Cloud provider capabilities are evolving faster than ever, and enterprises are taking notice. With all the progressive features, cost savings and labor efficiencies modern cloud data access control platforms offer, why wouldn’t organizations seize the opportunity to accelerate data analytics and derive insights that could give them a competitive edge?
Unfortunately, cloud migration doesn’t happen overnight and has numerous blind spots that are difficult to fix until it’s too late. Additionally, data engineers tasked with preparing each data set for migration and analysis are potentially liable if any compliance or security measures fall short. With multiple cross-functional inputs, data consumers, and regulatory standards to consider, sensitive data can be at risk — unless a sound plan is in place.
Cloud data access control is key to secure and scalable sensitive data discovery, classification, migration, storage, and compute. As you migrate to the cloud, watch out for these common blindspots to protect your data and make the process as smooth as possible.
1. Sensitive data goes beyond PII and PHI
You know sensitive data when you see it — or do you? Personally identifiable information (PII) and protected health information (PHI) are commonly cited and are familiar to data teams, but they merely scratch the surface of what defines “sensitive data.”
Consider your credit card number; it doesn’t necessarily say anything about your personal identity but in the wrong hands it can certainly be used to harm you. The same goes for your usernames, passwords, calendars, emails, and even information you share in confidence with your attorney. In a personal context, it’s easy to see how the scope of data sensitivity quickly becomes much broader. Likewise, enterprises with information regarding salaries, employee data use, contractual agreements, and corporate operations, among others, are also in possession of sensitive data that could be used for personal or competitive gain.
As you plan your cloud migration, look past traditional personally identifiable information and be sure you’re taking other types of sensitive data into account.
2. Access policies and controls depend on use case
Too often, data engineers are bogged down by having to make pseudonymized or anonymized copies of data, then apply coarsely-grained access controls to the copies. In addition to taking up storage space, this method of data protection creates all-or-nothing access levels, and requires time-intensive updates as users or use cases evolve.
A common mistake when migrating sensitive data to the cloud is not first assessing how data is currently used and anticipating how it might be used in the future. However, data teams that take this small additional step are able to standardize data policy enforcement across platforms and apply fine-grained data access controls based on user role, attributes and purpose. Taking a dynamic approach to access control ensures that the right users, under the appropriate conditions, are able to access sensitive data when they need it without arbitrary restrictions.
Writing and applying dynamic access control policies clear expectations of how data will be used sets data teams up for reduced complexity as teams, data sets, and data sources inevitably grow. Not only will you save time and increase productivity, but you’ll be ready for future cloud migrations with a consistent data privacy policy framework across cloud environments.
3. Flexibility is key for data access control in cloud computing
By now, you’re familiar with the concept of separating compute and storage — in essence, freeing up compute space by keeping prevalent data at rest in storage until it’s needed for specific computations. As more cloud data platforms roll out this architecture, it’s easy to overlook how legacy access controls may no longer work as expected or how policies will need to be consistently applied across multiple solutions providers.
When planning your cloud migration, identifying a data access control solution that can be deployed across a hybrid cloud compute environment is critical to avoiding these two major blindspots. An inflexible data access control tool will perpetuate the need to manually apply access controls across platforms and introduces risk associated with inconsistent policies. Imagine having to apply data protections independently for each cloud platform you use — how would you keep track of every permitted use case and access policy, and how long would you spend compiling reports on data access and usage? This policy bloat would essentially erase the cost and time savings that make cloud migration appealing in the first place.
Additionally, creating fine-grained access controls across all data users, particularly in a multi-compute environment, results in hundreds of roles that must be managed manually. This introduces new risk with each change to the data, which can quickly become difficult to control. Attribute-based access control policies help avoid this role bloat across cloud data platforms by scaling policies across hundreds of roles, without role-based limitations.
Immuta integrates with various cloud platforms like Databricks, Snowflake, and AWS, so you can work seamlessly across systems.
4. Applying rules doesn’t equate to compliance
Recent regulatory enforcement actions, such as the 23 NYCRR 500 case with First American Title Insurance, prove that simply applying data privacy rules does not necessarily satisfy compliance requirements. However, this is often an oversight when migrating sensitive data to the cloud — and one that could put you at risk to be held accountable if those rules fall short.
Achieving regulatory compliance has two distinct parts (and involve both data teams and legal/compliance teams):
- Creating and applying data privacy rules in accordance with regulations, often done with input from legal and compliance teams.
- Having a strategy to monitor and confirm the impact of those rules against their objectives. Data teams must be able to verify data privacy rules are actually working as intended.
Without the second part, data teams are at risk of being held liable for damages regardless of the rules you’ve applied, as was the case for First American Title Insurance. When migrating sensitive data to the cloud, look for a data access control solution like Immuta, which enables data teams to validate policies, monitor and log data requests and access, quickly generate reports, and complete comprehensive audits whenever necessary. You can learn more about how to verify compliance measures in Seven Steps for Migrating Sensitive Data to the Cloud: A Guide for Data Teams.
Migrating data to the cloud, particularly sensitive data, can be complex — but it doesn’t have to be. Anticipating and making a plan to address these four common blindspots will help your team execute a smooth, secure cloud migration. But this is just the start.
To start your cloud migration with Immuta, request a free trial of our SOC 2 Type 2 certified SaaS deployment today.
Ready to get started?
START A TRIAL