Bridging the cloud security gap
The sun rising tomorrow morning is almost as inevitable as the cloud's integration within every enterprise in 2012. Now that the “if” portion of the cloud question has been answered, the populace is now moving onto the next stage when discussing migrating to a cloud collaboration platform like Google Apps or Office 365: Is it secure?
The ensuing conversation is usually focused around the vulnerabilities and strengths of the infrastructure, whether or not the cloud application provider can see customer data and whether hackers can attain access to all of the information a cloud provider manages. Once those fears have been allayed, the cloud security conversation is over. The only problem is that these discussions overlook one critical fact: cloud security isn't really about the cloud. It's about people.
The complexities of the cloud bank
Think of the cloud as a bank. Banks have security guards, video cameras and high-tech intrusion prevention systems to keep your money safe. However, all of these systems won't be able to keep a penny in your account if you give your debit card number and PIN out to everyone. This illustrates the user's small, but essential, role in security.
The cloud operates in much the same way. Google, for example, has a stellar track record for protecting data stored in Google Apps. How many times have they lost customer data? Exactly zero. Information that has been lost within Google Apps is always due to a company or user's failure to comprehend the platform's collaboration intricacies. It's not about the security of the infrastructure, it's about how users share data both internally and externally. All the security certifications in the world are irrelevant if an employee shares the salary spreadsheet with everyone in the company or customer credit card info with anyone on the Internet.
Prior to the cloud, IT departments spent a huge amount of time, effort and money on controlling access to data on-premise for things like e-Discovery, governance, risk management and compliance (eGRC). IT staffs used a host of solutions like data leakage prevention, enterprise risk management or network access control to control how information flowed into and out of the corporate architecture. There was a defined border that could be guarded to prevent hackers and insider threats alike. But the public cloud doesn't come equipped with any such point that can be fortified which makes cloud data security an altogether different animal.
Cloud data security = secure collaboration
Collaboration is one of the cloud's primary benefits for enterprises. Unfortunately, it's also one of the major security vulnerabilities as access and usage rights permissions for files are largely left to the users. IT administrators who have long wielded the power in the data security equation now find themselves in a reactionary position. Like on-premise, fundamental cloud eGRC best practices start with understanding how information is flowing throughout the organization, both internally and externally.
Data security traditionally has been viewed as a Wild West movie: the “white hats” attempt to keep confidential information secure while “black hats” try to take it away by any cunning and nefarious means necessary. The cloud makes that viewpoint obsolete. Cloud platforms' high level of security allows enterprises to focus on the finer points of data security. In other words, organizations have to guard the money, not the bank itself. This is a much easier proposition as IT administrators can now focus on access and usage rights for specific documents rather than securing every endpoint and server.Focusing on implementing the same IT controls for data in Google Apps and Office 365 as the data that used to sit on on-premise file servers is the gateway to experiencing the cost savings and collaboration benefits of the cloud.The best part is that this strategy will equal the level of security of your on-premise infrastructure, if not surpass it.