The pandemic—and its impact on companies and their workers—has accelerated the overall transformation of most businesses. The shift of data and applications to cloud is a prime example. While IT budgets fell by more than 4% in 2020, spending on public cloud was up 19%, and spending on cloud security rose 33%, said the Cloud Security Alliance (CSA).
Companies that once had conservative multi-year plans to move applications and infrastructure to the cloud—along with the attendant data—emerged from 2020 with more aggressive plans. Rather than their infrastructure consisting of 10% to 20% cloud, companies now have flipped that to 80% in the cloud.
And when applications can instantly be spun up, replaced or scaled, the criticality of business data only increases, said John Yeoh, global vice president of research for the CSA. Cloud service providers are getting better at helping companies manage that data, but many holes remain.
"When it comes to that unstructured data, we are getting a lot better grip, and there are a lot of solutions that help us understand, categorize, and discover our data. But every provider has their own classification schemes, and it's really hard to find a common classification language out there, which makes looking at the complete picture more difficult."
—John Yeoh
With companies looking to ensure that their data remains secure, whether on-premises or in the cloud, data-security platforms are moving to better discovery and classification capabilities as well as integration, technology research firm Forrester stated in "The Forrester Wave: Unstructured Data Security Platforms, Q2 2021."
Yet higher volumes of data mean much higher costs. When a company moves on-premises data to a cloud application, it should not move all rows and columns into the cloud, said Greg Clark, worldwide director of product management for CyberRes, a Micro Focus line of business.
"In some cases, organizations have gone unprepared into this cloud and hit the accelerator too fast and just moved their problems into the cloud. This necessitates the need for data discovery and understanding the value of the data."
—Greg Clark
Here are five key lessons for companies looking to secure their sprawling data, whether on-premises or, increasingly, in the cloud.
1. Make sure data security supports the business
Too often, security efforts interfere with the business. Data security must protect data against misuse, breaches, and accidental deletion, while still allowing companies to use the information in a relatively frictionless way.
The Forrester report identified reducing the cost of using data—even when fully secure—as a key metric for optimization:
"Although these offerings can be deployed across your entire environment with centralized policy management to produce consistent policies for controlling data, this alone is not enough. Evaluate overall manageability, usability, and support capabilities from the vendor to ensure it aligns with your available staffing capabilities and expectations."
2. Too much data is an anchor
Companies that hold on to too much data are setting themselves up for failure. Keeping too much data, or inheriting it in a merger with another company, makes costs balloon, especially in the cloud. You have to pay not only to house and back up the data, but also for security, tokenization, and identity and access management.
Companies need to be able to perform a risk assessment of that data—find what is valuable, find what is not, and take some actions against low-value data, so that the business can accelerate, said Clark.
"Most organizations have not pushed that delete button in some time, if ever. Most businesses are dragged down by this anchor that is the data that has been around for 10 or 15 years."
—Greg Clark
3. Supporting the remote workforce is mandatory
Prior to the pandemic, companies could require that employees access the most sensitive data only while in the office or connected through a work machine via a virtual private network. Yet, with most enterprises expecting to have employees continue to work remotely at least part of the time, such restrictions are no longer a viable option.
To support that mode of work, data security tools must verify the user and their access whenever necessary, in what Forrester refers to as a zero-trust framework. Forrester noted in its report:
"These platforms take into account and assess telemetry about not just the sensitivity of data, but also contextual information about the user, device, and other conditions or attributes—and automatically adapt its response to grant or deny access as this telemetry changes."
4. Cloud migration highlights need for data discovery
The move to the cloud that most companies have undergone stresses the importance of knowing how much data your company needs to retain, but also classifying the criticality of the data and what business function it has.
Moving every piece of data to the cloud is not only unwise, but also expensive. Because the cloud model is based on operational expenditures, companies are charged for storing their data, accessing it, and securing it. Unrestricted movement of data to the cloud will be costly, said the CSA's Yeoh.
"At the end of the day, a lot of it comes down to governance, understanding what data you have. Data sprawl is still a big problem at organizations. [Know] where your data is at all times and how sensitive that data is."
—John Yeoh
5. Supply chains are increasingly important
To protect data, companies also need to secure their supply chain, including knowing who is accessing their data. With compromise-by-supplier attacks such as SolarWinds and the targeting of data custodians such as in the American Medical Collection Agency breach, data security includes ensuring that such providers are secure as well, Forrester stated in its report.
"You must hold your security vendors to the same security level that your organization implements in your own environment."
Know the tools to get the job done
Now that you know what's important in terms of areas to focus, it's time to evaluate tools that can get the job done. In Forrester's Wave, the research firm focused on data-control products that do at least six of eight different data-security and integrity functions: data discovery, data classification, data intelligence, security data analytics, access control, data inspection, data deletion, and data obfuscation.
Put these lessons and analysis of tools into action on your team so that data sprawl doesn't get the best of you.
