As organizations look to leverage their data to the fullest
extent, they must develop comprehensive security
policies, with data gravity considerations in mind.
Data security was a straightforward process back when
organizations stored all their data in on-premises IT envi-
ronments. Organizations used the “lobster” security model
– building hard-shelled exteriors to fend off threats at the
perimeter — but they had fewer internal protections for the
soft, delicious data inside.
In a cloud-oriented world, data protection is much more
complicated. Companies are using the cloud for a growing
list of benefits beyond scalable compute/storage capabili-
ties, while still managing resources in on-premises IT envi-
ronments. In a cloud or hybrid environment, the focus
should be on protecting the workloads themselves, not just
the perimeter. Perimeters are more variable in the cloud. So,
lobster models do not work in these scenarios. To protect
data in today’s hybrid IT world, organizations need to take a
closer look at how workloads behave, and adjust their over-
all data protection approach.
One way to better understand the changing nature of data
protection is to see it in terms of data gravity. While data is
stored in a digital format, it behaves like a physical mass –
pulling in other resources throughout the IT stack. Simply
put, the bigger the mass of data, the more it attracts appli-
cations and services to work with that data. In the cloud,
data forms complicated relationships with associated apps
and services. Organizations need to map these relation-
ships, rethink their security strategies and leverage new
tools to manage the increasingly complex data protection
process.
Let us assume your company, in order to compete more
effectively, is looking to leverage public cloud to accelerate
time-to-value for your customers and optimize IT costs. As
you evaluate which applications should migrate to the
cloud, you will need to think through how data gravity and
data protection needs affect your strategic goals.
To create a data protection plan that meets hybrid IT
demands, organizations need to consider a number of fac-
tors around how data is organized, consumed and classi-
fied. They have to classify their data according to a number
of parameters, including business needs, regulatory and
specific data residency requirements. Each of these factors
has a certain weight associated with it. They need to ana-
lyze how their data is grouped, and understand which
groupings of data exert which kinds of gravitational forces.
Doing so will help organizations develop more effective
workload and data protections as they consider where their
data may relocate.
Data Classification
If your organization has not done so yet, the first step on
the data protection journey is to take inventory of your data
and classify it according to various measures. Risk is an
essential place to start. Rank your data from lowest to high-
est risk, starting with public access content (such as a pub-
lic-facing website), moving up through internal business
communications, to ultra-secret data (such as trade secrets
and regulated content like PII and HIPAA data). Then deter-
mine which data groupings relate to other residency or reg-
ulatory requirements. (This is always worth reconfirming.)
Finally, map out what your business needs are for the data
in terms of types and frequency of access by which users in
the organization. This mapping is essential to align how
each type of data should be treated and protected. Simply
SPRING 2019 | THE DOPPLER | 71