With 80% of businesses already deploying or embracing cloud solutions, two-thirds of CIOs will have placed ‘Digital Transformation’ at the heart of corporate strategy by 2017. If that’s the reality, and given concerns about cloud security and identity access, how can you work to ensure what you’re doing is safe and secure? With the threat landscape constantly evolving and stricter data protection regulations on the way, what are some basic questions that CEOs, CIOs and data protection officers need to ask?
How can you be cloud confident?
Our approach, at the beginning, is to “keep it simple” in a complex world. Otherwise, the scale of the challenge might seem a little overwhelming. A good way to start is focusing first on what’s really important to you: dealing with the top priorities first as you start the journey towards complete cloud confidence. (We define cloud confident as “Being able to take advantage of all cloud applications in the safest possible ways: to increase your productivity and performance whilst ensuring control of your data, security and regulatory compliance.”) Today’s challenge is to make sure your business and employees are using cloud services – whatever services you want – in the safest and smartest ways, avoiding any data leakage and accessing all the benefits of cloud without the risks. The costs of failing to secure your cloud can be significant and long-lasting, from data breaches, loss of intellectual property assets and business disruption to reputational damage, regulatory fines and lost profits. The cloud really should be an enabler for your business; you want to be able to embrace it fully, and not be fearful of what else it could bring.
We’ve broken down “cloud confidence” into four key elements, aligned with but extending the Gartner, Inc. four pillars of cloud access security: Visibility, Compliance, Data Security and Threat Protection. And with more than 100,000 apps already discovered and the number rising steeply, it starts with understanding how your app infrastructure holds together and where the vulnerabilities may be hiding.
- Discover – reveal the true costs and risks you face, identifying unsanctioned and shadow IT
- Aware – create appropriate access, usage and security policies, and educate your people on the threats
- Comply – police and enforce your policies: monitor, manage and alert
- Certify – ongoing scrutiny and regular refresh of your access, security and data protection policies
Six questions you should ask
In a blog post a few weeks ago, I wrote about the European Union’s new GDPR (General Data Protection Regulation) framework, and mentioned a few questions organisations really need to start asking about their security and access regime. Such questions may not have easy answers, but that’s the point. The first stage on the road to cloud confidence is asking questions and building understanding, so you can plan the next steps with confidence. So here are six simple questions to ask about your business; you may be surprised by the answers you get.
- Where do our cloud apps process and store data?
- Do our apps adequately protect data from loss, alteration and unauthorised processing?
- Have we executed a data processing agreement with the cloud apps that we use?
- Do our apps collect only “necessary” data – and limit processing of “special” data?
- Do our cloud vendors forbid use of personal data for other purposes, such as third party sharing?
- Can we erase the data when we stop using an app?