  • dustin4158

Classifying Data in the Cloud

In reading through this survey released by the Cloud Security Alliance in June (link in comments below), I have a couple of takeaways. First is that organizations are still struggling to understand where their data is and how it’s being used, and to classify that data. This isn’t a cloud problem, however. Organizations do not sufficiently understand their data usage, whether it’s in the cloud or on premises. Until businesses become more active in inventorying and classifying data, regardless of where it’s processed, stored and transmitted, they will continue to struggle to evaluate their risk posture effectively.

In theory at least, cloud platforms offer organizations the means for making this effort more achievable. Amazon Macie, for example, is purpose-built for automated discovery and classification of sensitive data. And while this capability is currently limited to S3 data stores, there are other means that can be programmed within AWS for detecting and alerting on the presence of sensitive information. I’m curious whether capabilities such as these are not working as advertised, whether it’s a problem of users not being aware of the capabilities, or whether inventorying and classifying data properly is still just being overlooked as a necessary function. I suspect it’s some combination.

A second observation I have in reading this report is that organizations were responding that they are not able to effectively measure risk. Well…yeah. If you don’t know where sensitive data is, how it is used or what its classification is (assumed to include not understanding the value of that data), it’s pretty impossible to understand impact or perhaps the probability of a threat event. It doesn’t matter whether you’re talking about quantitative or qualitative risk evaluation: if you don’t understand the usage or importance of data, you can’t objectively calculate risk to any degree of accuracy or consistency.

While I found this report interesting, what I’m also interested in seeing is how these same organizations would respond to the same questions for on premises and whether there are any significant differences in the answers provided.
