The Stack interviews Evelyn De Souza, Compliance and Data Privacy Leader at Cisco Systems and Chair of the Cloud Security Alliance Data Governance Workgroup. She discusses the importance of industry support in creating effective cloud security policy…
“We tend to see an overreliance on technology controls and often not enough focus on mapping policy to process and technology controls,” says De Souza. “Many businesses don’t realise that privacy can be a good thing for business – when people make informed choices about the data they share, it usually leads to more accurate data for businesses to work with.”
Security is an ever-broadening area of technology, continues De Souza, who points out that most recent cloud security issues centre on data access and on businesses’ dependence on ‘one-size-fits-all’ strategies.
She believes that industry consortia, such as the Cloud Security Alliance, can support companies with these challenges by providing guidance and standards that are aligned with today’s business usage contexts. “Data protection should be explained in terms of real-world business practices […] it is important to make data protection ‘business consumable.’”
De Souza believes that, as cloud consumers, companies need to be vigilant and hold cloud providers accountable. Providers should offer strong processes around data access, storage, transactions and administration, such as removing default accounts, she adds.
Cloud-consuming organisations also need to ensure that the right protection mechanisms are in place for their most critical data assets and transactions. These include user access permissions, appropriate encryption and key management, and monitoring for data infiltration and exfiltration.
“Cloud-consuming organisations need to work with their cloud providers on determining who is responsible for which controls based on the particular cloud model they are using and the parts of the cloud stack that they control,” advises De Souza.
Referring to the characteristics of an effective data protection solution, De Souza outlines four categories: data classification, meaning digitally classifying and tagging the data that is most important to your organisation and requires the most stringent protection; data ownership, meaning declaring ownership of assets and entitlement rights, together with user access controls, including password management; data protection, meaning implementing controls such as encryption, key management, logging and monitoring; and lastly data residency. With an increasing number of regulations and standards requiring that certain types of data remain within certain geographic bounds, says De Souza, there is a range of complementary geo-location technologies, beyond the policies themselves, that can help meet these requirements.
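The four categories above are only useful once policy is mapped to the technical controls actually in place, which is the gap De Souza opens the interview with. The following is an added example, not code from the interview or from Cisco or the Cloud Security Alliance, of one way to make that mapping checkable. It assumes a hypothetical asset inventory in which each data asset carries a classification tag, a declared owner, the cloud region it is stored in, and flags for the encryption, key-management and logging controls applied to it, and a hypothetical per-classification policy that states which controls and regions are required. The audit reports every asset whose controls fall short of the policy for its classification; the policy values, asset names and regions are all constructed for illustration.

```python
"""Map a per-classification data protection policy onto the technical
controls recorded for each asset and report the gaps.

Added example; the policy, inventory and region names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str         # e.g. public, internal, confidential, restricted
    owner: str                  # empty string when nobody has declared ownership
    region: str                 # cloud region where the data is stored
    encrypted_at_rest: bool
    customer_managed_key: bool  # key held in a KMS the organisation controls
    access_logging: bool


@dataclass(frozen=True)
class Policy:
    allowed_regions: frozenset  # empty set means no residency constraint
    require_encryption: bool
    require_customer_key: bool
    require_logging: bool
    require_owner: bool


# Hypothetical policy: requirements tighten as the classification rises.
# Only "restricted" data carries a residency constraint here.
POLICY = {
    "public": Policy(frozenset(), False, False, False, False),
    "internal": Policy(frozenset(), True, False, False, True),
    "confidential": Policy(frozenset(), True, True, True, True),
    "restricted": Policy(frozenset({"eu-west-1", "eu-central-1"}),
                         True, True, True, True),
}


def check_asset(asset, policy=POLICY):
    """Return the list of policy violations for one asset (empty if compliant)."""
    if asset.classification not in policy:
        # An unknown tag is itself a classification failure, not a pass.
        return [f"{asset.name}: unknown classification '{asset.classification}'"]
    p = policy[asset.classification]
    problems = []
    if p.require_owner and not asset.owner:
        problems.append(f"{asset.name}: no declared owner")
    if p.allowed_regions and asset.region not in p.allowed_regions:
        problems.append(f"{asset.name}: stored in {asset.region}, residency "
                        f"requires one of {sorted(p.allowed_regions)}")
    if p.require_encryption and not asset.encrypted_at_rest:
        problems.append(f"{asset.name}: not encrypted at rest")
    if p.require_customer_key and not asset.customer_managed_key:
        problems.append(f"{asset.name}: encryption key not customer managed")
    if p.require_logging and not asset.access_logging:
        problems.append(f"{asset.name}: access logging disabled")
    return problems


def audit(inventory, policy=POLICY):
    """Return {asset name: [violations]} for every non-compliant asset."""
    report = {}
    for asset in inventory:
        problems = check_asset(asset, policy)
        if problems:
            report[asset.name] = problems
    return report


# Constructed sample inventory.
INVENTORY = [
    Asset("marketing-site", "public", "", "us-east-1", False, False, False),
    Asset("hr-records", "restricted", "hr-lead", "us-east-1", True, True, True),
    Asset("customer-db", "confidential", "", "eu-west-1", True, False, True),
    Asset("payroll", "restricted", "finance", "eu-central-1", True, True, True),
    Asset("wiki", "internal", "it-ops", "eu-west-1", True, False, False),
]

if __name__ == "__main__":
    for name, problems in audit(INVENTORY).items():
        for line in problems:
            print(line)
```

In the constructed inventory the audit flags hr-records (restricted data stored outside the permitted EU regions) and customer-db (confidential data with no declared owner and a provider-managed key), while the other three assets satisfy the policy for their tag. The same structure extends to whatever controls the organisation's own policy names; the point is that each policy statement has a concrete, machine-checkable control behind it.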
Governance is also a major consideration, asserts De Souza, and companies must understand the policies and processes that govern how data is created, accessed, transacted and stored.