NSA Row Highlights Cloud Security Issues for Content Management + Collaboration
I have to admit, as an ex-Military communications specialist, when the whole “NSA is spying on us all” storm broke, I yawned, rolled over and went back to sleep while thinking “and …? They have been doing it for decades ....”

My cynicism may or may not be misplaced. However, whether you look at the whole NSA spying debacle as a storm in a teacup, as the NSA and some cloud vendors would like you to, or as a serious hurricane blowing over the troubled waters of international relations, as the German Government does for example, there is an impact for cloud content management and collaboration vendors and solutions.

Cloud Security

There were many excellent articles last month about the future of Microsoft’s SharePoint platform, and how it currently integrates with Yammer, and how in the future it may be branded as Office 365 rather than boring old on premises SharePoint. Before we even go anywhere near the thought of a super powered foreign spy agency sifting through any of our data that transits the public internet (I am a Brit who lives and works in Canada!), I'll just point out that I work in the financial services industry.

So there are various regulatory agencies that specify rules and regulations, and we have big Information Security and Corporate Compliance divisions that take those rules and regs, and parse them down to the point that we get a "direction" that we can’t use tools such as Yammer or SalesForce Chatter because they don’t encrypt data at rest (back to that later), and therefore don’t meet the needs of our regulatory regime.

I am sure there are plenty of readers out there saying “well, sucks to be you, because we are in FS, and we use cloud services!” Well that is good for you and it’s true, we don’t all have to work under the same set of constraints, but that leads me to my first point: reading the inter-webs and listening to the podcasts over the last couple of weeks, there are some people who are worried about the potential negative economic impact that the NSA “revelations” might have on the U.S. economy as both individuals and enterprises worry about the privacy implications of storing data in public cloud services.

Whether you’re a private citizen of the U.S. (or other nations) or a multi-national corporation, there are plenty of ways to encrypt content as it moves back and forth including TLS (HTTPS) and Virtual Private Network (VPN) “tunnels.” There are even ways to encrypt the data at rest in a cloud service, or to deal with it in other ways (again we will return to that later). As an Information Management professional, I am interested in -- even worried about -- the integrative and user experience elements.

Social, Local and Mobile - and Secure?

Here is a quick scenario: You're using on premises SharePoint 2013, behind your firewall(s) for document centric collaboration, but you're using the Yammer integration in order to provide mobile access to social collaboration features via a range of devices as part of your Bring Your Own Device (BYOD) program. You have software available via the BYOD program for securing and wiping corporate data on the mobile device, and you have a VPN set up for secure transport of the data. You even have an encryption gateway provider that integrates with Yammer, encrypting your discussions about which competitor to buy next before it leaves your network and ends up on a disk in a server farm who knows where ....

So you're good, you have all the angles covered; but it sounds a little complex, right? There are lots of moving parts to manage there, especially if you’re a big organization. Other enterprises do though, right? So the fact that it turns out to be really, really expensive is ok, because everyone else has to cover that expense too?

Yes, I am deliberately trying to sound like a bit of a scaremonger. For sure there are excellent products out there, in use by hundreds if not thousands of major companies for securing your organizational perimeter, for encrypting data in transit and at rest in the cloud, and even on a user's personal device. However, the point about complexity of architecture and expense is very real.

Yes, cost is relative, and your ability to absorb that cost depends upon your industry, your risk profile and how much your investors want to let you re-invest internally this year, but no problem is insurmountable (if you have enough money).

The Information Management User Experience

So when you have these potentially highly complex but very secure architectures in place to allow you to reap the benefits of public cloud, private cloud or even hybrid cloud services, what happens to the user experience?

Do mobile users have to re-enter credentials to “log in” to a service like Yammer every time they want to read or post? Do they have to use a two or even three factor authentication schema? Is your enterprise file sharing/syncing service (like Box.net, MS SkyDrive, OT Tempo, EMC Syncplicity or HP LinkSite) integrated with SharePoint or other ECM systems at the back end? Is saving a local copy of content disabled?

How do you manage to do multiple source enterprise search across ECM systems, thousands of SharePoint team sites, file syncing systems, email, social conversations, etc., if some of that content is stored in the cloud and encrypted at rest for security purposes? I suspect the answer is “not easily” (but please comment and tell us otherwise!).

So what is the real point of my rant, you may ask? Well, as you can tell from my earlier blasé cynicism, I am not personally all that worried about the NSA (or Canada’s CSEC or the UK’s GCHQ), but there are plenty of threats out there depending upon your industry: hackers for hire who will steal your data in order to blackmail you, to sell it to your competitors, or screw over your customers' bank accounts.

As information management or knowledge management professionals working with content management, collaboration and social technologies, we have to be aware of the real threats and the risks, we need to develop good relationships with our Info Sec and Compliance colleagues, and we need to be discerning when attempting to understand the true costs and benefits of cloud technologies.

Editor's Note: Want more from Jed? See his As Social Tools Mature, Does the Social Enterprise?