Creating a Data Loss Incident Plan
Questions and recommendations for businesses to consider while building a data loss incident plan.
When Google gets behind a technology, it's a safe bet that your staff members are going to be using it sometime soon, with or without your supervision or consent.
And so this week's formal announcement of Google Drive, the search giant's latest push into cloud services targeted directly at storage, has security officers and risk managers wondering how best to tackle the inevitability that users will soon be sending sensitive corporate information off to Google with little thought for compliance, leakage, uptime - all that fun stuff.
First off, let me say that cloud services in general fall into an overlap between the formal disciplines of security and risk management. Corporations essentially decide whether or not they want to allow users to employ services like Google Drive, and then set out to implement guidelines and preventative measures, as warranted. That's mostly security with a little governance thrown in for good measure.
You can view anything as a cost/benefit curve, of course, but risk managers tend to find the fact that data is being managed entirely outside the corporate umbrella a little frustrating, if not unnerving. This evergreen advice column at Risk Management Magazine lists the fact that not all data can be subject to consistent governance standards as a major risk with cloud storage. (It also frets about the possibility that your vendor may go out of business, which is probably not going to happen with Google).
With Google Drive, the most imminent risk is a consumer-grade solution being employed for storing and transmitting what might be pretty juicy info. This post from security vendor Sophos specifically addresses the issue of encryption and how clumsy, albeit possible, it can be with Dropbox, a leading cloud storage service that Google is targeting with Google Drive. The author concludes that a centralized solution for encryption key management and reporting (which Sophos happens to produce), used alongside bring-your-own-service (BYOS) cloud storage tools, is probably a better fit for businesses.
Regardless of the final solution IT decides on, risk managers at least need to be able to cite the issues associated with consumer or dedicated cloud services, including storage. (The InformationWeek piece we pointed to earlier in this post notes that Drive is really little more than an extension of Google Docs - in all cases, you are trusting your data to somebody else.)
Both this piece at SearchConsumerization.com and our own Paul Mah note that most cloud services rely on simple, static passwords for sign-on - well below even SMB networking best practices. Paul also smartly warns that having your data physically stored across the globe may open a weird matrix of legal regulations - no fun for your compliance office - and that cloud storage should be viewed as a single backup, from a disaster recovery perspective. Be sure to check out his post.