Do any web search on the inhibitors of moving to cloud and you'll find one primary challenge rises to the top: business risk. The benefits of cloud often outweigh the risks, which is why more and more business information is being shared in the cloud. In fact, 50% of Global 1,000 companies will have customer data stored in the public cloud by 2016, according to Gartner.
The rapid transition of critical data into the cloud and the use of SaaS for business processes mean that organizations need to have a solid approach to manage the business risks of cloud. We have worked closely with customers and Cisco's own IT department to identify some initial steps that organizations can put in place to mitigate the risks of cloud services with IT governance.
Revise how your company data classification system applies to cloud services.
Businesses typically have already established a tiered classification system including private, confidential, public, etc. This system needs to be revised to detail what and how information should be shared in the cloud. These policies also need to take into account any regulatory or compliance requirements.
Communicate an employee policy specific to cloud service usage.
Recently, I was speaking with a large healthcare provider about what policies they had that outlined what employees could share in the cloud. The customer's IT group believed that a general company code of conduct safeguarded them. However, as the conversation progressed, they realized that their current policies were not explicit as to how this applied to cloud.
Employee policies need to clearly outline what can and cannot be shared with approved corporate cloud vendors. For example, even though a vendor like Salesforce.com or Box.com might be approved, an organization may not want certain confidential information to be shared with an outside vendor. These policies also need to address personal use of cloud services (file sharing services, free email accounts, etc.). They need to be communicated to employees periodically, along with how employees' actions might be monitored to ensure compliance.
Discover and determine the risk profile of shadow IT.
According to a recent Forrester study, 43 percent of respondents believed shadow IT practices were major threats to their respective organizations. It is critical to discover and classify the services being used that have not been approved by IT. Once identified, there are typically three approaches to handling the risks of shadow IT.
1) Assess and onboard critical cloud applications.
2) Block risky cloud applications with secure web gateways or data loss prevention solutions.
3) Monitor applications and as-a-service usage with alerts for unusual activity.
Establish a data security assessment process for new cloud services.
A vital way to ensure that business data is kept safe is to have a thorough risk assessment process as cloud vendors and services are brought on-board. This process should take into account the following five elements:
These are some initial steps to managing the business risks of cloud. However, businesses that are looking to reap the benefits of cloud and avoid risk must put in place a lifecycle approach to manage cloud services.
We recently introduced Cloud Consumption Optimization, an annual subscription service that helps customers govern their cloud adoption from end to end and continually monitor cloud use. Learn more about how we can help you govern cloud and manage cloud risks at http://www.cisco.com/go/cloudconsumption