Security mysteries: The case of the cloudy data

"It is of the highest importance in the art of detection to be able to recognize, out of a number of facts, which are incidental and which vital." --Sherlock Holmes

When Arthur Conan Doyle created the character of Sherlock Holmes in 1887, he also created John H. Watson. Watson serves as the narrator of nearly all of Holmes' adventures as a consulting detective. The stories often begin when a potential client visits Holmes' residence at 221B Baker Street in London.

Holmes and Watson typically view the same scene and hear the same story, yet Holmes observes details that Watson consistently overlooks. These details, woven together, provide the evidence necessary to solve the case.

Here is our mystery: Where is your organization's data? Let's review the particulars.

Data: Confused cloud

Cloud computing remains a mystery to the general public. "51 percent of respondents, including a majority of Millennials, believe stormy weather can interfere with cloud computing," according to an August 2012 study paid for by Citrix.

The same study found "A majority of Americans (54 percent) claim to never use cloud computing. However, 95 percent of this group actually does use the cloud." The study goes on to cite how respondents use online banking, shopping, social networking, online games, and photo sharing. Like Sherlock Holmes, IT professionals grasp the significance: those activities all involve cloud computing.

The evidence suggests that users might not understand where data is stored.

Data: Cloud control

Cloud computing systems enable rapid access to processing and storage systems outside of an organization's walls. The PC revolution put a computer on every desktop: users had control. The client-server revolution connected PCs to a central system: system administrators had control.

With a client-server setup, your data is on the server. With a 100% cloud setup, your data is on someone else's servers. With a virtual desktop system, your data resides on your virtual machines. And there are various ways to make your data available both on-site and off-site (via VPN, remote access tools, or cloud sync tools).

The evidence suggests that your data may be scattered across multiple servers and vendor systems.

Data: More mobile

Yet, there's another revolution taking place: people are moving to mobile devices. The Pew Internet and American Life reports that 45% of American adults own smartphones (September 2012), and 25% of American adults own a tablet (August 2012). The smartphone is the new PC: users often have control.

The evidence suggests your organization's data is also on smartphones and tablets.

Solve the cloudy data mystery

1. Pay attention to your service level agreements

In the cloud era, your data almost certainly will "live" on someone else's servers. Power shifts to those who control the clouds (or, more technically, the APIs). Amazon Web Services dominates the space in which Microsoft, Google and many others also compete. Your IT team needs to negotiate, manage and monitor Service Level Agreements.

2. Manage and secure your mobile devices

The NIST document, "Guidelines for Managing and Securing Mobile Devices in the Enterprise" (PDF) provides a useful introduction to the topic of mobile security. Practically, though, you need a system for mobile device management. Both Office365 and Google Apps enable administrators to enforce password requirements and auto-lock settings, require data encryption, and remotely wipe mobile devices.

3. Design as secure a system as possible (and educate your users)

Time after time, reports show that social engineering or user behavior contributes to corporate data breaches or loss. Above all, you need to design security into your systems: choose settings that favor security over convenience (e.g., require 2-step authentication). A well-designed system minimizes the need for user training.

Bottom line

Understanding where your corporate data is - and securing it - is not, as Holmes might say, "Elementary." Instead: "It is of the highest importance in the art of detection to be able to recognize, out of a number of facts, which are incidental and which vital." That seems like excellent advice for tech professionals today, even though it was spoken by Sherlock Holmes in The Adventure of the Reigate Squire, published in 1893. Tools change, but logic doesn't. Case closed.

About

Andy Wolber helps people understand and leverage technology for social impact. He resides in Ann Arbor, MI with his wife, Liz, and daughter, Katie.

4 comments
dogknees

Are we now calling everything that stores data on someone else's hardware "cloud applications"? If so, then virtually everything you or have ever done online is "cloudy". Now, if my bank is running their storage and processing on shared cloud servers/services, I could agree, but if it's on their own servers, it's just client/server or plain old web applications. How does broadening the definition to include pretty much everything help when explaining what the cloud is to people? Sounds like cloudists are trying to achieve some degree of relevance they don't currently have. Or, that they are using the argument "you've already been using cloud for years, so there's nothing to be worried about" to promote their systems and deflect legitimate criticisms of, and concerns about, the cloud concept.

Mark W. Kaelin

Your data is likely scattered across servers, cloud services, and mobile devices. What's the biggest security flaw you see in your organization today?

Michael Kassner

I doubt most banking CSOs would agree with your saying using their banking app or online banking and in-house systems is the same as using the cloud.

andy

Maybe my writing was unclear (or, pardon the pun, cloudy). Enterprise data today is scattered across in-house servers, on external hosted systems, and yes, even on true cloud systems. I.T. roles to secure those three areas extend from just system administration to include external contract (SLA) review, monitoring and auditing. The role of I.T. shifts from internal ("we do it ourselves") to external ("we integrate internal, hosted and cloud systems"). As for relevance, I see Microsoft, Google and Amazon all moving toward a world where MORE data and apps live "outside" an organization's internal networks. Thanks for reading! --Andy
