Rawpixel - Fotolia


Cloud data classification services: How they benefit organizations

Data classification services from CSPs are important for organizations strengthening their cloud security posture. Expert Dave Shackleford explains the perks of these services.

Microsoft has introduced a new data classification service for Azure called Information Protection, which is designed...

to classify, label and protect data in the cloud. Specifically, Azure Information Protection allows the classification and protection assigned to the data to travel with it as it moves to and from different services and devices. Data classification services like Azure Information Protection are vitally important for a strong cloud security posture, especially for highly regulated industries worried about highly sensitive data moving into the cloud and between various cloud service environments and end-user devices.

It has long been understood that moving into the cloud brings new risks, chief among them, a lack of visibility into and control over what data is being uploaded to cloud services, who is accessing and using the data and what the data lifecycle looks like within a cloud service provider. Adallom, a cloud access security broker acquired by Microsoft, published a cloud risk report in 2014 that found 29% of employees were sharing an average of 98 corporate files with their personal email accounts, 5% of an average company's private files were made publicly accessible and 6% of files in cloud services were orphans -- of which approximately 70% were created by users outside the company and 30% by terminated employees or former contractors. With statistics like these, it's obvious that organizations need a better plan and better tools to properly classify sensitive data, tag the data appropriately and manage data creation, movement, access and processing and eventual destruction with policies. This is where data classification services come into play.

In addition to Azure Information Protection, several other service providers, such as CipherCloud and CloudLock, offer data classification services for cloud usage. Most of these services, at a very simple level, allow enterprises to tag data with specific metadata that assigns classification levels and other relevant security information and then monitor and control the tagged data with policies at a network, host or process level. Data classification services like these will allow organizations to perform the following types of activities:

  • Define data classification schemes within cloud provider environments and manually or automatically tag data at various points within the data lifecycle. This allows cloud administrators to control what data gets tagged when it's created;  those tags stay with the data throughout its lifecycle.
  • Control data movement and migration between cloud services, geographic regions and even end-user devices. This will also help with the enforcement and maintenance of compliance status and will allow the enforcement of privacy restrictions on data access and transfer outside some countries.
  • Implement data classification oriented access controls and privilege models. While there are many types of identity and access control models being used in cloud service environments today, the ability to control who can access and use data based on classification definitions will add another vital dimension to identity management policies and strategies.
  • Monitor what types of data are in the cloud, where the data resides and who has had access to it. Knowing what types of data are in the cloud, where they reside and who has accessed data over time will help security teams to keep track of what users are doing and, ideally, detect shadow IT scenarios in the cloud quickly.
  • Integrate data classification policies with other strong data protection controls like encryption and data loss prevention. Much of this will rely on APIs provided by data classification and protection vendors, along with the cloud providers themselves.

The addition of data classification services with tagging and policy enforcement will be a strong differentiator for cloud providers that want to provide their customers with more granular control over the entire data lifecycle, beginning with data creation. Security teams will benefit by having much more flexible approaches to data policy management in the cloud, as well as more monitoring capabilities that align with the most sensitive data that they are concerned with protecting. 

Next Steps

Check out these tips for creating a data classification policy

Learn why classification is essential for big data

Find out how to thwart dark data with data classification services

Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices