Grounded in the Cloud
Compliance in the Cloud: Data Protection

ChrisSteffen

This is the fourth blog in a series of blogs and podcasts that provides information surrounding the concepts of compliance in a cloud environment. In this series, we will provide greater insight into the concepts and best practices for many of the considerations that are generally part of a cloud compliance program. In the previous blog, we reviewed "End User Security". In this installment, we will be discussing the topic: "Data Protection".

Arguably, the most important aspect of an enterprise's information security program is centered on data protection. Data protection is the capability that defines how data is secured against loss and/or corruption at every stage of its handling. A cloud compliance program should treat data protection as a primary evaluation within a larger set of security controls that protect the environment, and it should be evaluated at all points of the infrastructure.

When creating compliance controls for data protection, it is important to go back to the basics:

How is the data secured?

As with all technologies, there is a variety of methods for securing important data in a cloud environment. For the most part, the major public cloud providers encrypt data stored in their environments while at rest, but is that enough? It is important to know how data will be protected before migrating to a cloud solution. There are many types of key management solutions, and it is critical to find one that integrates with the cloud solution while also meeting your key management and compliance needs. Often, a cloud solution will deploy with a key management solution, eliminating the need to purchase a third-party management tool. Some cloud solutions allow the end user / company to manage keys, while others require that the keys be managed by the hoster. Depending on the industry and the nature of the data, different regulatory frameworks may have different requirements.

Where / When is the data secured?

There are three basic states for data protection, and data should be protected in every state: when it is being stored (at rest), when it is being sent across a network (in motion), and when it is being used by an application or database (in use). Any data encryption and cloud solution should have a method of protecting data in all of its various states. As before, there are numerous technologies for securing data in each of these states, and a company should pick a solution that is in line with its overall security needs.

Why is the data secured?

Some companies choose to encrypt everything all the time, and that is certainly one approach. However, knowing what data is being exposed to a cloud environment is as important as encrypting the data itself. Performing a data inventory is the first step to understanding the types of data that are included in a cloud solution. From there, the data can be classified, evaluated for risk, and stored (encrypted) appropriately. Completing a data inventory is also the first step in fulfilling the types of privacy requests that may be required of those companies needing to comply with the newly adopted US-EU Privacy Shield agreement.

Data protection considerations should be one of the primary factors, if not the primary factor, when creating a set of security controls for cloud compliance. The importance of securing data, whether in a hybrid, private or public cloud model, cannot be emphasized enough. Much of the legislation that continues to evolve around the world is designed specifically to address data protection and privacy. How a company achieves regulatory compliance will be directly related to how its data is protected and secured.

For the next blog in this series, we will discuss the compliance topic: "Priorities: Security vs. Compliance." To learn more about cloud compliance and hybrid cloud security, download the whitepaper from 451 Research Group. You can also learn more about the HPE Right Mix hybrid cloud, as well as the Right Mix approach to cloud security.

To find the additional parts of this series, please search for "Compliance in the Cloud". A list of all of Chris Steffen's blogs is available on Grounded in the Cloud, and his posts are also available on his Medium site.

About the Author

ChrisSteffen

Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that works to educate and promote information security as it relates to cloud computing solutions. Before joining HPE, Chris spent over 15 years as an IT executive and security practitioner in multiple industries, including financial services, manufacturing and government. He is a noted industry expert and holds multiple technical certifications, including CISSP and CISA. You can follow him on Twitter at @CloudSecChris.
