Be careful with cloud-based file sharing
Cloud-based file sharing services are very
popular in the consumer space, which is fine, but if your employees decide to
bring these services into the workplace without your knowledge, “who knows what
you’ve done to your security environment?” cautions Bartoletti. That’s why you
need to establish controls that will limit the types of data that can be placed
on file sharing sites and prevent sensitive information from exiting the
company.
Sloan says that some file sharing services
are better than others when it comes to integration and control. One such
service features an enterprise version that can be integrated into “Active
Directory management for access” as well as SharePoint, he says. This not only
unlocks file sharing functionality in other applications, but also gives the
company much more control over the data that can be moved into the cloud or
downloaded from the cloud.
However, if you integrate a file sharing
service into your business and put the appropriate controls in place, you may
still encounter instances where those controls aren’t working and “you’re
finding that people are copying sensitive data up into the cloud instances.” If
this is the case, you may need to reevaluate those workloads and determine
whether or not they are a good fit for a cloud environment.
Know what data belongs & implement usage policies
Some data and applications are a perfect fit
for the cloud, while others simply don’t belong. For instance, Bartoletti says
that “systems of engagement,” such as Web presence systems that allow companies
to interact with customers, are great for the cloud because you can “launch
them quickly, you don’t have to buy a bunch of new infrastructure to build out
a new offering, and the kind of data you put on there generally isn’t that
sensitive.”
However, “systems of record,” like
transaction, accounting, and ERP systems, “are probably not the best first fit
for the cloud because they contain sensitive data,” says Bartoletti. Plus,
these solutions are often “high-performance database applications that require
a lot of processing power,” he says. Bartoletti admits that it may seem
attractive to move these to the cloud to save money on internal resources, but
that it’s “probably not worth the loss of control to put it up there, since
your business is really based on those systems being secure.”
Sensitive data and applications are always
in danger of being moved to the cloud simply because of human error or lack of
employee education. To help counteract this, Bartoletti recommends that
companies put cloud usage policies in place to limit access to certain types of
data as well as help you segment your workforce into much more manageable
groups.
“It makes sense to think about developing
cloud usage policies and doing it for different business groups,” says
Bartoletti. “This business group may have one set of policies and this other
business group might have another because they’re not customer-facing and they
don’t touch sensitive data. A great way to get control over cloud in the
organization is to start thinking about what your cloud usage policies should
be.”
Communicate with service providers & vendors
Speaking to your service provider about
identity and access management is crucial, but you also need to discuss SLAs
(service level agreements) as well as what you can expect from the cloud
provider in terms of security and transparency. “How much will the service
provider tell them about how things are run, what geography data will be kept
in, and what certifications the service provider has to date?” Bartoletti asks.
“Big service providers are always actively getting more and more certifications
so that they can handle more and more sensitive data, so you may want to talk
to them first to see what kinds of certifications they have in place.”
When it comes to SLAs, it’s common for
cloud providers to “do their best to give you a certain number of nines of
availability” (referring to the number of nines in an availability percentage),
but if for any reason they don’t hit the goal detailed in your SLA, you need to
know what the compensation will amount to, says Bartoletti. You will feel much
more in control of the cloud if you know where you stand with your service
provider. You need to know if they’ll give you your money back in the event
they don’t hit a certain availability figure or if they’ll “own the problem and
try to fix it,” says Bartoletti.
If you are working with a private cloud or
want to build one, then service providers won’t be involved, but vendors will
be. Private clouds can come with their own control and management issues, so
that’s why Bartoletti says that many “virtualization vendors offer suites of
management tools that can help you turn a set of virtual resources into a cloud
environment.” But they can also help you “manage things like security and
multi-tenancy.” You may want to invest in licensed or open source cloud tools
that not only let you build clouds on top of your existing virtualized
infrastructure, but also help you “isolate groups from one another and
automatically allocate resources as people request them,” says Bartoletti. It
all comes down to discussing available options with your vendor and finding the
solution that fits you best.