Fine-tuning Cloud routes to protect your data

This is the third article in a series of four, in which we will talk about sovereign Cloud, data classification and Cloud strategies.

Written by Iris Nicolaas & Larik-Jan Verschuren
Posted on
27
-
10
-
2023
2024

Data protection is of great importance. Currently, NIS2 (the Network and Information Security directive) is a hot topic and widely discussed in the media. A successor to the first NIS guideline has been drafted by the government, designed to raise the overall level of cybersecurity in the EU. When we put this in the context of Cloud routes, we see a new element determining the choice of a Cloud platform: regulation and legislation. But we also see a trade-off between classification and regulation. In this article, we explain this.


In last week's article, we saw that growing data volumes make it necessary to distinguish data by the value it has; this is what we call data classification. A number of classifications have been established:

1. Public data: general information that is publicly available to everyone and does not pose a security threat. This includes, for example, the data on an organisation's LinkedIn page, press releases and other generic information.

2. Internal data: data that is for internal use only. Although it does not contain confidential information, this data can be harmful if it gets into the wrong hands. Examples include internal e-mail exchanges or documents concerning projects.

3. Confidential data: this is data that contains highly sensitive, business-critical information. This could be customer information, contracts or employee information.

4. Secret data: highly confidential data that could even cause irreparable damage to a company if it gets into the wrong hands, such as business plans or information about an upcoming takeover.

From this classification, the desire arises to impose a certain level of protection, with the government also steering through regulation and legislation. NIS2 is a guideline and does not translate directly into requirements for the design of Cloud, but it does require measures to be taken that adequately protect data, and thus forces organisations to consider such measures.

One of the measures is the choice of the Cloud platform. Regulations and classifications give rise to requirements that determine the direction of solutions. Think, for instance, of data locality (where may the data be stored?) and of which certifications describe the right set of measures to provide sufficient protection for the specific data class.

An example is shown in the figure below:

In conclusion, we see an interaction between data classification and regulation on measures (either from the government or from a framework of standards/certification). This involves components such as data locality, compliance with legislation and data protection as well as confidentiality. By taking these components into account, a smart sovereign Cloud strategy is created, in which the requirements stemming from data classification match the Cloud platform. One such Cloud platform is the sovereign Cloud, such as the one Fundaments also offers. We will discuss all the components of this sovereign Cloud in our next blog, using the Sovereign Cloud Framework to explain this Cloud route in more detail.
