Everyone from my kids to my mother and business partners is embracing cloud computing. Small and medium businesses are going at it like gangbusters. Large companies are moving slowly, but just about everyone is looking to move some of their operations into the cloud.
My business runs almost exclusively in the cloud. It’s true that we have desktops, laptops, smart phones and tablets, but all our important information lives in the cloud. I use DropBox, DocuSign, Freshbooks, GMail, EverNote, Skype and a host of other services.
Before using any computing system, we have to decide what information is sensitive and what is not. And should we put those documents and pieces of information into a cloud-based service?
There seem to be 3 schools of thought when it comes to putting information into the cloud.
- All our information is sensitive, so we need to keep all of it on premise.
- Some of our information is sensitive, so I’ll only put unimportant and trivial information in the cloud.
- Let me determine what is sensitive information and then take appropriate measures to lock it down before putting it into the cloud.
The latter is clearly the most sensible, but also takes the most work. Putting information into the cloud is no different from putting it anywhere else. Some people and organizations view the cloud as some great amorphous blob that floats in the sky. The cloud is really just a new way of computing that brings tremendous flexibility and scalability to an organization. It consists of servers and hard drives and software and everything else we associate with our laptops, desktops and tablets. Securing information in the cloud is really no different from securing it anywhere else.
The best way to secure your sensitive information is by encrypting it. There are lots of software packages and encryption schemes out there, but at a minimum, make sure that you use something as strong as AES 256-bit. This is what the US government and many organizations use.
Your first step should be deciding what is sensitive information. If you maintain anything that contains employee, customer or patient PII (personally identifiable information), that’s sensitive and must be encrypted. Contracts, financial data, product designs and any information that affect your stock price is sensitive and business critical.
After that there is a lot of leeway. The confidential nature of some information is time sensitive, such as earnings reports or product design information. Everyone puts out press releases saying they will announce quarterly earnings or the next big product. Memos and spreadsheets fly around the organization and finance crunches the numbers prior to the big announcement. Once the CFO and CEO announce earnings, the information is public. So what about all those internal memos and spreadsheets?
If any of that information gets outside of the company prior to the announcement, it could have devastating effects. The company, its officers, board members, auditors and others could be brought up on charges of insider trading or violating other SEC and regulatory rules. So clearly there is time associated with the confidentiality of this information. If the information in the internal documents is all made public after the announcement, those documents are no longer sensitive.
Whether those documents live inside an internal email system, your on-premise SharePoint servers or a cloud-based service, you need to take the same care. If you have a document sitting in SharePoint that should not be seen by anyone outside finance, you better lock it down with a persistent security policy. When or if you move it to the cloud, the same security should apply. Cloud services are just the same as your local environment. The differences are that you let someone else manage things.
Deciding what is confidential and business critical requires more than just looking at the information once. You need to decide how long something remains confidential. PII is always confidential. Business contracts are confidential until both parties decide to disclose them. Price lists are confidential until the next one comes out. Product design information may be confidential or may not be, depending on how you do business. If you are writing open source software, that is most likely not confidential.
Deciding what is confidential, for how long and to whom, requires some thinking. Once defined you can decide how to lock it down and where to put it. Don’t assume your on-premise systems are safer than a cloud service or vice versa. Cloud providers are in the business of keeping their systems running and keeping your information secure. That’s all they do. If they don’t, they will go out of business quickly. Your IT department is charged with a lot of things and may not be expert at everything. Security may be good, but IT has a lot of other things to worry about.
Assess your information, decide what is sensitive and lock it down. With all the data breaches we hear about daily, this is more important than ever. Most of the compromised systems we hear about are on-premise. And the compromised cloud systems, like the recent Sony troubles, are because they didn’t even use the most basic of security measures.
Whether you put your information in the cloud or not, the same issues apply. Lock down you sensitive information. You’ll sleep better.