Keeping company data in the cloud sounds like a great idea. Cloud storage provides a common place that everyone can access. Your IT team can spend time building new services and products instead of managing servers. Cloud providers are pretty good at securing all that data, too.

SEE: Cloud data storage policy (TechRepublic Premium)

This convenience, however,  does involve a few tradeoffs and more than a few risks. Before deploying a cloud service it’s important  to put in place a policy that guides how data in the cloud will be managed. The IT department should start discussions with cloud providers, and business units should join in those conversations  to make sure that their concerns are addressed as well. In tandem with these plans, business owners and the IT team should set a plan for how to handle internal issues.

Setting expectations with cloud providers

Cloud providers have their own standard practices, but customers need to make sure these designs are robust enough to serve their corporate needs. 

This is good list of questions to start a conversation with a cloud provider:

  • Does ownership of the data change?
  • What is the backup schedule?
  • What service level agreements are available?

Security issues require a separate conversation. That discussion should cover the basic security features as well as:

  • Specifying security controls
  • Spelling out key management 
  • Ensuring compliance with relevant regulations

Establishing internal best practices

Once the ball is rolling with a provider, the next step is to set parameters for team members who will be using cloud storage for corporate data. Determining what data will and will not be stored in a cloud instance is the first topic to discuss and define. It’s also a good idea to review all corporate data sets to determine whether the cloud is an appropriate place for these valuable assets. No personal data should be in corporate cloud storage. 

SEE: Cloud data storage policy (TechRepublic Premium)

Another important issue to address is access–both who has it and how it is managed. This should be addressed in the policy and actively managed by the IT department. Access should be based on group or role permissions, not on an individual basis. This conversation should include a password management plan as well. 

SEE: Cloud data storage policy (TechRepublic Premium)

Developing a cloud data storage policy also presents an  opportunity to address shadow IT installations. It’s tempting for people outside the IT department to set up personal cloud accounts to solve one-off issues. This opens up security risks that the IT team may not know about. 

TechRepublic Premium’s cloud data storage policy covers all of these details and more. You’ll find advice on managing access, deciding what materials to put in cloud instances, and expectations for vendors.