Where to start: Data classification
If you don’t take time to understand your data, then you are setting yourself up for failure in a public cloud environment. Therefore, securing data must begin with data classification.
Here are some steps to follow:
- Identify the data that will be processed or stored in the cloud.
- Classify the information in regards to sensitivity towards loss of the CIA criteria. This would include identifying regulatory requirements for the data.
- Define the rules by which particular information classes of instances must be stored, transmitted, archived, transported and destroyed. Many handling requirements result from contractual or regulatory requirements.
A thought on physical location
As stated earlier, if there are restrictions on the physical location of data, you’ll need to find a provider that can handle them. Amazon Web Services uses regions, and many of the other cloud providers offer similar structures. However, you need to ensure the service-level agreements meet your locality requirements.
Protecting data in the cloud
In the cloud, your data can be in any of the following locations:
- Local storage of the virtual machine (i.e., processing engine). Data is tied to the virtual machine location and state.
- Persistent data store (i.e., Amazon EBS or S3, Azure SQL, etc.). Data is independent of virtual machine location and state.
- In transit on the wire.
You will also need to use one of the following methods to meet your data protection requirements:
- File system and share access control lists: This would be using the access control mechanisms in the offering to ensure appropriate restrictions on the data. This would be used in all cases, but it would not protect from malicious IT staff at the provider.
- Encryption with a mixture of public and private key solutions: This would most likely be used to protect against malicious IT staff at the provider.
- Transport level encryption: This would be used as a matter of course whenever sensitive information was being passed or transmitted.
I strongly insist that everyone classifies their data. Once that is done, there are a couple of cloud issues you need to think about:
- Is my data stored where is should be?
- If there are any physical location limits, are those met?
- Am I protecting against malicious IT staff?
The rest should be basic security practices, much like those used in your non-cloud environment. There is nothing obscure about securing data in the cloud. Just remember that “good security is good security” and you should be good to go.