Five steps for high data security in the cloud

Moving business processes and applications to the cloud requires precise planning to ensure data security at all times and in every detail.


When companies move entire business processes to the cloud, the expected business objectives can only be achieved if the migration is secured from the outset by a comprehensive IT security strategy in which the security of the data plays a decisive role. NTT Security sets out the most important activities in five steps.

  1. Identify and classify data

To begin with, companies must determine which applications and data are to be transferred from their own data center to a cloud provider during the migration. For example, it must be clarified what type of data is involved and whether personal data is involved, because then the strict regulations of the GDPR apply. In which applications will the data be used, by whom and how? Is it only read or is it also processed? The security model is built on the basis of this information.

  2. Define the level of protection for each step in the workflow

Based on the classification and risk assessment of the data, the level and class of protection must be determined for each step in the workload. Is encryption needed, and if so, when: during transmission, during storage, at field level? Will pseudonymization or tokens be required? Where should the encryption keys be stored: on-premises, directly with the cloud provider or with a separate cloud provider?

  3. Define rules for access control

In order to achieve a high level of protection, data must not be accessible without protection at any time during a business process. It must also be ensured that copies of stored or archived data are protected during processing in the same way as the originals and that these copies are deleted when they are no longer required. Depending on roles in the company, access authorizations are assigned and compliance with them is monitored so that no unauthorized person can read, copy, change or delete data.

  4. Record all data accesses in log files

Companies need to link rules for granting access authorizations with comprehensive log management. Access logs record and store all data activities. These records and the evaluation of all data accesses and other security-relevant events are a prerequisite for seamless IT security monitoring. On the one hand, analysis of the log files enables unusual events to be identified and their causes determined, and on the other hand, it supports companies in tracing all activities during security audits.

  5. Observe the life cycle of the data

The retention of data is regulated in detail in the financial services, medical technology, chemical-pharmaceutical and other industries. The protection of personal data over its entire lifecycle is regulated in the GDPR, regardless of whether the data is located in the company's own data center or in the cloud. For companies, this means that they must retain complete control over personal data at all times, from collection and processing to archiving. This applies to individual and standard applications, regardless of whether they are on-premises or in the cloud.

"The discussion about the use of cloud technologies is no longer dominated by security concerns. Today, companies primarily want to take advantage of the associated opportunities to drive digital transformation," explains Franck Braunstedter, Senior Manager Cyber Defense and Cloud Security at NTT Security Germany. With external support, he says, companies are able to overcome the cloud-specific IT security challenges in all phases of a migration.

Source: NTT Security

 

 
