As persistently as IT departments have talked about cloud security over the last few years, you’d think we would all have it down pat.
But so far, between shifts in the cybersecurity landscape and shifts in how employees work, new gaps in IT have emerged, making cloud security a source of complexity for businesses.
The challenges today seem to revolve around a few key questions:
As sensitive customer service data is moved to the cloud, how do you find a balance between meeting your workforce’s cloud needs and controlling risk?
Workers today rely on cloud-based software for virtually everything they used desktop software for 10 years ago – a major shift pointing to a larger workforce transformation centered around technology. Depending on the department, that may mean simply storing and sharing files, or it may mean performing accounting tasks, automating marketing campaigns, drafting quarterly earnings reports or even designing the products a company sells.
Notice a theme? Many of the tasks workers perform using cloud-based apps include sensitive customer or company data. Forbidding workers from using cloud services for sensitive tasks can severely hamper their daily productivity. Still, this is the approach many companies would take if not for the next key challenge.
How can you keep employees from implementing unauthorized cloud services on their own (creating shadow IT)?
We’ve transitioned from an era in which IT had to educate employees on “the cloud” to an era in which employees may know and use the latest apps well before IT becomes aware of them. So, when companies try to limit their employees’ use of cloud-based services, they often fail, simply because cloud services are so easy to sign up for.
Often, IT teams don’t even know which cloud apps are running on their network, leading to critical security concerns. Think about your digital marketing team alone. Marketing technology is a hot and growing industry with well over 5,000 vendors – many of them Software as a Service companies – vying for your marketing team’s business. When you consider how new some of these companies are (many less than three years old), it’s difficult to trust blindly that their security is up to par. How many third-party apps has the marketing department implemented without telling you? The same is likely true of other departments, making shadow IT a challenge that must be addressed.
How do you create a flow of information among employees and third-party vendors without taking on undue risk?
Last year, Dell’s End-User Security Survey found that 72 percent of employees are willing to share sensitive, confidential or regulated company information with other parties. This isn’t typically done out of malice or neglect – it’s simply a reality of today’s workplace that information must flow into and out of your organization.
So how do you enable your employees to collaborate with contractors and other vendors without risking data leakage or opening yourself up to cyber-attacks?
- Focus on the People
It’s common among organizations to find that the Chief Security Officer has a clear plan for cloud-based security that is being just as clearly bypassed by departments across the company. It’s important to make sure your plan is in alignment with the reality of your business’ capabilities.
Include representatives from across the organization in the planning process from the beginning. Ensure you understand the day-to-day responsibilities of each group and the tools they need to meet those responsibilities. Encourage those representatives to have their own breakout meetings with their employees to get a complete picture of which cloud services they use, so you can take that into account in your planning.
- Set Enabling, Rather than Restrictive, Policies
The second imperative is that you set policies that enable and encourage employees to pursue sanctioned routes to cloud services rather than going around you. Have a protocol in place for requesting access to new services and make it a priority to respond to requests in a timely manner. This may mean having standardized vendor threat assessments that individual departments can submit to third parties themselves to get the ball rolling.
Communicate frequently with departments and individual employees about the cloud services they use and those that they may want to use in the near future. The more supportive you can make these conversations, the more likely you are to avoid the growth of shadow IT. You can also remind employees of what’s at stake based on their decisions – a single employee’s actions can lead to expensive data breaches or even fines of up to 4 percent of company revenue if the company falls under the purview of the General Data Protection Regulation (GDPR).
- Gather the Right Tools
Finally, make sure you have the right cybersecurity tools. Too often, tools are the first part of the conversation when they should be the last. Your approach to tools should be to build safe bridges rather than to lock your data behind impenetrable walls.
There are a few ways to do this. First, protect the data itself with encryption that follows it wherever it travels or resides. Make sure access management is part of the solution so you can ensure authorized vendors have permission to work with certain information without putting all of your company data at risk.
Second, try to work with cloud vendors who take security seriously and who can either pass a basic vendor security assessment prior to working with you or publish thorough information on their security commitment. In the end, the onus is on you to keep your information secure, but knowing where it’s being stored and how it’s being treated is part of that equation.
Often data security conversations only focus on the company IT infrastructure. But data security is not about IT. It’s about the organization itself. Organizations live or die by enabling their data to flow reliably, quickly and securely. So rather than just thinking about how to protect data at rest, think about how to ensure your organization is prepared, productive and agile enough to take on new challenges in a secure and predictable way.
Brett Hansen is the Vice President of Client Software and General Manager of Data Security at Dell. In this role, he oversees the business and product management responsibility for software on Dell client systems including global monetization and end-user experience. In addition, Brett leads a virtual organization that encompasses all functions of the rapidly-growing data security business, including overseeing the product management and marketing teams for the commercial client security and management capabilities that differentiate Dell client devices as the “most secure and manageable” on the planet.