A cloud policy is essential for any organisation’s ability to remain secure and grow competitively — and the responsibility for developing one remains squarely with you, not your cloud services provider. While a cloud policy is needed regardless of delivery model, SaaS used without clearly defined user guidelines in particular leaves the door open for employees to consume public cloud services that could be putting data at risk without you knowing it. Consider some of the findings revealed in a recent survey of 500 leading companies by Symform:
- Nearly 20 per cent of surveyed organisations have no established security policies or standards for departments using or considering cloud computing.
- Of the 39 per cent who claimed their organisations are not using cloud solutions and have no established policies, nearly two-thirds of this group allow employees or teams to use cloud services. Even more frightening, over one-third of the group allow employees to store organisational data in cloud solutions.
- Nearly 70 per cent are against storing credit card information in the cloud, yet have no policies in place to prohibit workers from doing so.
Unfortunately, the presence of cloud policies does not guarantee proper enforcement. A Symantec-sponsored study showed:
- 81 per cent of IT executives claimed their organisations had cloud security policies that stipulated clear-cut consequences for violating these policies, yet 55 per cent of surveyed end-users said they “didn’t know these policies from Adam” and 49 per cent of end-users were unaware of any consequences.
- Some enterprises have completely blocked internal access to Dropbox and iCloud, commonly deemed as insecure for corporate data, instead of putting policies in place to control their use.
The surveys and studies speak volumes. But the questions remain: Where to start in a cloud policy — and what to include? As experts in cloud services, we’ve developed a four-step methodology to help organisations of all sizes develop their own cloud policies.
1. Codify all the steps necessary to deploy a solution. When departments or individuals in your organisation express interest in cloud solutions, you must have a framework for evaluating these cloud services. Establish a process for obtaining all the technical information, such as understanding:
- Everything the cloud initiative entails
- Methods for accessing the cloud data
- The necessary governance and security
- What test resources and pilot individuals and/or departments are appropriate
- What IT resources are necessary to launch and maintain the cloud initiative
- The resources the requestor and IT need post-launch
- How and when the cloud initiative will be evaluated post-launch to ensure performance
2. Ensure the cloud solution addresses “The Top 5”. The criteria above address the request and how IT will support the new cloud computing initiative. But IT’s role isn’t solely understanding and supporting cloud solutions. As the experts, the IT department must perform due diligence on the proposed cloud service to ensure it meets “The Top 5”, meaning the cloud initiative is:
Remember: The requestor is focused on solving a problem. IT’s role is to ensure that solution cuts the mustard.
3. Determine how well the cloud solution considered can achieve the objective. Once the project is fully understood, extend IT’s technical expertise to determine if the requestor has found a solution that fully addresses the need, or if the solution will require customisation in order to meet the basic objectives.
4. Delineate employee access rights and possible workflows. Most requestors err on the side of allowing more access than needed. While this may not be a large concern for small initiatives, or ones handling non-sensitive data, cloud solutions that involve highly sensitive information should be limited to authorised personnel only.