Business leaders are adopting cloud software at an extraordinary pace. Enterprise applications, file storage, email, and line-of-business applications are all moving out of corporate data centers as business managers take an active role in driving application selection, and often an inadvertent role in shaping information security policy.
This is happening at a time when corporate data is under continuous and increasingly sophisticated assault from both organized syndicates and cyber vandals. The confluence of these two forces must drive a thoughtful approach to information security in the cloud. Continued adoption of the cloud is a reality, so as leaders we need a fresh perspective on how to engage vendors and our employees to minimize the threat to the critical asset that is our corporate data. This topic can't be exhaustively covered in a short discussion, but we hope to start the conversation today and provide a deeper dive into each topic in the coming weeks. Here are the 5 keys around which we organize our approach:
1. What is your associated risk with moving business applications and data to the cloud?
Every organization is unique, and the first step to making good cloud choices is to evaluate the specific risk to the organization. It begins with managing internal data and cloud migrations and extends to securing information in diffuse, cross-organization applications and services. Organizations need to consider the risks and develop a strategy for moving applications to the cloud. The following risk categories need to be considered when assessing the cloud: financial, vendor, regulatory and compliance, data, operational, and technology.
2. How committed is the cloud vendor to information security?
It's common to hear from vendors that security is a top priority, but it's critical for vendors to back this up on multiple dimensions. A quick checklist can include:
- Is there an executive level position accountable for the security of the product and privacy of the data?
- Does the organization adhere to industry standards for privacy and security?
- Is there a clear and specific approach for communicating security issues to customers? Specifically, how has the vendor responded to recent security threats?
3. How strong is the ecosystem of developers around the vendor?
Even a vendor delivering on the above key elements will often need to be surrounded by software partners who can layer deep, industry-specific best practices and tools on top of the vendor's baseline security implementation. Our experience is that the best vendors have a vibrant ecosystem of apps that can provide finer-grained user management, permissions, encryption, and industry-specific support for regulatory requirements. This should be a key consideration in any vendor selection.
4. How clearly are my organization’s standards and requirements defined so that I can effectively evaluate the risk of any given vendor against my needs?
Just as with traditional software selection, it is extremely important to have clarity from the outset on your organization's true needs with respect to information security. This includes not only the vendor's architecture but also your permissioning requirements, encryption needs, access limitations, and monitoring requirements. At this level it's important to go beyond industry certifications and dive into the specific business risks and policy needs.
5. How effectively trained are the end users with regard to organizational policies and good information security habits?
The nature of security breaches is such that the point of entry will often be through end users. With that in mind, training and good habits are a critical defense mechanism in maintaining the safety of corporate data. With cloud vendors this can be even more critical: users must be trained on the expected behaviors when accessing data in the cloud, because cloud services often feel more like personal services than like data stored on the corporate network.
We'll dive into each topic in upcoming posts, but please do send us your comments or feedback, as we hope to have an active discussion around this important topic.