As security and risk professionals continue to find ways to wrap their arms around the problem of managing risk across both on-premises and cloud environments, data classification is gaining steam as a fundamental process. According to security and business process experts, data classification makes it easier to decide to evaluate the risk of specific cloud services based on the data to be processed, and also makes it easier to keep tabs on sensitive data throughout its life cycle -- no matter where it resides.

This is crucial because we'll see in 2013 a continuing evolution of the extended relationships between public and private clouds, says Toby Weir-Jones, head of portfolio marketing of BT Assure for BT Global Services.

"When the idea first emerged, the metaphor suggested a vast blue sky with a single cloud, distinct and separate," he says, "but, in fact, we're rapidly approaching an overcast condition where the clouds and their intersections are the dominant feature of our data ecosystems."

As a result, organizations have to redouble their efforts in the coming year to classify data and the risks to that data as it is processed both in and out of the cloud. They also must be involved in "planning for scenarios in which they cannot directly monitor or control their data once it's moved out of their own data centers," Weir-Jones says.

The obvious first benefit of a solid classification process to cloud risk management should be apparent during the first stage of cloud engagement: evaluation of services.

"People treat cloud technology like it's something completely foreign. Let's set the record straight: Evaluating the security of a cloud vendor doesn't require a specialist or a completely different set of tools," says Andrew Storms, director of security operations for nCircle. "The cloud should not be viewed as something alien, scary, or weird. As with any new technology, you should fall back on best practices and adhere closely to the basics of risk management to help you evaluate available vendors."

And part of those basics are the table stakes of asset management and data classification, which should be a prerequisite to assessing the risk of any infrastructure meant to process said information, says Andrew Wild, chief security officer at Qualys.

"Before considering the use of cloud services, organizations should have an asset management and information classification process in place," he says, explaining that it's just not possible to assess the risk of using a cloud service without understanding the importance, sensitivity, and value of the information that will be processed and stored through that service.

It isn't until the organization has clearer visibility into the value of the data through classification that it becomes useful to take a deep dive into information about the cloud provider's security controls.

"Organizations should determine if the controls are appropriate based upon the classification of the data, as well as the risks," he explains.

[Why do so many risk assessments go wrong? See The Trouble With Security Metrics.]

The ROI of data classification for managing cloud risks reaches beyond evaluation, though. Once the cloud service is woven into the enterprise fabric, well-classified data also helps "firm up" relationships between corporate customers and cloud vendors, Weir-Jones says.

"The point of tagging or classification is to try and improve your chances of both finding out about problems and being able to reconstruct what happened," he says. "Say you've got three broad categories, and you can define three use cases for how the classification models might be applied to each. If you can define all those, the benefit is if the data leaks, it will be easier to figure out who stole it and how they stole it, and hopefully contain it."

Not only that, but classification processes make things a lot easier in a complex cloud or hybrid environment when auditors come knocking.

"Anything that allows the auditor to get to the answer with higher confidence and less time is not only going to save you money in terms of audit cost, but it's going to improve the quality of the finding," Weir-Jones says.

He says that in the coming year he expects to see a renewed interest in digital rights and tracking systems to better measure risk exposure and implement enforceable data classification at the enterprise perimeter.

"Hooks into smart content-aware proxies will expand, as well, in order to centralize the compliance efforts, rather than relying on individual users to do the right thing," he predicts.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.