The jury is no longer out about the cloud. What was once regarded as a misunderstood buzzword about our increased reliance on the Internet is now a critical puzzle piece for any successful and innovative 2015 enterprise business strategy. According to a recent survey, software-as-a-service adoption in organizations has more than quintupled, moving from just 13 percent to an astounding 72 percent in 2014 alone. While adoption and implementation are rapidly increasing, there are important practices and truths every organization should keep in mind in order to make the most of its cloud strategy and, most importantly, keep its cloud technologies secure.
Before we begin, it’s essential to remember a core governing principle: despite what many may believe, your data always remains your data. Sure, another organization may be tapped to host your data, but regulatory guidance regarding data ownership and protection is increasingly clear across the board: the roles and responsibilities for protecting and managing your data remain with the originating enterprise, regardless of any other entities that may be contracted into a business partnership. Therefore, it’s important to assess the risks to your data, including the probability of a breach and the impact of a loss. Just because a loss event hasn’t happened yet doesn’t mean you have immunity; no organization does.
Based on his experience and conversations with industry peers and experts, MetricStream’s David Williamson has identified five tips that can help you keep your organization’s cloud technologies secure.
Cloud Security: Clarify, Clarify, Clarify
Prioritize Your Data
Prioritize the value of your data, whether private or public.
You’ll find many different “important first steps” depending on where you look, but almost all experts would agree that a critical step, early in the process of building your cloud strategy, is to assess the actual value of your data. That’s because not all of your data has the same value, and therefore it should not be treated the same way across the board. Ask yourself what data matters most to the organization. Ask what kind of loss event would damage your business in financially or reputationally devastating ways. Ask what kind of data is most valuable – the data whose loss keeps you up at night.
Take a look at your assets, and be prepared to defend them in proportion to the value that they carry. You can’t defend all of your assets with the same level of security measures – this is unrealistic given team resources, limited budgets, and operational limits. Instead, prioritize your efforts based on what you believe to be the most valuable and essential data. For example, trade secrets, litigation information, confidential user information, or the secret ingredient to your market-leading product – every organization will focus its resources in certain areas.
Consider the Consequences
Consider the different ways a loss event would impact your organization.
It’s not uncommon to see headlines of a successful hack or data breach in today’s world. In fact, between hacktivism, the rapid adoption of cloud systems by the enterprise, and the use of increasingly complex systems and expansive supplier ecosystems, data breaches are more likely than ever before. Therefore, it’s invaluable to take the time to deliberately plot the different ways a data loss event would impact your company, customers, service offering, stockholders, or business partners, and then prepare for those events.
The exposure of data can do everything from simply creating embarrassment for your company to inciting a damaging loss of public confidence in your enterprise. A loss might put your organization under the scrutiny of legislative or regulatory entities. You’ll want to know what specific scenarios may affect you and how, and the various legal or regulatory consequences. Identifying and managing all of this as you go is not a strategy. Plan for a loss before it occurs – plan ahead now.
Set Loss Prevention Protocols
Monitor and manage third-party relationships with specific loss prevention protocols.
Like most organizations, you are probably reliant on third-party vendors and business partners, who help to supply a service or product offering, or simply take on a process that your organization benefits from outsourcing. Since the core principle is that the originating organization is responsible for all data collected, you must follow specific safety protocols when working with other partners. It’s vital that your business partners understand your expectations with regard to data protection, security operations, and protocols.
Begin by vetting and selecting your partners and vendors carefully – it’s tempting to partner with the vendor who comes in at the lowest bid, but you’ll want to consider track records and expertise just as much as cost. Take additional steps to manage the risk that naturally arises as you expand your circle of operations – and CIOs, take note! Two-thirds of information loss occurs through third-party channels, so limit access to your network to only those entities who require it, and don’t stop there. Identify and put parameters in place to safeguard your network and assets.
Test Your Network
Test your network for weaknesses – and address them swiftly.
The concept of ‘white hat’ testing is one that not all enterprises are immediately comfortable with, but it’s important to try and negotiate white hat testing with your cloud service providers. Test, test and test – when you think you’ve tested enough, keep testing. Faith is not a reliable concept in the server room, and it’s better to have those seeking vulnerabilities in your network working for you than against you. Some public and consumer facing companies have even “gamified” this process, offering bounties for customers or enthusiasts to successfully identify security vulnerabilities in their product or service. No matter the method, a white hat attack and defense mechanism is a good strategy to consider – and your organization should consider security team recommendations to execute this.
Dedicate Resources to Information Stewardship
We’ve touched on data management and ownership, and it’s a topic worth diving further into. Within your own organization, understand who manages your data, whatever data that may be. For example, data managers or “stewards” could be IT, the legal department, the finance team, or the Board of Directors. You should have a clear definition of this, and if you do not, take the necessary steps now to identify clear owners to manage those assets. Determining information stewards is beneficial to your daily operations and critical during a loss event.
However, keep in mind that the various managers need to work in tandem with one another. Why? Imagine several “owners” of a service delivery model. It’s not uncommon for different departments or people to have varying priorities or business objectives. This introduces an unnecessary risk where you’ll struggle through a misalignment of priorities and, consequently, of the ways data is operated on or safeguarded. Some best practices around stewardship are to ensure that everyone in the service delivery chain is compensated for success and penalized for failures, and to document clear roles and responsibilities. Simple measures like these can contribute to establishing clear operational and safety protocols.
You may have noted that an important and recurring ingredient for success when it comes to cloud technology is clarity. Establishing clarity regarding your goals helps you to implement the best cloud model for your organizational needs. Establishing clarity regarding the expectations of your business partners helps mitigate risk, and so on and so forth. What may instinctively seem like unnecessary or cumbersome steps are anything but; documenting “the obvious” pays off in spades when it comes to the cloud and securing your data.
It’s interesting to note the rapid growth and innovation in cloud computing – oh how far we have come! It is hard to even imagine the future landscape just one year from now. We’ve seen tremendous innovation in e-commerce and mobile payments – transactions no longer rely on the credit card numbers themselves, but rather on a unique text string, protecting sensitive user data and bypassing the need to collect it. As technologies like these continue to evolve, we need to ensure an even higher degree of focus on data stewardship and protection. We all share an important objective here: to make sure that we are protecting our customers, our employees, and our organizations at large. This requires that we act responsibly, identify valuable data, plan for loss events, monitor our business partners, test our network, and identify owners. Our collective efforts will pay off in terms of helping define the future of a safer, risk-aware, and better governed cloud and digital environment.