In my first post in this series I covered the steps that healthcare organizations should take in preparing to move patient data to the cloud as well as how a cloud DLP solution can facilitate a secure transition. Once the decision is made to proceed with the cloud and a DLP solution, the following steps should be taken to prepare for and execute the migration of on-premise data to cloud storage. Leveraging DLP and data discovery tools in the process will ensure that regulated information will be properly identified, categorized, and protected or removed before it may be uploaded and exposed to access in the cloud:
Scan Data Already in Cloud Storage
Use the DLP discovery tool to inspect all previously stored information in the cloud to bring it under the same policy levels as will be applied to the newly migrating data. This will assure uniformity in that newly adopted policy rules will be applied to any older data already placed in the cloud. When selecting a DLP solution, make sure that it has cloud discovery capabilities.
Identify Assets for Migration to the Cloud
Identify information assets that are candidates to move the cloud. This will require identifying and categorizing the information on all storage under control of the organization, including file servers, file shares, SAN, SharePoint servers, user home directories, workstations and laptops in order to determine the best candidates to move the cloud. For example, it might be an easy decision to consider moving a marketing file to the cloud to facilitate sharing with an external design agency.
Scan the Identified Assets for Regulated and Sensitive Data
Once candidates have been selected for cloud migration, the next step is to identify any potential regulated or other sensitive information within the data set. Use your DLP discovery tool to scan and carefully assess data. Where needed, apply protections to specific information assets prior to migrating them to cloud storage. An example might be to encrypt any files containing personal health information.
Review Any Sensitive Data Found
The DLP discovery scan will produce a list of any potential regulated or sensitive information detected. This output will help determine any further actions required before moving the data to the cloud.
Protect Any Sensitive Data as Appropriate
Protections should be applied to any potentially sensitive data both during and after the discovery scan. These include: encrypting data, moving files to secure vaults, deleting unneeded files, or applying rights management. If the objective is to move a data set to a cloud storage provider, then all sensitive data (including regulated information) must be secured or simply removed altogether prior to moving.
Move the Information to the Cloud
Once the data has been identified, analyzed, and protected (where needed), it is ready for migration to a cloud storage provider. If any data has not already been sanitized then apply DLP to scan and block any protected data prior to transmission. By making a thorough review of all information that will be moved to the cloud, you can prioritize and protect sensitive data appropriately before exposing it to increased risk. Of course, the job of protecting sensitive data isn’t done once that data hits the cloud – in my next and final post in this series I will cover how to keep cloud data secure.
