Cyber Risk Advisory

Data Governance in the Cloud

June 20, 2019

Data governance is something your organization has likely considered, put into action, and implemented. The question is, to what degree is the data actually being governed – or not?

Storing data in the cloud is also something that your organization is likely already doing regardless of the degree to which the data is actually being appropriately governed.

Before diving deeper into cloud data governance, a quick review of data governance basics may prove helpful. At a high level, data governance is ensuring that an organization’s data is of high quality, readily available for use by authorized employees, consistent in both form and function, and most importantly, secure while in use, in transit, and at rest.

The level of an organization’s data governance proficiency, like many other aspects of data security and management, can be placed on an optimization or maturity spectrum. On the low end of the spectrum, data governance is informal, undocumented, or not considered at all. On the high end of the data governance maturity spectrum, organizations have established, well-defined data management and security models managed by designated users following published policies and procedures.

Organizations should ensure their ability to control, manage, and secure data on-premises before moving to cloud-based solutions. As the number of applicable regulatory frameworks grows, organizations must consider data governance not just for efficiency, optimization, and security, but, more importantly, for the potential legal, regulatory, and reputational effects should they lose, mishandle, or disclose any sensitive information in an unauthorized manner or to unauthorized parties. The potential legal ramifications, monetary fines, and damage to company perception far outweigh the costs of operationalizing a documented, repeatable Data Governance Program.

Recommendations for establishing general data governance include:

  • Conducting a thorough asset inventory of hardware, software, and data
  • Establishing a data classification schema, supporting program, and tools
  • Including a role-based access control (RBAC) policy and associated RBAC matrix that defines which roles have access to specified assets based on data security level and job function requirements
  • Defining a top-down management structure to ensure ongoing reliability and accountability of those responsible for maintaining the various aspects of the Data Governance Program

The most important considerations for incorporating cloud-based solutions into a Data Governance Program include documenting all data flows from on-premises devices to those hosted in the cloud, cloud-to-cloud, and from the cloud back to on-premises devices. Additional considerations include monitoring those data flows for adherence to the program policies and incorporating an ongoing Change Management Program so that every new cloud device and its data flows are accurately diagrammed and documented.

Data governance can seem like a daunting task, and incorporating cloud storage, hosting, and data transfers only complicates it further. To implement a successful Data Governance Program, data owners must ensure that the proper buy-in, management support, and top-down leadership are all in place, and that all parties understand the need for and importance of supporting the Data Governance Program, as well as the liabilities they could face should the program not be followed.