Should you be so worried about cloud security?

A couple of conversations this week have reminded me why questions I get asked about security are often simply the wrong ones!

Here are a few of the common questions:

How do I know that my files are safe on the cloud?

A better question is “How do I know my files are safe?”

You may know the expression “There are two types of companies: those that have been hacked, and those who don’t know they have been hacked”, attributed to John Chambers, CEO of Cisco.

Your IT team may be hugely knowledgeable, hugely professional, incredibly well trained.

They may live and breathe security.

They may have bought the best firewalls and virus protection.

They may have fantastic monitoring systems in place. (Getting nervous?)

But can they compare with the resources that Microsoft has at its disposal? Can your servers be accessed only through multiple layers of authentication, including badges, smart cards, biometric scanners, and two-factor authentication?

Does your incident management process conform to the National Institute of Standards and Technology (NIST) guidance in NIST SP 800-61?

Can you compete with their multiple teams of security experts, who switch between ‘defence’ and ‘attack’ modes to identify and fix vulnerabilities?

Are you audited to ISO/IEC 27001, ISO/IEC 27018, SOC 1 Type 2?

Can’t the UK/US government get access to my files if they are on the cloud?

Maybe, maybe not.

Why would the UK/US government want to get access to your files?

What would they do with them, especially as they wouldn’t be able to admit hacking into your systems?

And why do you think they can’t get access to your files now if they really wanted to?

Microsoft undertakes to refer any agency that asks for access to your files straight to you, where it is legally able to do so.

If I let people share files, won’t there be files shared everywhere and I’ll have no control over my security?

But you allow people to email files as attachments….

Once a client of yours has a file as an attachment, they can print it, forward it, put it on Facebook.

You have no way of auditing this, or of realistically finding out who is emailing what (without some very expensive monitoring software).

With sharing, you can control which libraries can be shared, report on what is shared, and revoke shares that you are not happy with. You can share a document as read-only, prevent the download or printing of the file, and set an automatic time-out of the link.

This is far more managed than using email.

If I give people access to files at home or on their mobiles, won’t they be able to download them and send them to whoever they want?

You think they can’t at the moment?

I’ve been in very few companies that restrict the use of USB drives, Google Drive, Dropbox, Hotmail. And if they are restricted, do you monitor what people are zipping up and sending to their personal email accounts?

The reality is that if your staff want to purloin some documents, they probably will.

If the documents live on the cloud, you have easy access to reports to see who has downloaded what – all you now have to do is monitor these reports, or check them for evidence once a breach has occurred.

What if staff lose a mobile device with company documents on it?

Microsoft has fantastic tools that you can use to manage your files on mobile devices.

Even if the devices are owned by your staff, you can protect the apps that they use to access files, and wipe these if they leave the company or lose their device.

Security is a business problem, not an IT problem

These questions are all ‘technology first’ questions – they worry about what can physically go wrong, rather than the business implications.

Security should be a business-led discussion.

What is it about a certain set of documents that means they must be tightly controlled? How should this control work, and how vital is it? What is the impact of documents getting into the wrong hands?

Based on the answers to these questions, a cloud security plan can be drawn up that will enable your staff to work in new, flexible and progressive ways that will be of huge benefit to your business, and at the same time help make your business safe and secure.
