A DataSecOps Approach to Cloud Migration Is Not Negotiable
By Ameesh Divatia, CEO and co-founder | September 29, 2020
A recent study of CIOs offered good news for those concerned about data protection. It reported that 86% of respondents are now viewing security as a higher budget priority, with 68% placing the cloud as a higher budget priority. In my experience, data security and privacy must be high in the queue for cloud migration projects. Another study supports that assertion, finding that nearly 80% of businesses suffered at least one cloud breach in the past 18 months, and 43% experienced 10 or more breaches over the same time period.
Few would argue the importance of data protection, but many organizations struggle to implement strategies that reduce the risk exposure during and after the cloud migration process. One emerging approach, called DataSecOps, addresses this challenge by bringing security teams and data scientists together for continuous collaboration throughout the lifecycle of a migration project. Here are some things you should consider when implementing a DataSecOps approach.
To effectively implement a DataSecOps approach to cloud migration, collaboration between security teams and data scientists must commence before the project begins. The mission of this collaboration is to ask and answer a very straightforward question: “How will each decision affect our ability to protect data?” And that question must be addressed proactively during every phase of the project.
Think of it this way: Houses in California must be built with the probability of earthquakes in mind to reduce the risk of damage. It is not a consideration you can apply after an earthquake has occurred. Similarly, when privacy and security are built into the foundation of cloud migration, the risk of data exposure in the event of a data breach is drastically reduced.
By now, we are all aware of the efficiency and cost-saving benefits that come with cloud migration, and, understandably, organizations want to be in a cloud environment as soon as possible. Recently, many organizations have accelerated plans to migrate due to a workforce that has moved from an office to a remote setting over the course of a few months. However, the “need for speed” cannot be allowed to crowd out the task of implementing the privacy and security controls necessary for a DataSecOps approach.
As with any project, proactive safeguards take time. However, the time spent on front-end protections is minimal when compared to the resources necessary to rectify a breach. And when you consider the penalties of noncompliance with data privacy laws like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), migrating quickly at the expense of privacy and security simply is not worth it.
Address Your Data
A DataSecOps approach requires that specific safeguards are implemented to ensure data is protected before, during and after a cloud migration. Such actions include, but are not limited to, the following:
- Enforcing Data Policies: To ensure data is only being used for its intended purposes, there must be enforceable rules in place that dictate how sensitive data is collected, transformed, analyzed and shared, based on the risk profile of the data. It is also important to remember that policies must be clearly written, leaving no room for misinterpretation that could lead to unintended data exposure and regulatory noncompliance.
- Keeping Track Of Data Use: Accurate record keeping is useful in almost any business activity, and that holds true for data privacy. Logging and reporting how, when and where sensitive data is being accessed helps organizations see where data is potentially being misused and points them toward corrective measures. It also lets them demonstrate to regulatory authorities that reasonable security measures were in place, which can reduce the penalties assessed in the event of a breach.
- Integrating Security Controls: One of the biggest mistakes organizations make during cloud migration is not fully assessing security risks that can negatively impact data privacy. Securing data on-premises is very different from securing it in the cloud, so it is critical to identify the appropriate controls necessary to make this change and maintain compliance. Early on, it is important to thoroughly assess current security controls to determine a baseline to help identify gaps that need to be addressed before cloud migration can begin.
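The first two items above (enforceable, risk-based rules for how sensitive data is used, and a log of who accessed what, when and for what purpose) can be tried out in code. The following is an added example and not code from the article or its author: a small gateway that classifies fields by the purposes allowed to read them, records every request in an audit log, and runs a simple misuse check over that log. Field names, purposes, user ids and customer records are all constructed for the example.

```python
"""Purpose-based access control plus audit logging for sensitive fields.

Added example with constructed data; the POLICY table, user names and
customer records are assumptions, not anything taken from the article.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Risk profile per field: the set of business purposes permitted to read it.
# A field missing from the table is treated as unknown and therefore denied.
POLICY: Dict[str, Set[str]] = {
    "email": {"support", "billing", "marketing"},
    "ssn": {"billing"},                                   # highest risk: billing only
    "postcode": {"support", "billing", "marketing", "analytics"},
    "order_total": {"billing", "analytics"},
}


@dataclass
class AuditEntry:
    """One logged access decision: who asked, why, for which field, and the outcome."""
    when: str
    who: str
    purpose: str
    field_name: str
    allowed: bool


@dataclass
class DataGateway:
    """Every read goes through here, so the policy is enforced and logged in one place."""
    records: List[Dict[str, str]]
    audit: List[AuditEntry] = field(default_factory=list)

    def read(self, who: str, purpose: str, fields: List[str], when: str) -> List[Dict[str, str]]:
        """Return only the requested fields the purpose may see; log each decision."""
        permitted: List[str] = []
        for name in fields:
            allowed = purpose in POLICY.get(name, set())
            self.audit.append(AuditEntry(when, who, purpose, name, allowed))
            if allowed:
                permitted.append(name)
        return [{name: rec.get(name, "") for name in permitted} for rec in self.records]


def denied_by_user(audit: List[AuditEntry]) -> Counter:
    """Count denied requests per user; repeated denials are an early misuse signal."""
    return Counter(entry.who for entry in audit if not entry.allowed)


def flag_misuse(audit: List[AuditEntry], max_denied: int = 2) -> List[str]:
    """Users whose denied-request count exceeds the threshold, for review."""
    return sorted(user for user, n in denied_by_user(audit).items() if n > max_denied)


def purposes_per_user(audit: List[AuditEntry]) -> Dict[str, Set[str]]:
    """Which purposes each user has claimed; a user cycling through purposes stands out."""
    seen: Dict[str, Set[str]] = {}
    for entry in audit:
        seen.setdefault(entry.who, set()).add(entry.purpose)
    return seen


# Constructed sample records (not real people).
CUSTOMERS = [
    {"email": "a@example.com", "ssn": "000-00-0001", "postcode": "94016", "order_total": "120.00"},
    {"email": "b@example.com", "ssn": "000-00-0002", "postcode": "10001", "order_total": "45.50"},
]


def run_scenario():
    """An analyst and a billing clerk read data; the analyst then probes for SSNs."""
    gw = DataGateway(CUSTOMERS)
    analyst_view = gw.read("analyst1", "analytics",
                           ["postcode", "order_total", "email"], "2020-09-29T09:00:00Z")
    billing_view = gw.read("billing1", "billing", ["email", "ssn"], "2020-09-29T09:05:00Z")
    # analyst1 retries the ssn field under several purposes, none of which permit it.
    for i, purpose in enumerate(["analytics", "marketing", "support"]):
        gw.read("analyst1", purpose, ["ssn"], f"2020-09-29T10:0{i}:00Z")
    return gw, analyst_view, billing_view


if __name__ == "__main__":
    gateway, analyst, billing = run_scenario()
    print("analyst sees:", analyst[0])
    print("flagged for review:", flag_misuse(gateway.audit))
    print("purposes claimed:", purposes_per_user(gateway.audit))
```

The point of routing every read through one gateway is that the policy table is the single, written-down rule the article asks for, and the audit list is the record that shows a regulator which requests were denied and when. The misuse check is deliberately simple; in practice the audit entries would be shipped to a log platform and the thresholds tuned per data class.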
Consider Existing Frameworks For Guidance
Organizations can use any number of privacy and security frameworks to help implement a DataSecOps approach to cloud migration. The privacy framework from the Organisation for Economic Co-operation and Development (OECD), for example, helps mitigate risk with security controls that map directly to specific regulatory requirements for maintaining CCPA and GDPR compliance.
You might also consider the Gartner Data Security Governance Framework, which addresses how data-related risk can be managed with security controls, and the NIST Cybersecurity Framework, which helps guide cybersecurity activities and assess an organization’s cybersecurity risk. Both are well-respected frameworks that support a DataSecOps approach to migration.
These frameworks represent some of the many available. Each is nuanced, with a different focus, so it is important to determine which one aligns closest to your business strategies and goals, as well as your organization’s privacy and security maturation.
The Future Of Cloud Security
While the cloud is the modern approach to data storage and data analytics, organizations must also factor in the potential disruption and costs associated with privacy and security risk. Data protection should be at the foundation of each cloud migration, and implementing DataSecOps at the start and taking additional guidance from existing frameworks ensures that security and privacy are no longer “add-on” propositions.
This article originally appeared in Forbes.