Three Things About Consumer Cloud Technology

Thursday, July 07, 2011

Brent Huston


We hear a lot of questions about how organizations should handle the increasing consumer use of IT services based on the cloud.

Services like Dropbox, Google Apps, GitHub and many others offer users unique and powerful tools that they have come to depend on in their personal lives, and thus some of those tools “leak” into their work lives as well.

Often this means that data that was once considered corporate in nature is increasingly in play in these largely consumer-focused services.

In fact, with Apple's iCloud integration into all iOS devices on the horizon, some organizations are in a downright panic about how to manage these new services in their user populations.

We want to offer up three suggestions for organizations facing these issues (most of us):

Accept that these changes are coming and that they are impactful

If your security focus is still on the “perimeter”, this should be the last of the warning bells. That ship is sinking and FAST.

Today, organizations need data-centric controls that allow for flexibility in data usage and protection. Users work from a rapidly changing set of locations and use data in very dynamic ways.

Your IT architectures and controls need to allow for those changes or face increasing levels of danger and obsolescence. You cannot stop consumer cloud services from leaking into your enterprise.

Accept it and figure out how to adapt or you will be left behind by competition and brain power.

Create a dialog between users and technology teams to discuss how consumer cloud services are being used today and how they could be leveraged tomorrow

The greater the dialog, the better the insight your team will have into exactly how data is REALLY flowing in and out of your enterprise and how users are getting their work done in the real world.

These discussions require trust and ongoing relationships, so begin to foster them in your organization.

Understand your threats and controls

In this new cloud-focused world, especially when consumer-grade tools are all the rage, organizations MUST begin to switch their thinking away from “do the minimum” attitudes and tunnel vision on compliance.

Instead, they must create effective security initiatives that focus on the specific data they must protect, the controls they have in place that they have to manage and monitor and the threats that data face when in play.

If they build proper security programs around these ideas, not only will their risk decrease, but their compliance needs will likely be met automatically as well.

At the very least, they will find that the resources needed to comply with regulation x or guideline y have been largely reduced to academic exercises, since they will have data properly mapped, segmented and controlled.

Cross-posted from State of Security
