Gap Analysis

Once the data flow is mapped a clear picture emerges of all the critical assets that need protecting, Motiwala said. A gap analysis is then conducted taking into account the company policies and requirements, he said. An organization's requirements can be a variety of security controls from single-sign on, federation, and data loss prevention to encryption, tokenization, and SaaS identity and activity monitoring, Motiwala said. This stage begins by looking at the company's existing policy and driving changes to the policy based on the requirements they have identified. Existing policies typically try to retrofit policies that addressed on-premises technology, so the challenge is to help the organization think through the analysis from a cloud perspective, Motiwala said.