Let’s give the “I” in IT the attention it deserves. Traditionally, IT professionals have devoted their focus to the “T” - technology - paying attention to endpoints, patching, anti-malware, perimeter tech and the like in an effort to create an impenetrable firewall.
And while we can’t ignore security policies and tools to prevent data loss, we need to go beyond prevention.
Today’s environment requires us to build on these prevention activities and add rapid detection to the mix, which requires IT to pay closer attention to the “I” - information (aka data). As we put more and more data in the cloud, it will interact with other data, and we need to find ways to constantly monitor, interact with, control and manage that data.
We have to ask: If this data falls into the wrong hands, do we have the appropriate measures (key logging, audit journals, etc.) to see who accessed it and when?
We need to “parent” our data
The shift that IT professionals need to make to focus on data should establish a relationship not unlike that of a parent and a child.
As parents, we buy the best car seats, find the top schools and serve the healthiest food to our children. These activities are similar to traditional IT firewall activities - they aim to create a bubble of safety around the child (or data). And that brings us to the heart of the matter, as it’s really the well-being of the child/data that drives these efforts.
In the parenting scenario, we do more than create a protective bubble; we teach our children what to do when problems arise and hope to establish an open line of communication so that they come to us for help when they get in trouble. And we do this because we recognise that we can’t protect our children from everything life will throw at them.
The same should go for data. Particularly as shadow IT inevitably grows, we won’t always be able to create that protective bubble around our data. In those cases, we need to have good measures in place to detect and react to any issues that arise. We need to make sure we govern our data in a way that keeps it safe regardless of where it lives.
4 steps to create a cloud-era security policy
To make this a reality, follow these four steps as you develop your cloud security policy and consider adding new products and vendors to your application stacks.
1) Understand Your Data
If you don’t understand the different dimensions or kinds of data you’re hosting, you’ll never be able to develop a comprehensive plan to protect it. Start by reviewing the scope of your data, including the sensitivity, commercial value and confidentiality requirements as well as who might want this data and how valuable it would be to them.
Understanding these dimensions should help frame your thinking about how to protect your data, detect issues and outline a response plan should a breach occur.
2) Analyse Your Risk
The best place to start in analysing your risk is to understand what has occurred previously, as the past will be the best predictor of the future. With this in mind, I recommend paying close attention to internal risks (especially networks) and social engineering, both of which have been behind many recent attacks. In general, you should identify areas of exposure and pay attention to third parties and individuals who have access to your networks.
Additionally, you should classify your data at a high level. For example, you might classify data as public information (e.g. marketing campaigns), internal but not secret information (e.g. organisational charts), sensitive internal information (e.g. items subject to nondisclosure agreements), compartmentalised internal information (e.g. compensation details) and regulated information (e.g. PII).
3) Develop Your Ideal Information Architecture
Once you understand your data and how it could potentially be compromised, you can develop your ideal information architecture. This step is where product and vendor analysis comes into play. You should consider SLAs and the history of performance/outages, with an emphasis on the latter (again, history is the best predictor of the future), as well as compliance and statutory requirements.
Other key considerations include admin and governance capabilities (will you have the necessary level of granularity?), integrations with existing systems (including how you will manage that access) and vendor culture (does the vendor publicise breaches or keep them secret, and which approach do you prefer?).
Equally as important is your exit plan. Should something go wrong, how will you recover and protect your business? What will it take to get everything back up and running? And will you be able to get your data out in a format that is still meaningful?
4) Consider the Ecosystem
Last but not least, you need to consider the ecosystem of any products/vendors you’re evaluating. You don’t want to put yourself in a land-locked silo. Rather, you want an ecosystem of partners and solutions so that if your needs change down the road or you need something more sophisticated, you have access to a robust community of options.
Additionally, you should consider your ability to control how your users can interact with that ecosystem and how those third-party products can interact with your data.
Although these four steps are just the beginning, they’re a great place to start to protect your data as it “grows up” and spreads its wings beyond your firewall.
Matt Johnson is vice president of advisory services at Cloud Sherpas.