What is data stewardship and why is it different in the cloud?
“A Data Steward is a stakeholder who makes data-related decisions. They set policy, specify standards, and craft recommendations that are acted on by a higher-level Data Governance Board and examine sets of data against criteria for completeness, correctness, and integrity.” – Data Governance Institute (DGI)
It is always the responsibility of companies to protect their data, and particularly their customers’ data, safeguarding it from prying hands. Nearly every organization has regulatory responsibilities (e.g. PCI, SOX, FISMA, GLBA, ISO and HIPAA) along with compliance obligations, policies, standards and controls that must be adhered to. Because the cloud scatters data across multiple environments and CSPs, a formal approach to data governance and compliance, combined with rigorous protection of strategic corporate data, is called for. The problem is further exacerbated because data is also accessed from mobile devices. Before companies moved their applications and data to the cloud, data governance and data protection were often taken for granted. Formalizing a data steward role is recommended because applications and data are now far more distributed and complex.
CSPs are only partially responsible for breaches and data loss. The real liability for these events remains with the enterprise. In essence, CSPs are riding shotgun on the road to data security.
“It is not the CSPs role to be trusted with data stewardship.”
This might come as a surprise to some business leaders, but CSPs don’t have the business knowledge of the data and, therefore, are not appropriate as data stewards. While businesses create service level agreements, sign contracts and take precautions, in the public cloud and other cloud environments there are no real protections or guarantees. As evidenced by the consent forms on their sites, vendors are not prevented from exposing Personally Identifiable Information (PII) or corporate data stored in their cloud environments. Furthermore, CSPs have different business objectives, risk profiles and motives for data management; their main focus is earning revenue, not being a data steward.
Therefore, businesses need to extend their responsibilities to the cloud when it comes to protecting data and managing access to it. After all, it is up to the organization to ensure that all of its data – everything from security camera footage and recorded phone calls to PII – is secure. Most CSPs are not responsible for upholding their customers’ corporate standards, and in the event of a data breach, both companies involved will be at fault.
The basics of data stewardship in the cloud
In short, “Data Governance is the exercise of decision-making and authority for data-related matters.” – (DGI).
It’s about accountability, not so much data protection – who is responsible for what, and how will that affect access and security policies and procedures? Businesses should start asking these questions before they even think about moving apps and data to cloud services, and consider them while negotiating service agreements. At the end of the day, data stewardship is more than just tracking responsibility and accountability with a RACI (Responsible, Accountable, Consulted and Informed) matrix; it requires organizations to understand how to handle data for each application, vendor and service provider in the context of business risk.
Note: Those interested in protecting their data should check out the OpenSky blog post about the cloud’s impact on corporate perimeters and what businesses can do to secure networks in the age of the cloud. The rest of this article will cover the basics of what you need to know about data security and management responsibilities in the cloud and how to use that information.
Data stewardship is required to manage the lifecycle of your privacy requirements – from policy, consent and collection to regulation and data use. This becomes more difficult the more an organization outsources to CSPs and distributes its data to employees and other parties.
Securing data in the cloud requires a keen understanding of how responsibilities are shared.
Whose data is it?
In short, businesses have a lot of questions that they must answer in order to truly understand the required roles and responsibilities in regard to data stewardship in cloud environments. Here are some of the many considerations:
- Internal ownership and valuation: Your data is more than customer records and PII. It includes plans for your next revenue-generating market move and details of how your systems work. These have intrinsic value to the organization and are not directly driven by regulatory compliance. Don’t forget that data governance includes intellectual property.
- Laws and regulations: Different jurisdictions and data sovereignty laws impact the ownership of data and who controls it. It is absolutely necessary to conduct research into where data is stored, where CSPs are located and when data is moved across regional borders. Furthermore, businesses must know whether CSPs are subject to subpoenas and search warrants.
- Encryption key storage: Protecting data is a major part of stewardship, so it is important to understand who has the power to decrypt sensitive data.
- Data transfer notifications: If dealing with PII or payment card data, businesses need to determine policies and procedures for moving data. Does the owner need to know? Where is the data going?
- Auditing: Will CSPs be auditable? What about the data?
- Breach detection: If a breach occurs, businesses should already have a plan.
- CSP closure: What happens if CSPs go out of business or are acquired? A contingency plan is required. In fact, it is recommended that this strategy is baked into all cloud initiatives.
How to: Data stewardship
First and foremost, businesses should treat data as a corporate asset with tangible value and physical presence. Access to this resource is essential, and every corporate policy on stewardship should facilitate employee workflows. However, asking the right questions about how data is managed and collecting the answers isn’t data stewardship in itself; it is the foundational groundwork for managing data and understanding where the most valued corporate data is housed.
CIOs, CTOs and CISOs must create robust implementation plans that define the data governance process. Businesses must “follow the data,” monitoring and ensuring quality, security and control of it – from creation to secure delivery, to use and deletion. In the cloud, this can be complex, but that is why the questions and answers listed above exist.
Companies moving to the cloud need to be vigilant in protecting their data, understanding the threat landscape and creating plans that include strong access control, data encryption, data loss prevention (DLP), alerting, monitoring, compliance checking, incident response, and forensics capability.
The Data Governance Institute developed a framework to help companies set the rules of engagement for how to manage data activities. These concepts should dovetail nicely with the enterprise’s Data Loss Prevention oversight program. Data intelligence tools like data loss prevention, cloud discovery and protection should be employed to provide a better risk context.
Businesses should have metrics that monitor the flow, quality and security of their data. These metrics must serve business goals, and analytics can be an important tool in that regard. Armed with a set of definitions, policies, processes and business rules, businesses can guarantee that information is used consistently and securely inside and outside the organization.
Lastly, business leaders must work closely with CIOs, CTOs, CISOs, and data architects, as master data management is a time-consuming and people-intensive process that must be integrated into overall IT practices and processes.
Stewardship leads to governance
Data stewardship is closely related to data governance, as it requires a top-down program that is well communicated to all upstream and downstream partners and stakeholders. In essence, it provides support for data stewards and ensures that all concerns and considerations are matched with data protection policies and practices. The next blog post will dig into governance and the cloud in part 4 of “Why is cloud security different?”
Source: Sky Chat IT Blog