I have had the opportunity to talk to business customers all over the world about the benefits of Cloud computing. One of the conversations I have had many times goes this way:

Tim: Which Cloud services do you use?
Customer: We don’t use any Cloud services.
Tim: Why don’t you use the Cloud? Your business could benefit so much from it.
Customer: We can’t trust the Cloud with our data because of security concerns.
Tim: While it’s probably true that some of your data is so sensitive for your business that it might not be appropriate to put it into a public Cloud, not all of your data is that sensitive, right?
Customer: It’s true that some of our data is more important than other data. But we need to protect all of it.
Tim: Does your organization use any sort of data classification process?
Customer: Data classification? No.
Tim: Then how do you determine the relative value of different data sets to your organization? It might be the case that you shouldn’t move the really high value data into a public Cloud, but you might be leaving money on the table by not moving low value data into the Cloud and simplifying your operations. Data classification can help you make this determination.
Customer: Please tell me more about data classification…
 
I have had conversations like this more than a few times. An effective data classification process is important because it can help organizations determine the appropriate levels of control to maintain the confidentiality and integrity of their data. It can also deliver significant benefits, including improved ways to manage the organization’s resources and compliance efficiencies, and it can help facilitate migration to the Cloud, which can provide numerous benefits.

I thought it would be valuable to publish some guidance on data classification specifically for the Cloud computing context. Today we are publishing two new papers on data classification.

The first paper that we are releasing today is a new paper in our CISO Perspectives series, titled “CISO Perspectives on Data Classification.” This paper provides insights from leading chief information security officers (CISOs) at a couple of very successful companies. The aim of the paper is to share and highlight some of the key things that CISOs and information and security risk specialists might want to consider in relation to data classification. The paper discusses what data classification is, its categories and processes, and the key challenges associated with data classification projects. It also provides a number of references for more information that the CISOs interviewed have found helpful.

For this article we interviewed the following industry leaders:

  • John Meakin, Chief Information Security Officer, Royal Bank of Scotland Markets. Royal Bank of Scotland is an international banking and financial services company headquartered in Edinburgh. More about Royal Bank of Scotland.
  • Timothy Youngblood, Chief Information Security Officer, Dell. Dell provides technology solutions for people at work, at home and at school. More information about Dell.
  • Pierre Noel, Chief Security Officer & Advisor Asia, Microsoft. More information about Microsoft.

The second paper we are releasing today, “Data Classification for Cloud Readiness,” provides an in-depth view into the importance of data classification and how it can help organizations manage risk. The paper also considers technologies such as encryption, rights management, and data loss prevention solutions, and how their implementation has evolved in the cloud era. It also identifies some of the top data classification regulations and compliance requirements that are currently relevant.

If your organization currently treats all data as if it has the same value, or you have not embraced Cloud computing yet because your organization has a “one size fits all” approach, these new papers will likely be helpful.  

Tim Rains
Director
Trustworthy Computing