The Doppler Quarterly Spring 2019 - Page 73

As organizations look to leverage their data to the fullest extent, they must develop comprehensive security policies, with data gravity considerations in mind.

Data security was a straightforward process back when organizations stored all their data in on-premises IT environments. Organizations used the “lobster” security model – building hard-shelled exteriors to fend off threats at the perimeter — but they had fewer internal protections for the soft, delicious data inside.

In a cloud-oriented world, data protection is much more complicated. Companies are using the cloud for a growing list of benefits beyond scalable compute/storage capabilities, while still managing resources in on-premises IT environments. In a cloud or hybrid environment, the focus should be on protecting the workloads themselves, not just the perimeter. Perimeters are more variable in the cloud. So, lobster models do not work in these scenarios. To protect data in today’s hybrid IT world, organizations need to take a closer look at how workloads behave, and adjust their overall data protection approach.

One way to better understand the changing nature of data protection is to see it in terms of data gravity. While data is stored in a digital format, it behaves like a physical mass – pulling in other resources throughout the IT stack. Simply put, the bigger the mass of data, the more it attracts applications and services to work with that data. In the cloud, data forms complicated relationships with associated apps and services. Organizations need to map these relationships, rethink their security strategies and leverage new tools to manage the increasingly complex data protection process.

Let us assume your company, in order to compete more effectively, is looking to leverage public cloud to accelerate time-to-value for your customers and optimize IT costs. As you evaluate which applications should migrate to the cloud, you will need to think through how data gravity and data protection needs affect your strategic goals.

To create a data protection plan that meets hybrid IT demands, organizations need to consider a number of factors around how data is organized, consumed and classified. They have to classify their data according to a number of parameters, including business needs, regulatory and specific data residency requirements. Each of these factors has a certain weight associated with it. They need to analyze how their data is grouped, and understand which groupings of data exert which kinds of gravitational forces. Doing so will help organizations develop more effective workload and data protections as they consider where their data may relocate.

Data Classification

If your organization has not done so yet, the first step on the data protection journey is to take inventory of your data and classify it according to various measures. Risk is an essential place to start. Rank your data from lowest to highest risk, starting with public access content (such as a public-facing website), moving up through internal business communications, to ultra-secret data (such as trade secrets and regulated content like PII and HIPAA data). Then determine which data groupings relate to other residency or regulatory requirements. (This is always worth reconfirming.) Finally, map out what your business needs are for the data in terms of types and frequency of access by which users in the organization. This mapping is essential to align how each type of data should be treated and protected. Simply