Much has been written about how to secure data that's hosted in the cloud, and there's no question that company information residing there raises poses profound data security risks.
But an issue that has received far less discussion is the need to apply the same scrutiny to data held by organizations that are closer to the ground, so to speak. Consider your company's business partners, for example: You may share sensitive information with partners, even though they are not cloud service providers.
Sending this data outside your company's four walls presents security challenges as well, and companies need to apply the same level of rigor and skepticism to third parties that they do to cloud-based services.
This lesson is extrapolated from the recent security breaches at Target, Michael's, Neiman Marcus and Bank of America, among others, during which the sensitive information of more than 70 million people ended up in the wrong hands. In these instances, the afflicted were consumers like you and me, and the unfortunate truth is that the outcome was the same for folks who write their PINs and passwords on the back of their credit cards as for those who lock their information down tight.
For more on information governance
Data security in the cloud is about sharing responsibility
Three ways to ensure that corporate content is secure
The implications of these security breaches is that it didn't matter whether the affected folks tightly controlled access to their important data: Once they turned information over to a retailer -- or "business partner" -- there was nothing more they could do to prevent the breach from occurring or to limit the scope of the damage.
This is how it is in the business world as well. As hard as we try hard to promulgate policies of protection, our efforts are necessarily limited to the confines of our own organizations. The fact is, once we relinquish direct control over our information by passing it to, say, a vendor from which we electronically order and pay, all we can do is hope the right things happen next.
It's not the cloud; it's governance
As noted, many virtual and print pages have been devoted to describing the kinds of nightmares that can develop when your cloud-based data is hacked. But as the situations at Target et al. indicate, the issue isn't limited to the cloud, and it isn't a function of where the data is hosted anyway.
Rather, it's all about governance, which I often describe as regulating the "care and feeding" of organizational information. One objective is to minimize the risk of data misuse, and this applies not only in the cloud but to the affiliates your operations tie into: suppliers, fulfillment houses, contract call centers, records archives, etc.
Companies need to apply the same level of rigor and skepticism to third parties that they do to cloud-based services.
When advising clients about their strategies for the cloud, I constantly reinforce the need to incorporate the answers to the big questions about a provider's service-level agreement (SLA). Thanks to these recent high-profile breaches, I'm now singing the same song when the conversation turns to interoperability with external systems. The goal is to encourage companies to take the same approach with partner agreements as with cloud contracts to ensure clarity, accountability and remediation regarding data protection and issue response.
This is where SLAs and management become critical, so you need to map out your SLAs and the questions you will ask in advance of these agreements. If you are working with partners, here are just a few of the questions to ask:
- What kinds of security technologies and protocols are in place to secure information where it resides?
- How do and will these systems work with your systems?
- Who's responsible should a breach occur? How is this determined?
- What are the limits of liability?
- What is the recourse, and are there different outcomes associated with different kinds of breaches?
- What procedures are triggered after a breach occurs?
- What notifications need to be sent, how quickly, to whom and by whom?
The bottom line is that you need to think about any party with which you share information in the same way you think about a cloud provider. In "regular" business relationships, the issues are just as important as they are in the cloud. Like it or not -- and realize it or not -- all of you are in it together, and what happens to them certainly affects you.
This was first published in February 2014