Data Governance in the Cloud

Jonathan Leach, Principal, Cyber Risk Services, Coalfire

Data governance is something your organization has likely considered, planned, and put into action. The question is, to what degree is the data actually being governed, or not?

Storing data in the cloud is also something that your organization is likely already doing regardless of the degree to which the data is actually being appropriately governed.

Before diving deeper into cloud data governance, a quick review of data governance basics may prove helpful. At a high level, data governance is ensuring that an organization’s data is of high quality, readily available for use by authorized employees, consistent in both form and function, and most importantly, secure while in use, in transit, and at rest.

The level of an organization’s data governance proficiency, like many other aspects of data security and management, can be placed on an optimization or maturity spectrum. On the low end of the spectrum, data governance is informal, undocumented, or not at all considered. On the high end of the data governance maturity spectrum, organizations have established, well-defined data management and security models managed by specified users following published policies and procedures.

Organizations should ensure their ability to control, manage, and secure data on-premises before moving to cloud-based solutions. As the number of applicable regulatory frameworks grows, organizations must consider data governance not just for efficiency, optimization, and security, but, more importantly, for the potential legal, regulatory, and reputational effects should they lose, mishandle, or disclose any sensitive information in an unauthorized manner or to unauthorized parties. The potential legal ramifications, monetary fines, and damage to company reputation far outweigh the costs of operationalizing a documented, repeatable Data Governance Program.

Recommendations for establishing general data governance include:

  • Conducting a thorough asset inventory of hardware, software, and data
  • Establishing a data classification schema, supporting program, and tools
  • Including a role-based access control (RBAC) policy and associated RBAC matrix that defines which roles have access to specified assets based on data security level and job function requirements
  • Defining a top-down management structure to ensure ongoing reliability and accountability of those responsible for maintaining the various aspects of the Data Governance Program

The most important consideration when incorporating cloud-based solutions into a Data Governance Program is documenting all data flows: from on-premises devices to those hosted in the cloud, cloud-to-cloud, and from the cloud back to on-premises devices. Additional considerations include monitoring those data flows to ensure adherence to the program policies, and incorporating an ongoing Change Management Program so that every new cloud device and its data flows are accurately diagrammed and documented.

Data governance can seem like a daunting task, and incorporating cloud storage, hosting, and data transfers only complicates it further. To implement a successful Data Governance Program, data owners must ensure that proper buy-in, management support, and top-down leadership are all in place, and that all parties understand the need for and importance of supporting the Data Governance Program, as well as the liabilities they could face should the program not be followed.
