The past couple of months have seen several leaks of sensitive celebrity pictures and videos. This leak is of course unfortunate and highly embarrassing for all of the victims involved. So how does this security lapse relate to corporate information that may be stored in the cloud?
It is important for all employees of an organisation to understand data of any type rarely resides only on the device where it was created or stored. Once uploaded to cloud storage services, it becomes much more difficult to manage and monitor who has access to that data.
Information security professionals need to provide technical solutions and facilitate improved awareness of how to create, classify and manage data that resides in the cloud.
The two Information Security Forum (ISF) reports Securing Cloud Computing and Data Privacy in the Cloud describe how organisations can protect themselves while moving sensitive information in and out of the cloud.
The recent high-profile leaks can provide an opportunity for the information security function to work closely with business stakeholders to protect critical information and support business agility, while maintaining compliance to information security policies and legal requirements.
Main recommendations include:
- Ensure business stakeholders and users understand the risks of using cloud services and either put in adequate safeguards or accept them.
- Classify the cloud-based systems and data to determine its degree of inherent risk.
- Add processes for assessing and managing cloud risk into the procurement and supplier management lifecycle.
- Assess the adequacy of arrangements for cloud computing services used by external suppliers.
Taken together, these steps will help a business get the maximum value from cloud services, while also ensuring its information remains secure and the organisation does not find itself in an embarrassing and compromising position.
Indy Dhami is a principal research analyst with the Information Security Forum (ISF)