Worried About the Cloud? Always Plan Ahead

December 21, 2012 | By David
Object Storage
Contributed Article.  Author: Tim Sedlack, Senior Product Manager, Quest Software (now part of Dell)
CloudCow Contributed Article


I talk to IT departments around the world about compliance and auditing. These people range from members of large, global organizations to small one-man IT shops. What I can tell you seems to be a universal truth today: they are all worried about the cloud. They are worried about security and the cloud, they are worried about the seemingly unending ways corporate data can get to the cloud, and they are worried about engaging with auditors and having to prove control over resources that have ended up in the cloud, usually without their knowledge.

I can certainly understand the concern: it’s a big wide world and it seems like it’s all out of their control. Well, for the most part, it is.

I’ve written previously about people making use of the cloud without engaging IT (or, let’s be honest here, even thinking about IT). Stick this in Dropbox and share it out, upload that to SkyDrive to save some drive space, move this other thing to Google Docs for some quick cross-company collaboration… it’s an all too familiar story. What you don’t know is exactly what people are storing out there. Oh sure, people are storing pictures, songs, videos and documents of all sorts, but have any of those been put under the microscope to ensure you’re not storing data you cannot audit in a location that can’t be audited?

Most regulations are very specific about the type of data that needs to be protected. PCI-DSS, for instance, is very clear about credit card numbers and account names. And the US government healthcare regulation, HIPAA, is very specific about what you can do with all kinds of patient data. None of the regulations talk specifically about managing this data from a cloud perspective, but there’s a ton of advice out there. For example, Wired’s Andrew Hay wrote a great article about PCI-DSS and the cloud. I’m not going to reiterate what others may have already told you (and probably expressed much better than I can!).

What I will do is recommend a best practice. This practice shouldn’t take anything more than management approval and a brief communication with users. What is it? It’s a simple policy: declare what type of data CAN be stored in the cloud and educate your users. By making users aware of the need to keep confidential and protected data out of the cloud, you’ve placed the onus on the end user to make certain they understand which data should never have a chance of being exposed, whether through misuse or neglect. Once you’ve taken this step, you have something you can tell auditors should the situation ever arise where compliance data is discovered in the cloud.

Now, if it were to end there, it would be OK, but to ensure your users understand the type of data, you’ll need to explain to them, in simple terms, what data is forbidden from being stored in the cloud. An additional level of safety can be achieved when you describe example cloud services. Sure, Dropbox, SkyDrive and Google Docs are probably obvious to most users, but what about Microsoft’s Office 365 and even Salesforce.com? They are also repositories for information, and an auditor will raise an eyebrow if customer privacy information ends up somewhere that user access to the data isn’t restricted and/or audited.
Of course, the easiest course of action, simply not doing anything, is always an option, but ignoring the problem won’t make it go away and will more likely than not just add to the chaos! Until the cloud has options that allow you to fully track and audit users’ actions, and to put controls in place to manage the content from a regulatory compliance perspective, you can only train your users to act in your best interest. In this way, IT can be ahead of the curve not only with cloud security and auditing, but with internal policy as well, which ultimately will only make you look more proactive and responsible to the CIO and CISO.
