As I discussed last time, one of the most important aspects of cloud is the leverage cloud resources give to business units to collect and process information on a scale previously unavailable to them. One of the biggest drawbacks follows directly: the creation of data and information silos. A corollary to the Balkanization of the data is inconsistency in data management and security that can seriously compromise compliance and good stewardship of confidential or sensitive data.
IT needs to provide expert guidance to the lines of business, especially on the subject of securing data. While IT staff (in most companies) are well aware that, for example, employee Social Security numbers are not to be put anywhere where they will be visible to the broader Internet, it is unlikely that everyone in all the lines of business has that same understanding. And it is downright probable that most staff in the company will not understand that unsecured storage of that same data, even if it is not by default generally visible to the world, is still a violation of company policy and (possibly) of the law.
IT is not in a position to roll back the tide. Instead, IT leaders need to take a multipronged approach to the problem so that they can actually lead. First and foremost, IT needs to be working with line-of-business leadership to position itself as the “guide by your side” for adopting cloud services responsibly, the folks who can help get the business doing business at cloud speeds without sacrificing necessary security. If you can steer folks away from vendors whose data handling or infrastructure does not meet your company standards, you can save everyone a lot of time up front.
Second, IT needs to continually spread and refresh data management and data security mindsets, through training and outreach directly to end users. Many IT security folks we interview say user education and security awareness is still the most successful security “technology” they deploy. One great way to minimize the leakage of protected data from a cloud environment is to minimize the amount of protected data going into it in the first place.
Third, IT needs to be actively seeking and deploying the security technologies that will give the organization the security it needs. This may be an encrypting proxy to make sure confidential data is encrypted as it heads out to cloud systems, or a set of configuration standards for cloud-hosted virtual machines, including encrypted storage and access to a robust key management system. Included in the mix should be some tools for monitoring the flow of information among cloud systems.
Bottom line, thanks to penalties, lawsuits, notification costs, and bad publicity, mishandling enterprise data in the cloud can create an existential threat to the organization. IT is the only group well positioned to mitigate that threat through leadership, education, provision of tools, and monitoring. In doing so, IT can help restore itself to leadership in the organization’s use of the cloud.