We are living in unprecedented times. And while many companies have been planning and executing their thoughtful journey to the cloud, many have had to change or accelerate those plans in response to the global pandemic. In a matter of weeks commerce across the globe ground to a slow crawl:
- Businesses went virtual or closed
- Individuals stayed home and purchased less
- Society moved at a glacial pace
CIOs, Chief Risk Managers, Chief Privacy Officers, and Chief Information Security Officers have found themselves dealing with unprecedented situations. We now have to simultaneously:
- Maintain business integrity by preventing security incidents arising from known and unknown vulnerabilities,
- Manage the new attack surfaces introduced when technical and physical security posture changes in response to planned and unplanned environmental change,
- Manage investment based on the correct risk profile,
- Future-proof and align business continuity and disaster recovery, keeping policies and procedures aligned with technology and security solutions, and
- Scale to enable IT efficiency programs and paradigms.
With the sudden shift for many organizations to an almost entirely remote workforce also came a rapid “ready or not” acceleration into the use of cloud technologies—like Microsoft Office 365—and a virtual explosion of data. However, whether data is generated by and within your organization or collected by your organization from a third party (customer, vendor, partner, or other), the only way you can effectively protect it is by understanding it.
Does it contain customer information, employee information, intellectual property, sensitive communications, personally identifiable information, health information, financial data, and so on? Specifically, what is the impact of this dramatic shift to the cloud in terms of corporate risk management?
So why would you put your data, systems, or even host your infrastructure on someone else’s computer? The immediate draw to cloud computing is clear: a reduced total cost of ownership and less hardware for IT administrators to maintain. Hosting your applications and storing your data in the cloud could reduce costs and improve global access to content.
Cloud computing offers many advantages to the IT teams of organizations large and small as well as technology providers and their customers, allowing companies to invest far less in infrastructure and resources that they must host, manage, administer, and maintain internally. This allows them to invest in the advanced applications they build on an externally hosted and fully redundant environment—and they can do this at a fraction of the cost.
At the same time, for organizations subject to regulatory requirements, the move to the cloud is not without risk. Five important variables to consider are:
1. Access and Control
Some enterprises have significant concerns about storing business data outside the walls of their enterprises due to non-employee IT administrators possessing a high level of access and control over information; available technology options to secure and manage user access and authentication; or even intentional or accidental actions of employees or contractors.
2. Sensitive Data
For companies that are considering whether or not to move to the cloud, it’s not a question of IF they are going to go to the cloud, but a question of WHAT they’re going to put in the cloud. With very few exceptions, most organizations will move some data to the cloud be it on purpose or not.
For some companies, individual employees are already putting data in their personal cloud stores like Dropbox or Yahoo. They do this most frequently for “ease of use and access.” IT administrators and Security Officers are constantly frustrated by this, but this often happens when companies make their own enterprise systems too difficult to use.
3. Service Provider Dependency
You must consider your level of trust in your proposed cloud provider. Your confidence in the cloud provider you select, and their transparency with regard to their security and data protection practices, must factor into your decisions. For example, what can they tell you about their backup and data recovery procedures?
4. Data Sovereignty
If your company is subject to data sovereignty requirements, you must not only ensure that data is kept “in country,” but also that backups for that data remain “in country” as well. The same reasoning applies to defensible data destruction and records management requirements. Make sure you know where all of the copies of your data reside. This is a challenge for most companies on their own systems. Be sure that you set these clear expectations with your cloud providers, too.
5. Control Over Functionality
Next, be sure that you have a clear understanding of how your cloud provider will roll out “new enhancements” to the service they are providing for you. One of the great advantages of the cloud is that service providers like Microsoft, Amazon, and others can continually innovate and update their offerings. While this is a great advantage from a technology perspective, it also may create privacy and data security implications.
In fact, it’s no surprise—data privacy and security are still top concerns when moving to the cloud! Privacy teams, security teams, or CISOs often turn off features in Office 365 like external sharing, OneDrive storage, or Yammer for fear they won’t be able to control the behavior of their users. However, know that this may be turned on by default!
One simple way to address this is to ensure that any updates provided to your environment will first be done in a “test” or non-production instance of your tenant, so that your security and data privacy teams can fully assess any risk before you introduce the new features to your production data and systems. At the very least, you should request a time period to review any new features with your privacy, security, and compliance teams before you move forward!
Data is everywhere; structured or unstructured, at rest or in motion, it flows through information gateways, web sites, and web applications, is shared through instant messaging and collaboration systems on-premises and in the cloud, and “sleeps” in data repositories, databases, and file shares.
As I have discussed in the past, data tagging and classification allows an organization to gain better insight into, and control over, the data that it holds and shares. Metatags allow organizations to optimize their e-discovery and record retention programs while protecting and controlling the flow of information.
Many organizations have Data Classification policies that are theoretical rather than operational. In other words, there is a corporate policy that is unenforced or left to the “business users”/“data owners” to implement. The challenge presented by a business-user-driven “trust” system is that it is difficult to predict whether data is being tagged appropriately and at the proper level. Are inappropriate discussions happening? Is sensitive or confidential information being shared? Are privacy and compliance policies being circumvented, either deliberately or inadvertently? Who do you trust—user or machine?
AvePoint Compliance Guardian provides an effective, automated, and operational risk management framework that will allow your organization to have policies and controls that reflect real life data protection and risk management within your organization. Compliance Guardian further supplements Office 365 with important features including:
- Classification policies that extend beyond Office 365 to on-premises File Shares or SharePoint.
- File Analysis reports to help customers get ready for migrations to the cloud before moving sensitive data.
- Enterprise Risk Reports that identify potential points of over-sharing or sensitive data across multiple systems.
- Action policies and incident workflows that help customers reduce risk in real time.
The cloud can make your life much simpler and help you manage your data and systems in a much safer and more extensible manner. Just be sure that from a data privacy and security perspective your feet are firmly planted on the ground as your applications move to the sky!
Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Ms. Simberkoff is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges, and market opportunities.
Ms. Simberkoff has led speaking sessions at data privacy and security events around the globe. She was featured in Forbes, writes a monthly column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”. She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP). Ms. Simberkoff holds a BA from Dartmouth College and a JD from Suffolk University Law School.
LinkedIn: www.linkedin.com/in/danalouisesimberkoff/en
Twitter: http://www.twitter.com/danalouise