How to establish trust in the cloud
Business is increasingly taking place outside the corporate firewall. Employees are using their own devices and turning to consumer-grade cloud file sharing services to allow for access across multiple devices and to collaborate with each other or with outside partners, consultants, prospects, and clients.
Even when the use of services such as Box, Dropbox, SkyDrive, and other similar services is sanctioned by the IT department, businesses have nearly zero assurance of confidentiality when their employees store documents in the cloud. Not only are there few publicly documented vendor controls, but there is also no way for a business to continuously audit the cloud vendor’s entire infrastructure and administrative procedures to ensure that documents remain private.
A troubling example was recently brought to light by WNC Infosec (Western North Carolina InfoSec Community), which found that the Dropbox file sharing service opens certain files after they are uploaded.
While it may be fine for individuals to trust cloud vendors with their everyday material, businesses must adhere to a higher security standard if they are to retain control over sensitive data and meet regulatory compliance requirements. What can be done?
Cloud security requirements
In order to enforce corporate security policies in the cloud, IT needs to know (1) who is accessing and sharing (2) what documents (3) in which cloud storage service, and (4) that the cloud provider cannot override policies established by the business or access the data itself.
Here are four steps for implementing a cloud security strategy:
a) Take a risk-based approach: It is not realistic to “secure everything”. Look at business processes and quantify the risk associated with each one, then match them up with an appropriate level of security and controls.
b) Clearly document the policy and communicate it to employees.
c) Make the security solution easy to use, so that employees will not try to circumvent it in order to get their jobs done. The days of forcing staff to accept whatever IT deems acceptable are long gone!
d) Implement content-based security to eliminate the risk of the cloud provider failing to implement proper security protocols and controls.