We hear a lot of questions about how organizations should handle the increasing consumer use of IT services based on the cloud. Services like Dropbox, Google Apps, Github and many others offer unique and powerful tools for users that they have come to depend on in their personal lives, and thus, some of those tools “leak” into their work lives as well. Often this means that data that was once considered corporate in nature is increasingly in play in these largely consumer-focused services. In fact, with the coming iCloud integration from Apple on the horizon into all iOS devices, some organizations are in a down right panic about how to manage these new services in their user populations.
We want to offer up three suggestions for organizations facing these issues (most of us):
- Accept that these changes are coming and that they are impactful. If your security focus is still on the “perimeter”, this should be the last of the warning bells. That ship is sinking and FAST. Today, organizations need data-centric controls that allow for flexibility in data usage and protection. Users are in a rapidly dynamic set of locations and using data in a very dynamic set of ways. Your IT architectures and controls need to allow for those changes or face increasing levels of danger and obsolesce. You can not stop consumer cloud services from leaking into your enterprise. Accept it and figure out how to adapt or you will be left behind by competition and brain power.
- Create a dialog between users and technology teams to discuss how consumer cloud services are being used today and how they could be leveraged tomorrow. The greater the dialog, the better the insight your team will have into exactly how data is REALLY flowing in and out of your enterprise and how users are getting their work done in the real world. These discussions require trust and ongoing relationships, so begin to foster them in your organization.
- Understand your threats and controls. In this new cloud-focused world, especially when consumer-grade tools are all the rage, organizations MUST begin to switch their thinking away from “do the minimum” attitudes and tunnel vision on compliance. Instead, they must create effective security initiatives that focus on the specific data they must protect, the controls they have in place that they have to manage and monitor and the threats that data face when in play. If they build proper security programs around these ideas, not only will their risk decrease, but their compliance problems will likely be automatically ensured as well. At the very least, they will find that the resources needed to comply with regulation x or guideline y has been largely reduced to academic exercises, since they will have data properly mapped, segmented and controlled.
We know these three suggestions have a “soft skills” feel. Maybe you expected a suggestion for more firewalls, detection tools or crypto? But, the real story here is, we need not only better tactical approaches and toolkits to solve the coming security issues we face, but we need a holistic strategy to do it effectively as well. That said, before you invest in another round of cloud-based detection thingees or a new quantum cryptography system with geo-spacial locations for keys, how about we all take a moment, sit down, discuss how users are really working now and what they want for the future? Maybe if we think this next huge step forward through a bit more and take a more strategic approach, we can figure out how to make users happy AND secure their data. Hey, I can dream, can’t I? 🙂
