Thales Blog

Scaling the data pyramid

October 22, 2013

The vast number and variety of analytical tools at our disposal combined with today’s breakneck speed of business presents organisations with increasingly overwhelming amounts of data to manage and protect. As with many other areas of business, the first step towards successful management is understanding. Data protection is no different, and although data classification is not a new concept, increasing reliance on the cloud is bringing a new urgency to the need for businesses to review their ‘data sensitivity pyramid’.

All businesses contain a range of data, from the mundane to the mission critical. As with many things in life, the mundane makes up the majority, forming the base of the pyramid. This isn’t to say that this data is of no use to the organisation, but rather ‘boring’ in the sense that it’s of little interest to malicious external parties. As we move up the pyramid, the data becomes increasingly sensitive, until we reach the ‘crown jewels’ at the very top.

Our recent ‘Global Trends in Cloud Encryption’ report highlighted that 53% of organisations either currently transfer, or plan to transfer, sensitive data to the cloud. The word sensitive is the key here – moving non-sensitive data to the cloud is a no-brainer; the challenge is to know how far up the pyramid the business can safely venture. In the same survey, twice as many respondents reported that they believe use of the cloud has decreased their overall security posture (35%). So we have to ask, are the tantalising benefits of the cloud – cost saving, flexibility, on-demand horsepower – tempting some organisations to the cloud at the expense of security?

In the case of ‘cloud addiction’, the slippery slope is uphill – moving up the pyramid, transferring ever more sensitive classes of data to the cloud. Keeping secrets is more expensive than protecting low-level data. The higher the sensitivity level of data and applications, the greater the operational and economic benefit that can be realised from moving them to the cloud.

Businesses cannot afford to take a one-size-fits-all approach when considering which data can be safely moved to the cloud. The traditional 80:20 rule, splitting data into twenty percent ‘critical’ vs. eighty percent ‘non-critical’, will not hold sway; organisations must seek a more granular understanding of their data. They must also acknowledge that data security in the cloud is something of a moving target. With the relative sensitivity of data subject to constant change, as well as the continual evolution of loss and privacy regulations, data classification is not a one-off task.

The classification process is vital, though by no means the final step in data protection. Once a business understands the lie of its data landscape, it must decide which data must be encrypted. Encryption desensitises the data, rendering it unreadable. It would be an oversimplification to say that once encrypted, any data can be treated as lower-level data, though the technology undoubtedly plays a key role in allowing businesses to scale the pyramid with confidence.

Confidence in the cloud depends on understanding your data. Understand what’s important to you, and protect it. Don’t wait for a data breach to highlight where your most sensitive assets lie.