An Introduction to Data Governance


As the number of businesses using multiple clouds continues to rise, the security challenges they face are changing.

Because hybrid architectures include multiple points of potential entry for bad actors, traditional perimeter security has become obsolete. The perimeter is no longer the only place to prevent data disclosure or leakage.

Further, hybrid architectures include multiple security policies with different tooling available, all of which must be considered if the customer wishes to have a unified experience and a lower total cost of ownership for protecting their networks.

These policies make it extremely important for senior management to know where their company’s sensitive data resides and have specific protocols in place to reduce the exposure for data leakage.

And as these security challenges arise, they are compounded by an increase in multifaceted adversaries — from novice cyber criminals and advanced persistent threats to well-trained nation state actors — all employing a series of tactics with the sole purpose of gathering a business’ most valued technical asset: its data.

In today’s multi-cloud security landscape, having strong data governance and data classification procedures in place can help ensure that sensitive data is inaccessible to unauthorized users and processes.

Data governance

With the loss of traditional network perimeter and legacy security frameworks, data governance is more important than ever.

According to security provider Gemalto, which releases an annual security confidence survey, “Most organizations are not confident in their ability to protect data after a data breach.” 

Follow that with the latest Experian Data Breach Industry Forecast, which includes a warning from the FBI about advanced persistent threats “increasingly targeting sensitive information stored on U.S. commercial and government networks,” and securing your company’s data should be top of mind.

Data governance is the first step in securing that information, and it begins with simply managing the various technical, physical and administrative control measures that need to be applied to a company’s data.

These controls will likely differ based on how the data is classified and what risk, if any, its disclosure would mean for the company. But employing a standard process on a single cloud or across a hybrid architecture is crucial.

Data classification

In order to create a data governance policy that mitigates risk, you must understand the sensitivity of the data and the risk to your company if it were to be exposed.

By classifying data, a business is able to assign a value to it and the assets used in processing that data. Depending on the industry in which the business operates, there may be regulatory and legal classification requirements, such as data at rest encryption for PCI compliance.

Data classified as “public” is information that if disclosed, would not harm the business.

Information classified as “sensitive” requires more protection so that in the event of a breach, data analysis does not compromise the data’s confidentiality.

Any data with a “private” classification is for company use only and disclosure will cause some damage to the company.

Finally, any data classified as “confidential” has the highest sensitivity and disclosure can cause irreparable damage to the business.

Regardless of its classification, however, it’s important that you understand the flow of all of your data, from storage through transit, to make sure the appropriate controls are in place to prevent data leakage.

Data-at-rest, in-motion and in-use

To gain a better understanding and visibility into how your data is being accessed, you must first understand when your data is at-rest (storage, volume, file), in-motion (Secure Shell, virtual private network) and in-use (application, tokenization).

Knowing when your data is in one of these states will allow you to determine the type of control that needs to be applied, avoiding the one-size-fits-all architecture of implied data security. Deploying a technical control such as Rackspace Privacy and Data Protection allows you to work with your managed service provider to control the “who, what, where and how” via encryption policies applied to a business’ sensitive data.
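As an added illustration (not code from the original article or from Rackspace), the following script checks a constructed data inventory against a minimum-control policy keyed on the four classification tiers and the three data states described above. The control names in POLICY and the sample assets are assumptions chosen to match the controls the article mentions (encryption at rest, SSH or VPN in transit, tokenization in use); they are not a real policy.

```python
from dataclasses import dataclass

# Classification tiers from the article, ordered from least to most sensitive.
TIERS = ["public", "sensitive", "private", "confidential"]

# Assumed minimum controls per data state. Each entry is (lowest tier that
# needs the control, control name). Only the tiers and states come from the
# article; the control names are illustrative.
POLICY = {
    "at-rest":   [("sensitive", "encryption-at-rest"), ("confidential", "key-management")],
    "in-motion": [("sensitive", "encrypted-transport")],   # e.g. SSH or VPN
    "in-use":    [("sensitive", "access-logging"), ("confidential", "tokenization")],
}

@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    state: str            # "at-rest", "in-motion" or "in-use"
    controls: frozenset   # controls actually deployed for this asset

def required_controls(classification, state):
    """Controls an asset needs for its tier and state.
    Unclassified or unknown labels are treated as confidential (fail closed),
    because data nobody has classified is exactly the data most often leaked."""
    rank = TIERS.index(classification) if classification in TIERS else len(TIERS) - 1
    return {ctrl for tier, ctrl in POLICY[state] if TIERS.index(tier) <= rank}

def find_gaps(inventory):
    """Map each asset name to the controls it is missing (empty set = compliant)."""
    return {a.name: required_controls(a.classification, a.state) - a.controls
            for a in inventory}

# Constructed sample inventory, not real data.
INVENTORY = [
    Asset("marketing-site", "public", "at-rest", frozenset()),
    Asset("customer-db-volume", "confidential", "at-rest", frozenset({"encryption-at-rest"})),
    Asset("backup-transfer", "private", "in-motion", frozenset({"encrypted-transport"})),
    Asset("card-processing-app", "confidential", "in-use", frozenset({"access-logging"})),
    Asset("legacy-share", "unknown", "at-rest", frozenset()),
]

if __name__ == "__main__":
    for name, missing in find_gaps(INVENTORY).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(sorted(missing))}")
```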

As long as businesses continue to generate sensitive data, adversaries will continue to try to exfiltrate it through the exploitation of vulnerable systems. Therefore, the approach to securing systems begins with classifying your data to understand the risk of exposure to the business and applying the appropriate controls to protect that data.

Visit Rackspace to find out more about our privacy and data protection team and ways we can help keep your data safe, inside and out, through managed encryption and key management.

Ernie Martinez is a product engineer at Rackspace, where he's worked since 2013. He helps the Rackspace Managed Security team, as well as other business units, with the development of new products and services.
