Achieving Data Resiliency with Data Classification and the Shared Responsibility Model

Solutions Review’s Premium Content Series is a collection of contributed articles written by industry experts in enterprise software categories. In this feature, Clumio co-founder and CTO Woon Ho Jung offers commentary on achieving data resiliency with data classification and the shared responsibility model.

The last year brought with it a number of high-profile data breaches at prominent companies such as Uber, T-Mobile, Rackspace, and LastPass – leading to all manner of frustrated customers and compromised data, not to mention class action lawsuits. More specifically, ransomware attacks are becoming more expensive and time-intensive to recover from, increasing in 2022 by 41% in cost and 49 days in recovery time. This threat is lethal to businesses that overlook their data protection strategies.

If the past year has taught us anything, it’s that anyone can be vulnerable to attacks in the cloud without proper protection—from the largest organization to the smallest startup. Modern applications are powered by ephemeral compute, yet persistent data—vast data lakes and data warehouses. As this data continues to grow exponentially, the attack surface for breaches, ransomware, and even accidental deletions keeps increasing. While the last decade focused on putting data to use quickly, this decade will be about reining it in—bringing organization, structure, and resilience to this data in order to ensure proper protection.

Data Classification & Shared Responsibility

The Call for Classification

As multi cloud environments become more common, it not only becomes more difficult for customers to enhance the resiliency of their production workloads, but even the process of identifying and locating their data across cloud environments becomes a greater challenge. Organizations must think of the cloud and data stores as rooms in a house. It has become incredibly important to go through each repository of information, clear out unnecessary material, and know where and how data is stored to ensure it is also being protected.

The ability to look inside storage and backups by means of an index and catalog also helps understand its usability and lineage. This is critical for compliance audits and proving disaster resilience. It’s time to clean out those old snapshots, replicas, and archives, and consolidate data archival and backups into a well-cataloged, searchable platform that ensures efficient storage and observable data trails that are easy to maintain on an ongoing basis.

Such organization calls for data classification—a key shift from protecting all data en-masse toward implementing tiering and group-based classification systems. This not only strengthens data security, but delivers financial savings for businesses. Take, for example, a healthcare data lake. A majority of information that is backed up from that data lake requires only 30 days of retention for operational recoveries, but the data lake may also contain health records that need to be retained for 6 years to comply with the Health Insurance Portability and Accountability Act (HIPAA).

In this case, rather than backing up all the objects that comprise the data lake for 6 years, data classification during backups can reduce costs by over 90% without any compromises to security and compliance. Classification by access patterns, object tags, tiers, and other metadata also allows businesses to store their data in a way that’s neither overprotected nor under-protected, but perfectly tailored to the unique aspects of that dataset. Classifying data in this way best protects it while reducing costs and meeting compliance standards.

Taking on the Shared Responsibility Model

There are two key threats to data resiliency in the cloud—the misconception that your cloud or SaaS provider will ‘automatically’ safeguard your data, and thinking that cybersecurity is the same as data security. Customers need to remember that the validity, security, and resilience of this data is the customers’ responsibility, clearly stated in the Shared Responsibility Model of most cloud service providers’ terms of service. Customers also need to understand that cybersecurity alone doesn’t suffice. A huge component of data security is protection against accidental deletions, disasters, and misconfigurations—most of which are user-driven.

In addition to the regulatory commitments of an organization, data needs to be operationally resilient. For example, many architectures on AWS, even those that split workloads into multiple availability zones, have one central data lake or bucket. The biggest myths in AWS architecture are often related to resilience. The service is resilient, yes, but there is no guarantee for the resiliency of the data, configuration, or other components that turn building blocks into functional applications.

Even though cloud providers are responsible for maintenance of the hardware and data centers that run their cloud services, customers still need to improve their data protection and resiliency in the event that the provider suffers a large-scale outage such as an availability zone failure. With the growing threat of ransomware, cloud customers should also consider adding immutable storage to ensure that hackers or other security threats do not delete, corrupt or encrypt valuable production data residing in a cloud environment.

Restructuring cloud storage with data classification and promoting the Shared Responsibility Model will be key to effectively protect organizational data in the cloud and ensure data resiliency. While business continuity is about emergency preparedness, data resiliency is an ongoing, 24/7 activity. Data resilience is about ensuring that any data that is deemed critical is protected from operational deletes, ransomware, cyberattacks, and the like — all the time.