Data sovereignty starts with classification
Data sovereignty is still misunderstood in Australia. That is what Forrester senior analyst Michael Barnes said at a Trend Micro conference earlier this year.
Data sovereignty refers to the restrictions on storing, sending and processing data outside national borders. Legally termed "trans-border data flow", it remains one of the top concerns of CIOs and a major reason they hesitate to move their business to the cloud.
The Australian Privacy Act and the US Patriot Act are two pieces of legislation seen as deterrents for executives looking to host their data in a public or even private cloud. The Privacy Act 1988 allows cloud providers based in Australia to release information to law enforcement agencies such as the Australian Federal Police or Customs without notifying the customer. The Patriot Act, although US legislation, still reaches data held in Australia, because the US and Australian governments have bilateral agreements to share information in order to curtail terrorist activities. In effect, the Patriot Act can also lead to Australian cloud providers releasing information that is suspected of being connected to such activity.
Does this mean that it’s not safe to keep data in the cloud?
Small to midsize business (SMB) executives are wary of the cloud largely because they have not yet done their homework. A close reading of the legislation on trans-border data flow shows that such flows are a de facto standard of doing business, and that these agreements were ratified between governments chiefly to protect citizens against terrorism.
The right approach for SMBs is not to resist cloud computing outright but to adopt the facets that bring the most value to the business. One prerequisite is data classification: arranging data into groups based on its sensitivity and its impact on the business, for example tagged as Restricted, Private or Public.
Restricted data is data that cannot be disclosed, altered or destroyed without authorisation. It is typically protected by state or federal privacy regulations and by confidentiality agreements. Ideally, data of this type is given the strongest security controls and is kept on-premise. Examples include personal records, commercially confidential files, and material handled on behalf of the Australian government.
Private data is information that, if exposed or manipulated, would pose moderate risk to the business. Depending on management's discretion, data of this kind can be moved partially to the cloud through a hybrid deployment or kept entirely on-premise.
Finally, public data is information whose disclosure would not pose any risk to the business: web content, research publications, press releases and the like. It is safe to place this in a public cloud.
What are the steps to implementing a successful data classification strategy? A recently released Information Week report provides a comprehensive guideline that businesses can follow. First, there must be full stakeholder support.
Since the business, not the technical staff, owns the data, executives should be the main drivers of enforcement and implementation. The guidelines for classifying data should be simple and straightforward; otherwise they will dent productivity and over time be ignored. Classification levels must be clearly defined: the categories above (Restricted, Private and Public) must be explained in terms of the business's own data. Once data is classified, the same guidelines can serve as a reference for customer support and give the business a general understanding of how its systems, applications and websites must be designed.
Businesses should look for partners that use current solutions and models for data classification. Features to look for include metadata tags on email and documents, so that users identify sensitive data themselves on top of automated content scanning; classification awareness within Outlook, Outlook Web App, SharePoint, mobile devices and Office documents (Word, Excel and PowerPoint); and alignment with ISO 27001 requirements for labelling and handling information.
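As an added illustration of the automated content scanning and metadata tagging described above (this is example code written for this page, not code from the article, the Information Week report or any vendor product), the following Python sketch classifies text into the Restricted, Private and Public tiers from the earlier sections and maps each tier to the storage locations it may use. The detectors (an Australian tax file number confirmed with the ATO mod-11 check digit, a payment card number confirmed with the Luhn check, an explicit Commercial-in-Confidence marking, and an email address), the label names, the X-Classification metadata fields and the placement policy are all assumptions chosen for the example; the sample texts are constructed and contain no real records.

```python
"""Toy data-classification scanner: label text Restricted / Private / Public
and decide where it may be stored.  Constructed example; detectors, check-digit
thresholds and placement rules are assumptions, not taken from any product."""
from __future__ import annotations

import re
from enum import IntEnum


class Label(IntEnum):
    # Ordered so that max() over findings yields the most sensitive label.
    PUBLIC = 0
    PRIVATE = 1
    RESTRICTED = 2


# Hypothetical placement policy derived from the article's three tiers.
PLACEMENT = {
    Label.RESTRICTED: frozenset({"on-premise"}),
    Label.PRIVATE: frozenset({"on-premise", "private-cloud"}),
    Label.PUBLIC: frozenset({"on-premise", "private-cloud", "public-cloud"}),
}

# Regexes only find candidates; the check digits below confirm them.
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
MARKER_RE = re.compile(r"commercial[- ]in[- ]confidence", re.IGNORECASE)

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)  # ATO weighting for the mod-11 check


def tfn_check(digits: str) -> bool:
    """Australian TFN check: weighted sum of the 9 digits is divisible by 11."""
    return len(digits) == 9 and sum(
        w * int(d) for w, d in zip(TFN_WEIGHTS, digits)) % 11 == 0


def luhn_check(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (label, reason) for every confirmed sensitive element in text."""
    hits = []
    for m in TFN_RE.finditer(text):
        if tfn_check(re.sub(r"\D", "", m.group())):
            hits.append((Label.RESTRICTED, "tax file number"))
    for m in CARD_RE.finditer(text):
        if luhn_check(re.sub(r"\D", "", m.group())):
            hits.append((Label.RESTRICTED, "payment card number"))
    if MARKER_RE.search(text):
        hits.append((Label.RESTRICTED, "commercial-in-confidence marking"))
    if EMAIL_RE.search(text):
        hits.append((Label.PRIVATE, "personal email address"))
    return hits


def classify(text: str) -> tuple:
    """Most sensitive label found plus its reasons; no findings means Public."""
    hits = find_sensitive(text)
    if not hits:
        return Label.PUBLIC, []
    label = max(h[0] for h in hits)
    reasons = sorted({reason for lbl, reason in hits if lbl == label})
    return label, reasons


def metadata_tag(text: str) -> dict:
    """Metadata a tagging tool would stamp on the document or mail headers (assumed field names)."""
    label, reasons = classify(text)
    return {
        "X-Classification": label.name.capitalize(),
        "X-Classification-Reason": "; ".join(reasons) or "no sensitive content found",
        "X-Allowed-Storage": ", ".join(sorted(PLACEMENT[label])),
    }


def may_store(text: str, destination: str) -> bool:
    """Placement gate: may content with this classification live at destination?"""
    label, _ = classify(text)
    return destination in PLACEMENT[label]


# Constructed sample content (not real records).
SAMPLES = {
    "press-release": "ACME Pty Ltd today announced its new Brisbane office.",
    "support-email": "Customer contact: jane.citizen@example.com, ticket 4471.",
    "hr-record": "New starter TFN 123 456 782. Commercial-in-Confidence.",
    "payment": "Card on file 4111 1111 1111 1111 expiring 12/29.",
    "lookalike": "Order reference 123 456 789 shipped Tuesday.",  # TFN shape, fails mod-11
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        label, reasons = classify(text)
        print(f"{name:14} {label.name:10} {reasons} -> {sorted(PLACEMENT[label])}")
```

The check digits are what stop the scanner from flagging every nine- or sixteen-digit run as Restricted: the "lookalike" sample has the shape of a TFN but fails the mod-11 test, so it stays Public. That matters because a classification scheme that constantly blocks ordinary work is the one that gets ignored. Pattern scanning is still only a baseline; a restricted document that mentions no recognisable identifier will be missed, which is why user-applied tags sit alongside the scanner rather than being replaced by it.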
Businesses should start exploring cloud opportunities because it can not only improve business efficiency but also cut costs.
Sovereignty issues should not be a hindrance to using the cloud. Through data classification, SMBs can be more flexible, identifying which data can be moved to the cloud and implementing a company-wide programme that makes each employee accountable for the data they consume and publish.