One of the most frequent questions CSACH members face is "how do I develop a cloud strategy?". In reality the answer depends far less on the maturity of cloud technologies than on your organization's maturity in the area of Data Governance.
Data Governance, not cloud strategy, defines where and under what conditions your organization's data may be manipulated, stored and worked on. This varies from country to country, and in Switzerland in particular, with its strong data protection laws, it can directly determine what kind of cloud strategy is even possible.
To address these themes we have embarked upon a journey. With this series we will endeavor to clarify what Data Governance is and how it relates to security in the cloud.
So what is Data Governance and how does it relate to security?
Data Governance is primarily concerned with three core aspects: Data Security, Data Quality and Data Integration.
One will notice the obvious similarities between these three Data Governance concerns and the Security Triad, namely Confidentiality, Integrity and Availability.
Interestingly, the interpretation of these terms differs between the data governance world and the traditional security world. As a result, some clarification of the terminology is required from a security perspective, because these concepts do not map 100% onto the terminology understood by the security community.
"Data Security" from the perspective of data governance concerns itself with one element of the Security Triad, specifically Confidentiality. This is almost a one-to-one match with what most would understand under confidentiality requirements.
Most organisations already have some sort of classification of data based upon confidentiality. Usually this is represented in a four-level model such as the one depicted.
"Data Quality" from the perspective of data governance concerns itself, unsurprisingly, with the quality of the information. This maps onto the standard CIA security triad under the banner of "Data Integrity", and as such is also a primary concern of any security-focused organization.
From a security perspective data integrity comprises three main components:
1. Data at rest. Does the storage medium have the ability to maintain the integrity of the data while it is being stored?
2. Data in transit. Can the data be modified during transit?
3. Non-repudiation. Do we know who changed or modified the data?
Data governance additionally understands data quality to include the "correctness" of the information itself. This is not part of the security understanding of data quality, although the technical integrity measures listed above also have an indirect positive impact on data correctness.
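The three integrity components above can be shown concretely. The following is an added example, not code from the original article, using only the Python standard library and a constructed sample record: a stored digest detects modification at rest, an HMAC tag detects modification in transit, and a shared-key HMAC is shown to be insufficient for non-repudiation, because the receiver holds the same key and could produce a valid tag itself (per-author asymmetric signatures, outside the standard library, are what non-repudiation actually requires).

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the article): a customer address update.
RECORD = b"customer_id=1042;street=Bahnhofstrasse 1;city=Zurich"


# 1. Data at rest: keep a digest beside the stored object and recompute it on read.
def store_with_digest(data: bytes) -> dict:
    return {"data": data, "sha256": hashlib.sha256(data).hexdigest()}


def verify_at_rest(obj: dict) -> bool:
    expected = hashlib.sha256(obj["data"]).hexdigest()
    # constant-time comparison avoids leaking how many leading bytes matched
    return hmac.compare_digest(expected, obj["sha256"])


# 2. Data in transit: the sender attaches an HMAC tag computed with a key
#    shared with the receiver; any change to the bytes invalidates the tag.
def tag_message(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_in_transit(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_message(key, data), tag)


# 3. Non-repudiation: because the receiver knows the shared key, it can forge a
#    perfectly valid tag for data the sender never sent. The tag therefore
#    proves integrity, but cannot prove *who* produced the data.
def receiver_can_forge(key: bytes) -> bool:
    forged = b"customer_id=1042;street=Nowhere 99;city=Zurich"  # constructed
    return verify_in_transit(key, forged, tag_message(key, forged))


def demo() -> dict:
    """Run all three checks and return the observed outcomes."""
    key = secrets.token_bytes(32)  # shared sender/receiver key, generated per run

    stored = store_with_digest(RECORD)
    # simulate bit rot or an unauthorised edit on disk without updating the digest
    corrupted = {"data": RECORD.replace(b"Zurich", b"Bern"), "sha256": stored["sha256"]}

    tag = tag_message(key, RECORD)
    tampered = RECORD + b";vip=true"  # attacker appends a field in transit

    return {
        "at_rest_intact": verify_at_rest(stored),          # True
        "at_rest_corrupted": verify_at_rest(corrupted),    # False
        "transit_intact": verify_in_transit(key, RECORD, tag),    # True
        "transit_tampered": verify_in_transit(key, tampered, tag), # False
        "hmac_gives_non_repudiation": not receiver_can_forge(key), # False
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The last result is the point of the third component: an HMAC tells you the record was not altered by a third party, but since both ends can generate the tag, it cannot answer "who changed the data?"; that requires each author to sign with a private key only they hold.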
"Data Integration" is an interesting component of data governance because it does not map 100% onto what one would consider a primary security function. On closer inspection, however, it has a lot to do with "Data Availability", the final component of the security triad. Primarily, data integration concerns itself with consolidating data sets and making data available in a complete form to its users.
From a security perspective Data Integration is very important. Most organizations are familiar with the problem of data being replicated all over the place. Indeed, one of the biggest challenges faced by security is knowing exactly where all data resides and then ensuring that each copy is secured appropriately.
Integrating data drastically reduces the number of systems and services that need to be protected in an organization, and in doing so greatly simplifies the process of securing the company's core asset: its data.
This completes the mapping onto the components of the traditional CIA (Confidentiality, Integrity, Availability) triad that is so integral to the concept of security.
So there we have it: a brief introduction to Data Governance and how it maps to security. My Data Governance colleagues will no doubt complain that this is an oversimplification of the themes of Data Governance, but for the purposes of security it covers the core overlapping aspects.
We would highly recommend reading more material on Data Governance if your organization does not have a data architecture team.
So where do we go from here? How can we begin a data governance strategy within an organization, and what components do we need before we can consider a cloud strategy? This will be covered in the next article.
Further reading: Neera Bhansali, Data Governance: Creating Value from Information Assets, CRC Press, 2013.