As you begin to move your company away from a physical infrastructure and into the cloud, it's important to make sure that proper security policies are in place. While you may have a general information security policy, don't think that absolves your organisation from the need for a specific cloud security policy. The dangers that come along with using cloud software or infrastructure are markedly different from the security concerns most organisations typically encounter.
1. The biggest risk for most cloud applications is a breach of the cloud provider's security. Your sensitive data could be leaked.
Take the recent Ashley Madison dating website hack: it is believed that 252,000 people in Sydney alone have had their private details leaked.
There is no real way to create a policy averting this risk, so the ideal solution is to look at things from the perspective of risk management. All cloud providers need to be evaluated for risk, based on their history, the architecture they use, the stated security measures they have in place, and the value or risk of the data being stored on that cloud platform. Do they encrypt their data? Do they offer two-factor authentication?
2. The second biggest risk for organisations is employee negligence and inappropriate cloud usage. Curbing this risk requires several steps. First is identifying a point person in your organisation, usually the IT manager, who will evaluate cloud services and approve or deny requests to use certain cloud providers. Next, employees need to be informed that they are not to use cloud services unless they have been vetted and approved by the point person. Third, employees need to be trained on how to identify security risks themselves. Finally, organisational data needs to be stratified by the level of security it requires, so that cloud services can be evaluated for certain levels of security. For example, while one service may be perfectly fine to temporarily store or transport low-security information, it might not be secure enough for high-security information. Employees must be made aware that using cloud services is a major risk, and is not to be done without authorisation.
All cloud policies should integrate a worst-case-scenario plan. This can include plenty of redundant backups in case the cloud service storing your data goes down. It should also include a communication plan to inform your clients and customers in the event of a security breach at your cloud service provider.
Cloud services can offer your business a lot of flexibility and significant savings, but unless they are approached in a methodical and cautious manner, they can result in significant risk. A good cloud service policy is the biggest step towards minimising this risk.
Contact your IT Manager to ensure they have implemented the right risk reduction techniques that put you back in control and let you implement and enforce the policies you want.