nobeastsofierce - Fotolia

How to introduce data security management into the cloud

Enterprises are adopting mobile and cloud computing rapidly -- raising concerns about data security management. George Lawton explores how IT can address those challenges.

Enterprises are beginning to leverage mobile devices and the cloud at a rapid pace. This raises parallel challenges in data security management and ensuring the data is managed in compliance with legal and corporate mandates. Many organizations worked through these challenges with in-house servers. Solutions have grown more complicated as the enterprise leverages more architectures that blend cloud services in concert with mobile devices.

"IT staff [members] are the custodians of the data," said Jason Buffington, senior analyst at Enterprise Strategy Group, an IT research service. "Consequently, they are responsible for protecting that data regardless of whether it lives on cloud services, servers or endpoints. This is no different than the level of IT governance enterprises deploy in-house."

Data security management across infrastructure is important because enterprises are spending more money to rectify data breaches, said Larry Ponemon, Ph.D., chairman and founder of the Ponemon Institute, a data protection think tank. He found that over the past year, the cost of data breaches due to criminal attacks has increased from an average of $159 to $174 per record. Meanwhile, the average total cost of a data breach increased 23% over the past two years to $3.79 million among large enterprises.

Controlling endpoints

Since cloud companies have had to mitigate security concerns, often they will provide higher level security than traditional protection services on premises.
Jason Buffingtonsenior analyst, Enterprise Strategy Group

To discourage employees from turning to an unmanaged file sharing service, enterprise architects should consider adopting some form of enterprise file synchronization and sharing (EFSS) service like Box, Citrix ShareFile, Dropbox, Druva, Egnyte, SugarSync or Accellion.

"Early adopters of cloud storage typically recognize improved security as one of the recognized benefits after the fact," Buffington said. "Since cloud companies have had to mitigate security concerns, often they will provide higher level security than traditional protection services on premises."

These services are able to control the flow of data based on users and devices using technologies like mobile data management. This leaves the door open for employees to accidentally or deliberately move data outside of the firewall. Analyzing cloud usage for over 18 million users, SkyHigh Networks, a cloud security service found that 21% of files uploaded to cloud-based file sharing services contain sensitive personally identifiable information (PII), protected health information (PHI), payment card data, or intellectual property.

Combine EFSS with compliance

With traditional enterprise architectures, the enterprise could turn to compliance applications like HP Autonomy to sift through the data to ensure that PII, PHI and credit card numbers are managed appropriately. The challenge is that unauthorized cloud storage products are encrypted, which can make it harder to detect data leaks. Cloud-based products like SkyHigh Networks can improve data security management by monitoring employee access to a variety of cloud storage products like Dropbox, Google Drive and Box.

Buffington believes the future of enterprise file synchronization and storage lies in finding better ways to combine cloud storage and compliance from the beginning. "Cloud storage solutions mostly treat the device or some logical data set as the object in question," he said. "Governance starts to play a role when the enterprise can apply policies on the data based on the context of the data itself. This requires the ability to identify healthcare data or personally identifiable information."

For example, Druva has recently introduced inSync Proactive Compliance. This enables enterprises to quickly identify and act upon data risks across cloud services and mobile devices. The service is able to search through information as it is being transferred between devices and services using a library of pre-built templates for identifying credit numbers, Social Security Numbers and PHI.

Jaspreet Singh, CEO and co-founder of Druva, explained, "It becomes powerful because the use cases around compliance and search you have solved in data center are now easier to address in mobile and cloud infrastructure."

The problem is not how to keep it growing, but how to get more value out of the services organizations are using to manage their traditional IT infrastructure. Buffington said, "The next step is to have an enterprise-driven experience that allows IT to see whose data is being backed up and correlated with employees that leave the company, or the loss of mobile devices."

Next Steps

Put your mobility development know-how to the test

What do mobile developers need to look out for with iOS 9?

How geofencing can help improve enterprise security management

Dig Deeper on Secure application development