Konfuzius-1770 A couple weeks ago I made mention of The Coin Operated Cloud in passing and decided to expand on it.  Isn’t that how blogs are supposed to work?  It’s no secret that The Cloud has given many organizations and individuals alike the computing power to host, store, transmit, broadcast and generally enable a huge swath of resources.  (Not sure if I like that sentence structure, but you get the idea).  Small and Medium sized business gain access to pay-as-you-go and Large Enterprises can realize economies of scale.  Cloud Computing also opens the door to just about any individual with a credit card.  That can be good and bad.  Good if you need to provision services in an instant; bad if you’re dropping a corporate entity out there without anyone’s knowledge.  Employees no longer need to submit a ticket to your IT department to toss up a web site or service.

That open access for anyone to deploy services can create a security nightmare.  Ponemon Institute recently reported that ‘more than 50 percent of IT professionals surveyed say their organization isn't aware of all the cloud services employees are using -- and few were evaluated for security before use.’  These sites and/or services might contain sensitive company information yet no one, except for the individual or department, has a clue that it’s out there.  Usually those employees are not looking to break the rules but simply get their job done.  The problem arises when considering things like; how do you maintain compliance, consistency, standardization, change control, management, access control and a whole host of application deployment challenges when it is essentially a rogue site?  Rogue, not in the traditional sense of delivering malware or committing fraud, but a corporate off-shoot of your online presence.  Typically, IT Web Services departments are responsible for and have control over the web facing properties but if they are unaware of these ‘additional’ entities, vulnerabilities, exposure and other risks are impossible to control. 

Kim Boatman, in this article, gives a few pointers on how to get a handle on your cloud computing presence.  She recommends doing a Cloud Inventory to evaluate all cloud activity.  This is not a IT focused survey but a company wide analysis.  IT may have not embraced the cloud but employees may have already.  It’s also important that IT becomes the preferred method to deploy cloud services to gain a better control over security risks.  Create a catalogue for employees to use when they need such deployments.  In addition, examine the cloud providers you currently use to have a clear understanding of the security implications of the blending of data.  There may also be alternatives for the type of content that employees need in the cloud verses IT.  Finally, as with anything IT (or business related), create a policy around cloud computing.  This allows IT and employees alike to understand when/how cloud computing is appropriate.  Sensitive data in the cloud has it’s own challenges and there are laws surrounding the protection of that data.  If it gets lost, it’s the executives not that employee that will ultimately have to answer for it.

And one from Confucius: It does not matter how slowly you go so long as you do not stop.

ps

The CloudFucius Series: Intro, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15

Resources:

Digg This