Use of cloud services has become commonplace for most private equity firms. Too often, a firm or its portfolio companies move to a cloud service first and only then investigate how to secure the data they have put there. Questions about data risk and data security should always come first.
No matter where your firm or its portfolio companies are in the process of cloud migration, Agio’s industry experience in cloud security has taught us the five most important steps to securing your critical data in the cloud.
Step 1. Understand business requirements
Migration to the cloud is not an IT decision; it is a business decision. I am often asked whether public cloud services like iDeals, Intralinks, Box and Office365 are secure to use. The answer depends on the nature of the data being migrated and on the regulatory, compliance and business requirements that apply to it.
Cloud services operate under a shared responsibility model: the provider secures the underlying infrastructure and platform, but responsibility for the data itself, for who may access it and for how the service is configured stays with you, the data owner. For public or low-sensitivity data, the provider's baseline controls may be all that is needed. If, however, the data is sensitive (e.g., investor information) such that a breach would trigger notifications to multiple state attorneys general, fines, and a loss of investor trust and firm reputation, then far more diligence is required to confirm that the cloud service provides the necessary security controls.
Needs like encryption, data loss prevention (DLP), and strong audit controls must be considered. In some cases, on-premises data centers may still be the best solution. Conducting a risk assessment with a business impact analysis is a key step for any firm in determining what data can be moved. Such an assessment must include, at a minimum, a determination of the impact to the firm should data stored in the cloud be breached, and it should be informed by business requirements, which in turn derive from regulatory and compliance obligations.
Step 2. Classify data to match business and compliance requirements
Most PE firms have some form of data classification, the organization of data into categories for its most effective use and protection. For many it is a simple division into sensitive and non-sensitive data. But if the firm were alerted to unauthorized access to a cloud file share, would you know whether that share held investor data that would require breach notification? Do you distinguish between trade positions and investor lists?
The most mature firms classify data in ways that make the business and compliance consequences of a breach immediately clear. This can be a three-tiered (public, confidential, protected) or multi-tiered (public, sensitive, PII-USA, PII-EU, PHI-USA, PCI) approach. For the higher data classes it is understood that, if a breach occurs, the appropriate notifications must be made. Classification also makes it easier to determine which data can safely be moved to the cloud and which requires stronger security controls. Whatever the model, it must be applied consistently in the datacenter and in the cloud.
Step 3. Label and store data in accordance with data classification
An associate opens several Word documents and PDFs from the data room as part of the due diligence review of a new startup, but nothing in the file names or format indicates the sensitivity of their contents. Can this data be downloaded to a laptop? Can it be emailed?
Without proper labeling and storage of sensitive data in the cloud, and the training that goes with it, users are left to their own devices to decide how to handle data. Proper data labeling and storage can be as simple as establishing a naming convention for sensitive files or folders, or as advanced as document headers or footers, digital watermarks and full-scale digital rights management (DRM).
Another crucial component of storing data in the cloud is a data map. Data maps should be created or updated to note all data in the cloud, the data classification and who is responsible for managing its security.
Step 4. Implement strong access controls in the cloud
The same strong control over who can access sensitive files in the firm's datacenter must be applied to data in the cloud. Depending on the cloud platform or service management in use, an identity service such as Azure Active Directory, or a Cloud Access Security Broker (CASB), can give management visibility into which cloud services are active and enforce password, multi-factor authentication (MFA), least-privilege and other policies across them.
A CASB can also help firms identify “shadow IT,” cloud services used by members of the firm that IT management is not aware of, and make sure they are secured in accordance with the firm’s policy.
Step 5. Use data loss prevention (DLP) tools to track and secure data
A breach is the unauthorized disclosure of data. DLP tools exist to prevent particular types of data from being disclosed to people, or through channels, that are not authorized, and so to prevent breaches. Virtually every DLP solution ships with out-of-the-box detectors for credit card and Social Security numbers; the better ones validate each match (for example, a Luhn check on a candidate card number) rather than alerting on every run of digits, which keeps false positives manageable. Many can also be tuned to recognize the labels, headers or watermarks your firm has deployed alongside DRM and to prevent labeled files from being printed, copied or emailed.
These solutions can be deployed at the network perimeter, on storage repositories, and within endpoints and applications to cover the many paths by which data can leave your control. An ideal DLP deployment, often built from several tools, monitors all of these and blocks behavior that violates the firm's policy.
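To make Steps 3 and 5 concrete, here is an added example (not Agio's code or any DLP product's) of the content-inspection core of a DLP rule: it detects credit card and Social Security numbers, validates each hit so look-alike digit runs do not become false positives, recognizes a classification header of the kind Step 3 describes, and applies an egress policy per channel. The "CLASSIFICATION:" header convention, the policy, the channel names and the sample documents are all assumptions constructed for this example.

```python
"""Content-inspection core of a DLP rule: structured-PII detectors plus the
classification labels from Step 3, evaluated against an egress policy.

Added example, not a product's code. The CLASSIFICATION header convention,
the policy and the sample documents below are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Step 3 labeling convention assumed here: a header line "CLASSIFICATION: PROTECTED".
LABEL_RE = re.compile(r"^\s*CLASSIFICATION:\s*(PUBLIC|CONFIDENTIAL|PROTECTED)\b",
                      re.MULTILINE | re.IGNORECASE)
# 13-19 digits with optional single space/hyphen separators, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the common dashed form; structural validation happens in ssn_ok().
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


@dataclass
class Finding:
    kind: str   # "label", "credit_card" or "ssn"
    value: str  # label name, or the matched number masked to its last four digits


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect(text: str) -> list[Finding]:
    """Run every detector over the text and return only validated findings."""
    findings: list[Finding] = []
    label = LABEL_RE.search(text)
    if label:
        findings.append(Finding("label", label.group(1).upper()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("credit_card", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3)))
    return findings


# Assumed policy: PROTECTED never leaves on any channel; CONFIDENTIAL and any
# validated PII are blocked on channels that leave the firm's control.
EXTERNAL_CHANNELS = {"email_external", "print", "removable_media"}


def decide(text: str, channel: str) -> tuple[str, list[str]]:
    """Return ("block" | "allow", reasons) for moving this content over channel."""
    findings = inspect(text)
    external = channel in EXTERNAL_CHANNELS
    reasons: list[str] = []
    label = next((f.value for f in findings if f.kind == "label"), None)
    if label == "PROTECTED":
        reasons.append("PROTECTED data may not leave the repository on any channel")
    elif label == "CONFIDENTIAL" and external:
        reasons.append(f"CONFIDENTIAL data sent over external channel {channel}")
    pii = [f"{f.kind}={f.value}" for f in findings if f.kind in ("credit_card", "ssn")]
    if pii and external:
        reasons.append("validated PII over external channel: " + ", ".join(pii))
    return ("block" if reasons else "allow"), reasons


# Constructed sample documents (not real data).
SAMPLES = {
    "investor_letter": "CLASSIFICATION: PROTECTED\nCapital account statement.\nSSN on file: 078-05-1120\n",
    "card_form": "Please charge 4111 1111 1111 1111 for the conference fee.",
    "lookalike": "Order reference 4111 1111 1111 1112 is not a card number.",
    "memo": "CLASSIFICATION: CONFIDENTIAL\nQ3 pipeline review; dial-in 212-555-0100.",
    "newsletter": "CLASSIFICATION: PUBLIC\nOur annual letter is now available.",
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        for channel in ("email_internal", "email_external"):
            verdict, why = decide(doc, channel)
            print(f"{name:16} {channel:15} {verdict:5} {'; '.join(why)}")
```

The point of the two validators is the false-positive problem from Step 5: "4111 1111 1111 1112" is a sixteen-digit run that a naive pattern would flag, but it fails the Luhn check and is allowed through, while the PROTECTED header blocks the investor letter even on an internal channel because the label, not the detectors, carries the policy. In a real deployment the same inspect/decide split sits inside the network, storage and endpoint agents named above, each feeding the channel it watches.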