One of the things that I am noticing now with the customers that I talk with is that the euphoria of cloud computing is most certainly giving away to reality of the hard work that needs to be done to leverage cloud computing in public sector. The challenge mainly stems from the fact that the public sector entities really need to understand the intersection of data that they have and the laws that govern the data. Effectively the road to Cloud or any shared services /multi-tenant environment for these customers runs through a data classification activity that will allow them to clearly demarcate what is public and what is not.
As much as this data classification activity looks easy it really is not.
Consider the challenges that come to the front when a data classification activity is undertaken
- Need to first understand the laws that govern the data (HIPAA, HITECH, Privacy laws)
- Need to understand underlying data relationships between the various data elements. This understanding helps one to ascertain whether a standalone data element that can be considered data insensitive, can be considered data sensitive when combined with one or more data elements. For example, having my last name alone may not be considered a data issue, however, having my name and address may be considered sensitive. In that case, Last Name has the potential to become data sensitive.
- Complete the mapping of various data elements to either sensitive or public ( Use a simple nomenclature and don't do too much labelling)
- Mine applications/data (both structured and unstructured) for the sensitive data elements and create a matrix of these applications. There are products out in the marketplace today to mine structured data for sensitive data elements. One can look to also use perimeter network security detection tools to look for data elements that are sensitive as they cross network boundaries.
Now that you have done this data classification activity, you are ready to embark on your next step - which is to assess whether an application or set of applications are "Cloud ready".
Those applications which do not contain any sensitive data elements can be automatically thought of as cloud ready.
The applications that DO contain sensitive data needs to be now looked to see if they are "Cloud Ready".
I will talk about Cloud Readiness model and how to apply that to sensitive applications in a later blog.