Sunday, August 15, 2010

Privacy in the cloud: an oxymoron?

Eric Schmidt has repeatedly asserted that the notion of privacy is coming to an end and that people need to simply change their ways.  While I've long believed privacy on the Internet is incredibly hard to maintain, the issue of privacy - particularly as it relates to personal and corporate data protection - needs to be considered by anyone using a cloud-based service.

What is being posted on the Internet?

I'm consistently amazed at what people are willing to post online, even amid the clamor for privacy on the Internet.  While some have locked down their Facebook/LinkedIn/Twitter accounts, many people continue to upload and post information about themselves that could be damaging at some future point in time.  Moreover, that feeling of freedom in the personal realm easily transfers into the corporate arena.  I remember having to be more careful than usual about whom I share information with to avoid it going up on Twitter 5 minutes later because some people just want to share everything.

It's critical that companies have not only policies, but also training (with examples) on responsible corporate data stewardship.  If people don't internalize when it's appropriate to share information, they're more likely to inadvertently disclose that information.

Is it really more secure when it's on your computer(s)?

I've talked to different people who are uncomfortable using the cloud for data storage because "I want to control and know who can access my data".  After many years in IT, I'm confident that even when a company owns all its IT assets, people don't know who has access to what data.  Permissions get added, but never removed.  Poor processes and procedures lead to people long gone from an organization still having access to data.  IT people the end-users have never met, like sysadmins, DBAs, and programmers, often have access to data because of inherited administrative privileges.  Often, this adds up to a lot of people.

In addition, according to the Digital Forensics Association, almost half of all data breach incidents in the past five years occurred because of laptop theft.  Of those, about 1/3 were stolen from the place of business.  In the financial industry, penetration into the corporate data center by an outsider accounted for the vast majority of incidents and records disclosed.

What does this all mean? 

To start, end-users and admins alike need to be well-versed in how to protect IT assets and data from being taken by an outsider.  Organizations also need to make sure to include physical security as part of the overall data protection strategy to help protect against theft.  IT then should enact measures to log and audit all data access, including its own.

Most importantly, organizations need to determine how best to protect data at rest and in motion and understand their own capacity to execute on those requirements.  IT and business leaders need to take an honest look at the company and identify both what data is truly critical and what investment they're willing to make to mitigate the risk of a breach.  It may be that a cloud provider, who must ensure customer data is unavailable both to its administrators and to other customers, has invested more in security than your company has and can offer a more secure and cost-effective solution.  Decision-makers who are still locked into the narrow "if I can see the server, I know where my data is" view without training end-users and understanding all available data protection options are costing their companies in more ways than one.
