The organization also needs to protect Data Processing mechanism as well as Data Control in life-cycle phases other than Create.
Industry standards and best practices require the creation, use, and enforcement of a host of data management policies and practices, including the areas of data retention, audit, and disposal.
In this section Data Control in cloud, we’ll address each of those in turn.
Here is an important note while understanding Data Control in cloud computing.
Each aspect of data management retention, audit, and disposal will need a specific policy addressing it.
There is no reason, however, that you cannot include all three policies under one overarching policy, such as a data management policy.
Just be sure each area is addressed thoroughly and with sufficient granularity;
Don’t let any individual sub policy slip in quality or comprehensiveness simply because you’re aggregating your required governance
What is Data Retention and processing in cloud computing?
As with all matters involving our profession, the organization’s data retention program should start with and be based on a strong, coherent policy.
The data retention policy in Data Control should include the following
What is data processing Retention Periods in cloud computing?
How long the data should be kept by the organization.
This usually refers to data that is being archived for long-term storage that is, data not currently being used in the production environment.
The retention period is often expressed in several years and is frequently set by regulation or legislation (see the next item).
Data retention periods can also be mandated or modified by contractual agreements.
What are the data processing Regulation used by cloud computing?
As we just mentioned, the retention period can be mandated by statute or contract; the retention policy should refer to all applicable regulatory guidance.
This is especially true in cases where there is conflicting regulation.
The policy should then also highlight any such disparity and include mention of senior management’s decision for how to approach and resolve this conflict with the policy as an appropriate mechanism.
What are the Retention Formats used by cloud computing?
The policy should contain a description of how the data is actually archived that is, what type of media it is stored on, and any handling specifications particular to the data.
How data processing Classification works in cloud computing?
The organization should have an overarching data classification policy that serves as guidance for data creators, owners, curators, and users, describing how and when data should be classified.
Security procedures and controls for handling the various classifications (as well as enforcement mechanisms for dealing with policy infractions).
In addition to the main policy, the data retention policy should include specific mention of how the various classes of data will be archived and retrieved.
Archiving and Retrieval Procedures in cloud computing
Having data in storage is useful;
Stored data can be used to correct production errors, can serve as business continuity and disaster recovery (BC/DR) backups, and can be data mined for business intelligence purposes.
But stored data is only useful if it can be retrieved and put back into production efficiently and cost-effectively.
The policy should include a detailed description of the processes both for sending data into storage and for recovering it.
This element of the policy (the detailed processes) might be included as an attachment or mentioned by reference to the actual documentation for the processes;
The processes might require more frequent updates and editing than the policy and could be kept separate.
How Monitoring, Maintenance, and Enforcement works in cloud computing?
As with all policies in the organization, the policy should list, in detail, how often the policy will be reviewed and amended, by whom, consequences for failure to adhere to the policy.
Which entity within the organization is responsible for enforcement.
Here is another important note while understanding Data Control in cloud computing.
Backups are great; a lot of organizations do regular, thorough backups. However, all too often, these same organizations don’t practice recovery from backup.
So they are unprepared for those situations where recovery is necessary, and recovery efforts are hampered or fail.
It is useful, and in some cases required by regulation, to test your organization’s recovery from backup to ensure this won’t happen to you.
Managing data retention in the cloud can be especially tricky; it may be difficult to ensure,
The data retention policy addresses the activities that take place in the Archive phase of the data life cycle.
How Data Audit works in the cloud?
As with all other assets, the organization needs to regularly review, inventory, and inspect usage and condition of the data it owns.
A data audit is a powerful tool for effecting these efforts.
As with the other elements of data management, the organization should have a policy for conducting audits of its data.
The policy should include detailed descriptions of:
- Audit periods
- Audit scope
- Audit responsibilities (internal and/or external)
- Audit processes and procedures
- Applicable regulations
- Monitoring, maintenance, and enforcement
Here is another important note while understanding Data Control in cloud computing.
As with all types of audits, the organization should be particularly careful about ensuring that auditors do not report to anyone in the management structure that owns or is affected by the data they are auditing.
Conflicts of interest must be avoided for the audits to have validity and utility.
In most organizations and enterprises, the audit is predicated on logging. Logging can happen in many forms: event logging, security logging, traffic logging, and so forth.
Logs can be generated by applications, OSs, and devices, and for general or specific purposes
Log review and audit is a specialized task for personnel with specific training and experience.
Logging is fairly easy; most software and devices in modern enterprises can effectively log anything and everything the organization might want to capture.
