Thales Blog

Data Classification - Learning To Walk Before We Run With Cloud Computing

May 11, 2011

I wanted to share a recent article from the editorial team at SearchSecurity that caught my attention. It is refreshing to see that, amidst all the hype, there are some realistic and insightful comments about the practicalities of the cloud.

For me, there are still too many generic conversations about the cloud, too much focus on corporate branding by vendors and not enough real dialogue with customers. I can't help thinking that advertisements for clouds at airports (of all places) are premature and mystifying to most: the very definition of 'marketing fluff'. By talking about cloud computing in such universal language, it's easy for organisations to overlook the specifics that ultimately govern how and when they move from aspiration to action.

Right at the top of the list of specifics is security. Thank goodness there is a healthy level of caution around protecting data (our data) in the cloud. Critics often cite the protection of end-user or consumer information, and compliance with privacy mandates, as the primary showstopper. In reality, this is merely a symptom of a more fundamental issue: the biggest hurdle to widespread cloud adoption is organisations' inability to classify their data.

The military have been doing it for years, with "Top Secret" stamped on the things that matter most and documents officially "declassified" when the appropriate time comes, but how many commercial organisations could say the same? If security were a black-and-white discipline, things would be relatively easy. As we all know, though, security is about shades of grey, and when it comes to clouds those shades are even harder to measure. The obvious result is that CIOs must be selective about the types of business data they transfer to the cloud. But with so many variables, where do you start?

Without the ability to easily assess the security proposition of an individual cloud service, or without a formal data classification scheme, organisations tend to play it safe, adopting the cloud only for those tasks that are deemed completely risk-free. The SearchSecurity article cites Marriott Hotel's use of the cloud to host the maps on its website, hardly a business-critical service by any stretch of the imagination. Similarly, there are plenty of examples of organisations using cloud computing for application development and stress testing with anonymised data, and only then moving the new software into their traditional "trusted" datacentres, where it runs against real data. In both cases they are dodging the issue. With little or nothing to lose in terms of security, availability or latency, and plenty to gain in the form of cost savings, the proposition is certainly compelling, but it's hardly a revolution. The real savings come from migrating regulated systems to the cloud: the systems that carry hard contractual and compliance commitments and that tie up the most expensive staff and the scarcest resources.

A framework for organising business data by its sensitivity would certainly give both providers and consumers of cloud services a valuable tool for approaching the problem. However, I don't hold out much hope. Like beauty, the sensitivity of data is in the eye of the beholder; it's all about context, and that's tough to measure. Even if it were easy, the prospect of declaring a data classification and grading accordingly is a scary one, since it raises the question "now what?" Few companies would be willing to modify existing business applications and processes to segregate data and unify protection requirements around each tier of classification. Worse still, the whole thing is a moving target, with more types of data coming under the regulatory spotlight every day. Until recently, attention was focused on cardholder data and electronic healthcare records. Now, all of a sudden, in the wake of the Epsilon breach and the subsequent glut of consumer disclosures, even email addresses have become 'sensitive', and in certain smart grid markets even meter readings constitute protected personal data.

It's not easy, but without a lingua franca to support a common scheme for data classification, the cloud is destined to remain a revolutionary concept used for entirely un-revolutionary purposes, delivering only a fraction of its potential for quite some time.