Here’s how to categorize cloud data in your organization
Does your company categorize data before uploading it to the cloud for archiving, processing, or transfer? This and similar questions are addressed in the IDG study “Cloud Security 2021” published in collaboration with TÜV SÜD and uniscon.
The result: More than half (53%) of the surveyed companies in the DACH region (Germany, Switzerland, and Austria) categorize data before cloud migration. Nearly a third (29%) of decision-makers said they planned to categorize or classify data, and only 11% did not. This shows that most of the study participants have recognized the need for classifying their company’s own data. But why does it even matter?
Data categorization can protect against damage
The importance becomes clear, at the latest, when company-critical data falls into the wrong hands because of missing or incorrect categorization. A data leak, for example of personal data, can quickly result in high GDPR fines (see Articles 83 and 84 et seq. of the GDPR). Company secrets, supplier contracts, and other confidential information also need to be adequately protected. This is especially relevant for strictly regulated industries, which are currently moving into the cloud in increasing numbers.
According to the IDG study, for most companies, the most important criterion for categorizing data is the intended use. But other distinguishing features can also be considered. Below, we show you how to implement data categorization in your organization.
Here’s how to categorize your company data
First, establish a policy for data categorization! Ideally, this should be short and clear and communicated to all employees (or at least those who work with the data).
In this guideline, you can state, among other things:
- what goals you are pursuing with the categorization
- how the categorization is organized, and
- according to which criteria the data is differentiated.
You can also define roles and responsibilities and provide information on handling, such as storage location, encryption, access permissions, etc.
In this first step, it is already important to consider legal requirements and compliance guidelines and to factor them into your planning. You should also decide whether only new data or also existing data ought to be categorized. The latter is more time-consuming, but it is usually safer to apply the policy to existing data as well.
The categories according to which you classify your company data depend, among other things, on the nature of the company. In addition to the intended use, the type of data often plays a decisive role here—for example, whether it is personal data or trade secrets.
For example, a common breakdown is as follows:
- Public data: Data in this category does not have to be specifically protected and can be freely accessible to the public. Examples: Sales and/or service contact information, references, price lists, etc.
- Confidential data: Confidential data is not intended for the public and is subject to certain security requirements. Examples: Organizational charts, personas, campaign structures, etc.
- Secret data: The third group includes highly sensitive data, the disclosure of which could pose a financial or legal risk to the organization and therefore requires special protection. Examples: Personal data or access data of customers and employees, patient and health data, trade secrets, etc.
Choose the right cloud provider for your categories
Once you have created a categorization policy and communicated it to your employees, assigned permissions and roles, and performed the categorization, the next step is to find a suitable provider for storing, processing, and transferring your company data.
Public data, for example, is in good hands in a public cloud. Public cloud services often take only the most necessary security precautions and are therefore not suitable for sensitive and secret data. On the other hand, they often provide intuitive operation and are usually low-priced or, in some cases, even free.
Confidential and secret data, on the other hand, require a higher level of security that only highly secure business cloud solutions or virtual data rooms can offer. In addition, the latter usually have further features such as audit-proof documentation options and journals, access restrictions and further options for protecting against unauthorized distribution such as watermarks.
And of course, personal data, business secrets, or health and financial data can also be stored in the cloud, provided that the appropriate security is demonstrable. So be sure to look for certifications and seals of approval, and pay attention to other details such as server location and underlying technology. Cloud collaboration services such as idgard® from uniscon, for example, are based on confidential computing to reliably exclude unauthorized data access and manipulation. This means that the operator is excluded as well and consequently has no access to the data in the cloud.
Interested? Then try the highly secure cloud collaboration service idgard® now for 14 days for free! No download, no installation, and no need to provide payment information. Just create an account and get started.
Categorizing or classifying data is, of course, not a data protection panacea: it alone does not protect against attacks, nor does it guarantee legal certainty. Nevertheless, well thought-out and implemented data categorization not only helps companies improve the security of critical data, but also facilitates compliance with legal and/or industry regulations. So, make appropriate considerations before migrating corporate data to the cloud and do your due diligence during implementation to be on the safe side.