Reading and analyzing these logs, however, can prove challenging
Log review and analysis is not often a priority in cloud computing
Most organizations do not have the wherewithal to dedicate the personnel required to effectively analyze log data.
Usually, log review becomes an additional duty for someone tasked to another office the security department, for instance.
And many additional duties do not get accomplished because the personnel assigned to them become task-saturated with their other, regular job tasks.
Why Log review is mundane and repetitive in cloud computing?
Reviewing logs takes a certain kind of person: someone who can sift through loads of data to spot the minute portion that might vary from the norm.
This is not exciting work, and even the best analyst can become lax through repetition.
Log review requires someone both new to the field and experienced
This can become a management quandary: the log reviewer must be someone junior enough that they can be assigned to perform log reviews without incurring too much trade-off cost to the organization
That is, other functions they might be performing are not more expensive or valuable than the log reviews.
Yet the person needs to have sufficient experience and training to perform the activity in a worthwhile manner.
The reviewer needs to have an understanding of the operation
If the reviewer cannot distinguish between what is authorized activity and what is not, they are not adding security value to the process.
Here is an important note while understanding Data Control in cloud computing.
It might serve the organization well for log reviews to only be a part-time function of a specific individual.
If a person is only doing log analysis and has no other duties, repetition and boredom might lead to the person missing something in the review that would have otherwise been noticed.
However, the person assigned to review logs must perform the task often enough that they recognize baseline activity, and therefore deviations from it.
long periods between analysis sessions might lead to the analyst losing institutional knowledge and some atrophy of the skill set.
Logs are like data backups, though: many organizations perform logging; logs are easy to set, acquire, and store.
The challenge, then, is to determine how often logs will be reviewed or audited, by whom, the processes for doing so, and so forth.
Having the logs is one thing: reviewing the logs you have is something else.
Here is an important note while understanding Data Control in cloud computing.
A natural inclination of a security practitioner might be to log everything; people in our field notoriously loathe to part with data, and want to know everything about everything.
The problem with doing so?
Logging everything creates additional risks and costs.
Having so much log data aggregated creates additional vulnerabilities, and requires additional protections, and the storage required for logging everything will entail a wholesale duplication of storage systems and space.
Data audit in the cloud can pose some almost insurmountable challenges.
The cloud provider may not want or, indeed, even be able, for operational or contractual reasons to disclose log data with the customer, for security, liability, or competitive reasons.
Therefore, the organization must consider, again, specific audit requirements when opting for cloud migration, and include any such specifications in the contract with the cloud provider.
The data audit policy addresses activities that take place in all phases of the data life cycle.
What is data processing and Data Destruction/Disposal in cloud computing?
In the legacy environment, where the organization has ownership and control of all the infrastructure, including the data, hardware, and software.
Data disposal options are direct and straightforward. In the cloud, data disposal is much more difficult and risky.
First, a review of data disposal options in the legacy environment:
Physical Destruction of Media and Hardware in cloud computing
Any hardware or portable media containing the data in question can be destroyed by burning, melting, impact (beating, drilling, grinding, and so forth), or industrial shredding.
This is the preferred method of sanitization since the data is physically unrecoverable.
Degaussing in cloud computing
This involves applying strong magnetic fields to the hardware and media where the data resides, effectively making them blank.
It does not work with solid-state drives.
Overwriting in cloud computing
Multiple passes of random characters are written to the storage areas (particular disk sectors) where the data resides, with a final pass of all zeroes or ones.
This can be extremely time-consuming for large storage areas.
Cryptoshredding in cloud computing
This involves encrypting the data with a strong encryption engine and then taking the keys generated in that process, encrypting them with a different encryption engine, and destroying the keys.
Here is an important note while understanding Data Control in cloud computing.
Hardware and media can never be sanitized by simply deleting the data.
Deleting, as an operation, does not erase the data; it simply removes the logical pointers to the data for processing purposes.
In the cloud, many of these options are unavailable or not feasible. Because the cloud provider, not the data owner, owns the hardware, physical destruction is usually out of the question.
That leaves cryptoshredding as the sole pragmatic option for data disposal in the cloud.
As with the other data management functions, the organization needs to create a policy for data disposal.
This policy should include detailed descriptions of the following:
- The process for data disposal
- Applicable regulations
- Clear direction of when data should be destroyed
As in all cryptographic practices, proper implementation is essential for success.
The data disposal policy addresses activities that take place in the Destroy phase of the data life cycle.
Team@admin
