A critical element of a company’s security program is the establishment and maintenance of a comprehensive business continuity plan (BCP) that covers the restoration of both technology and business operations in the event of an unplanned event.
The planning process for the BCP should include risk analysis, business impact analysis, recovery strategies for different scenarios including geographic/regional events, pandemics, natural disasters (e.g., tornado, hurricane, flooding, fire, power outage) and security breaches.
Typically security and IT teams plan and test around these events based on the likelihood of a particular event happening.
No one saw COVID-19 happening.
As a result, companies that didn’t have their modern workplaces fully established are now jumping from one cloud technology to another in a rush to enable remote work. Their IT teams are struggling with under-licensed environments, and even experimenting with free technologies like Zoom that have been facing increased scrutiny for their privacy and security practices.
This haphazard approach is not without its risks.
I’ll discuss how to mitigate these risks, but to do so we need to understand the context and best practices for how we have dealt with past ad-hoc, unofficial cloud usage, commonly referred to as “shadow IT.”
The Risk of the Cloud
For organizations subject to regulatory requirements, the move to the cloud is not without risk. Some enterprises have significant concerns about storing business data outside the walls of their organization.
This is due to:
- Non-employee IT administrators possessing a high level of access and control over information.
- Available technology options used to secure and manage user access and authentication.
- The actions of employees or contractors — both intentional and accidental.
Companies no longer face the question of if they are going to go to the cloud — it’s a question of what they are going to put in the cloud. Most organizations will end up having their data in the cloud, whether it’s intentional or not.
For instance, many employees are already storing and sharing business content in personal cloud applications, like Dropbox or Box. They typically use these due to ease of use and access — often leaving IT administrators and security officers with little control over how the information is managed.
In reality, no matter where your data lives, whether it’s in on-premises systems or in the cloud, you are still responsible for it. Not only do you need to negotiate adequate protections to ensure your cloud provider will respond to incidents in a timely manner, but you must also plan what kinds of data, applications or infrastructure your organization is comfortable moving to the cloud.
In a perfect world, before moving to the cloud, you would first understand the data that you hold. Only through knowing what data you hold, along with internal company policies and external regulatory requirements, can you begin to take a risk-based approach to storing it appropriately.
This knowledge allows you to make informed decisions including:
- Where it should live.
- Who can access it.
- What kinds of controls you need to put around it.
Understanding Your Data in a Pandemic World
However, in the current circumstances, many companies find themselves in the cloud and working with a number of unexpected and possibly unvetted cloud providers.
What should you do?
First, consider reviewing your policies to look for any exceptions that need to be addressed. It's better to be proactive than reactive.
Understand that while you are operating under emergency circumstances, you are going to still be accountable for whatever is and may be happening with your data and systems. Your customers and employees may cut you some slack, but ultimately you are responsible for protecting sensitive data.
This means you should quickly determine how you will be able to both search for and find sensitive data. This includes identifying your sources (Office 365, Box, Dropbox, Yammer, etc.), the type of sensitive data (CCPA, GDPR, PII, PCI, ITAR, PHI), and the risk and exposure involved.
Your workforce needs to understand how, where and when they should be working with sensitive data, and who has access to it. Ideally they should work with it only in an approved way.
Training and automation of a classification schema for protected data can provide a big boost with these efforts. This may involve a quick decision about whether you will use labels or system of file data classification (available through systems like Microsoft Teams).
Related Article: The First Steps to Take on Your Data Security Journey
Trusting Your Cloud Provider
After this discovery phase, you must consider your level of trust in your current and new cloud providers. Their transparency regarding security and data protection practices must also factor into your decisions.
For example, what can they tell you about their backup and data recovery procedures? If your company is subject to data sovereignty requirements, you must ensure data is kept within the country, along with the data backups.
The same reasoning applies for defensible data destruction and records management requirements. Make sure you know where all of the copies of your data reside. From the outset, you need to set clear expectations with your cloud providers.
Addressing Future Updates
Next, be sure you have a clear understanding of how your cloud provider will roll out enhancements to their service.
One of the great advantages of the cloud is service providers — such as Microsoft, Amazon and others — can continually update their offerings without requiring maintenance on your end.
While this is a great advantage from a technology perspective, it also may create privacy and data security implications. One simple way to address this is to ensure any updates provided to your environment will first be done in a test or non-production environment. This way, security and data privacy teams can fully assess any risk before you introduce the new features to your systems.
You Can Still Protect Data in Today’s Environment
The cloud can make your BCP planning (and life in general) much simpler and help you manage your data in a much safer manner. Just be sure that from a data privacy and security perspective, your feet remain firmly planted on the ground as your applications move to the cloud!