Cloud and the new rules for the IT department

Over the past decade, cloud has changed the enterprise technology infrastructure dramatically. Organisations are now adopting the cloud to drive productivity and efficiency.

As a result, enterprise data will travel beyond the network boundaries and outside traditional technology controls. Data protection must now extend into the cloud.

Out with the old

The temptation is to cast a technology organisation’s role in cloud information protection as that of a restrictive agent, especially for organisations in strictly regulated industries.

Traditionally, adopting the cloud forces technology groups to surrender some control over enterprise data, which can be uncomfortable or unacceptable for many. As result, some choose cloud prevention over cloud protection.

But vetoing third-party cloud services is much easier said than done. The boom in cloud application discovery software provides proof of the shadow IT problem.

With no officially sanctioned cloud applications, workers and, in some cases, entire business divisions are adopting cloud services without the knowledge or participation of the technology team.

Today’s technology organisations must focus on enablement because the cloud isn’t going away. Employees want it and businesses see cloud applications as a way to gain competitive advantage.

Today’s reality means organisations must develop data-protection strategies that will enable cloud adoption without losing control of their data or falling out of compliance.

This means that business, technology and information security need to establish and maintain a dialogue.

Banish shadow IT and tighten security controls

You can’t control what you can’t see. So to better control data as it moves past the network perimeter, enterprises need tools to discover all the cloud applications their employees use.

The cloud discovery solution should also be able to score the potential risks associated with each application. Ideally, the tool should scan network logs on premises.

To maximise cloud discovery benefits, make sure the tool connects into a data loss prevention (DLP) system that can enable security controls such as encrypting or tokenising data to go beyond simply blocking and quarantining certain applications.

An encryption scheme that provides limited, controlled, enterprise-exclusive encryption key access is increasingly adopted by modern technology groups. Information remains illegible to unauthorised viewers who cannot decrypt the content without the encryption keys.

Another cloud security control is tokenisation, which replaces the data itself with a placeholder. The data is stored within an enterprise’s perimeter, and only the token is transmitted to the cloud.

This process plays a vital role in a company’s regulatory compliance strategy by mitigating risks for sensitive information in the cloud.

Ongoing assessment

Security postures need to stay dynamic for quick response and over time to respond to the changing risk landscape. To do this, leverage a DLP solution that extends into the cloud to continuously monitor the ecosystem for unusual activity. When the tool detects something unusual, it then enforces the appropriate security action.

By implementing a cloud information protection strategy across the enterprise, technology can enable employees to conduct business and take full advantage of cloud applications while defending against the risks. The enterprise no longer has to choose between security and agility. Employees can use the tools they need and technology can make sure sensitive data is secure and complies with regulatory requirements.

By successfully adapting to the cloud, technology and security groups can swap their outdated naysayer image for that of the enabler of business and create a win for the entire enterprise.

Image courtesy Perspecsys under CC