Migrating sensitive data to the cloud
This part of the application modernization
journey begins with the classification step. Amid the economic, performance and
scalability benefits of cloud computing, data breaches go unnoticed until it
is too late. Part of the planning for the modernization of the application
involves preparation and awareness of all the data, either at rest or in
transit. The emergence of data protection laws in geographical areas including
the United States, such as the GDPR, the CCPA and others, aims at protecting
personally identifiable information (PII). These laws add complexity associated
with consumer rights over data use and data sharing, restricting how
the data may be handled. Development teams often regard these regulations as a
pain point, but building full transparency that enables detailed audits and
reports at the data level is just as important. The data teams must build a
level of compliance with information on what data was accessed by whom, when
and for what purpose. As personal and sensitive data proliferate to satisfy
ever-increasing business requirements, the potential for internal misuse of data,
along with the diligence needed to comply with data regulations, poses significant
challenges that must be tamed during the planning stage itself. This helps data
engineers who fear clauses about their personal liability and promotes
mechanisms for managing consent for using the data. Traditional applications
might not have prepared for these regulations and consents, so application
modernization is an opportunity to tackle them along with the
migration and modernization stages.
A caveat about these regulations must be called
out. Many laws and regulations dictate different aspects of data protection,
such as disclosure of financial data or documentation for food and drug production
research, and other industries might have standards that augment existing
regulations. The public cloud comes with certain built-in considerations
and guarantees for data protection; however, the checklist of certifications to
be met must still be ratified by the stakeholders. All these rules require
direct, careful handling and protection of data against exposure. The legal and
ethical implications of mishandling sensitive data are left out of scope and
cited as the data privacy engineering discipline.
That said, a checklist to help with migrating
sensitive data to the cloud can still provide benefits to overcome the common
pitfalls regardless of the source of the data. It serves merely as a blueprint
and lays the foundation for a smooth, secure transition.
Characterizing permitted use is the first step
data teams need to take to address data protection for reporting. Modern
privacy laws specify not only what constitutes sensitive data but also how the
data can be used. Data obfuscation and redacting can help with protecting
against exposure. In addition, data teams must classify the usages and the
consumers. Once sensitive data is classified, and purpose-based usage scenarios
are addressed, role-based access control must be defined to protect future
growth.
Devising a strategy for governance is the next
step; this is meant to prevent intruders and to boost data protection
by means of encryption and database management. Fine-grained access controls,
such as attribute-based or purpose-based ones, also help in this regard.
Embracing a standard for defining data access
policies can help to limit the explosion of mappings between users and the
permissions for data access; this gains significance when a monolithic data
management environment is migrated to the cloud. Failure to establish a
standard for defining data access policies can lead to unauthorized data
exposure.
When migrating to the cloud, a single-stage,
all-at-once data migration must be avoided as it is operationally risky.
It is critical to develop a plan for incremental migration that facilitates
development, testing and deployment of a data protection framework which can be
applied to ensure proper governance. Decoupling data protection and security
policies from the underlying platform allows organizations to tolerate
subsequent migrations.
There are different types of sanitization, such
as redaction, masking, obfuscation, encryption, tokenization and format-preserving
encryption. Among these, static protection, in which clear text values are
sanitized and stored in their modified form, and dynamic protection, in which
clear text data is transformed into a ciphertext, are most used.
Finally, defining and implementing data
protection policies brings several additional processes such as validation,
monitoring, logging, reporting and auditing. Having the right tools and processes
in place when migrating sensitive data to the cloud will allay concerns about
compliance and provide proof that can be submitted to oversight agencies.
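
An added example, not part of the original post: one way to tie the checklist together is a data access policy kept as plain data, independent of the platform, that selects a sanitization per field from the caller's role and purpose and records who accessed what, when and for what purpose. The field names, roles, purposes, key and helper names below are all constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed classification: field name -> sensitivity class (assumption).
CLASSIFICATION = {"name": "pii", "email": "pii", "ssn": "restricted", "plan": "public"}

# Constructed policy held as plain data so it can move between platforms:
# (role, purpose) -> action per sensitivity class. Missing classes are redacted.
POLICY = {
    ("analyst", "reporting"): {"public": "clear", "pii": "tokenize"},
    ("support", "account_recovery"): {"public": "clear", "pii": "clear", "restricted": "mask"},
}

TOKEN_KEY = b"constructed-demo-key"  # placeholder; a real key belongs in a secret store
AUDIT_LOG = []  # one entry per access attempt: who, what, when, for what purpose


def tokenize(value: str) -> str:
    """Keyed deterministic token: equal inputs still join, clear text is not exposed."""
    return "tok_" + hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask(value: str, keep: int = 4) -> str:
    """Show at most the last `keep` characters, never more than half the value."""
    keep = min(keep, len(value) // 2)
    return "*" * (len(value) - keep) + value[len(value) - keep:]


ACTIONS = {"clear": lambda v: v, "tokenize": tokenize, "mask": mask,
           "redact": lambda v: "[REDACTED]"}


def read_record(record: dict, user: str, role: str, purpose: str) -> dict:
    """Return the record sanitized for this role and purpose, auditing every attempt."""
    rules = POLICY.get((role, purpose))
    out = {}
    if rules is not None:
        for field, value in record.items():
            # Unclassified fields fail closed: they are treated as restricted.
            cls = CLASSIFICATION.get(field, "restricted")
            out[field] = ACTIONS[rules.get(cls, "redact")](str(value))
    AUDIT_LOG.append({"user": user, "role": role, "purpose": purpose,
                      "fields": sorted(out), "allowed": rules is not None,
                      "at": datetime.now(timezone.utc).isoformat()})
    if rules is None:
        raise PermissionError(f"no policy for role={role!r}, purpose={purpose!r}")
    return out
```

Denied attempts are logged before the exception is raised, so the audit trail also covers purposes that no policy permits.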