If you look at current discussions between cloud providers and customers, too often the customer leaves with the impression that the Cloud fixes all their problems. In fact – it does not. Too often I see the Cloud provider telling the customer that they should not care about security anymore – they will do it for the customer. That’s only part of the truth.
In order to shed some light on this discussion, Doug Cavit (a Principal Security Strategist at Microsoft) and I published a paper a few months ago called Cloud Security Considerations, addressing the key areas to consider when moving to the Cloud. I have used this approach very often when talking to customers, regulators and government elites. It works extremely well and seems to cover the story end to end.
Now, Doug stayed busy. He just published, together with Javier Salido (a program manager in Trustworthy Computing), a paper called A Guide to Data Governance for Privacy, Confidentiality, and Compliance - Part 5: Moving to Cloud Computing. Behind this long title, there is actually a lot of good content which complements the above mentioned paper.
If you know what the Cloud is, you could skip the pages following the summary. When I talk to customers, I always tell them that there are a few fundamental things to have in place when you consider the Cloud: Compliance and Risk Management, Identity Management, and Data Classification. Fairly early in the paper, Doug and Javier draw the conclusion:
Organizations should implement a data classification policy and procedures for deciding which data is ready for the cloud, under which circumstances, and using which controls.
Usually people smile if I tell them this. And at the same time, we all know that the policy is in place, but it is often not really implemented, nor is the user given the technologies to implement it easily. From a technology perspective, I love Rights Management Services and especially its implementation in Office called Information Rights Management. The corresponding templates help to attach the right classification and protect the document with just a few clicks.
However, this is often an awareness and process problem, much more than a technology one! But back to the paper. When it comes to responsibilities, the paper is fairly clear:
Delegation does not discharge the organization from managing risk and compliance, or from having to prove compliance to the appropriate authorities.
I could not agree more! You have to manage your data – it is your data, even if you move to the Cloud! Therefore:
Compliance requirements can be fulfilled by a skilled internal team and a certain level of process transparency on the part of the cloud service provider.
Make sure you have the team in place and then ask your Cloud provider (make sure you follow this sequence).
There is a lot of additional content in there to consider. But then they move on to recommending what you could do, or as they call it, Elements to Consider When Moving to the Cloud:
- Viability of the Cloud Service Provider and Potential Switching Costs
- Compliance and Related Issues
And finally, they help to bring the Cloud-related issues into the context of the Data Governance for Privacy, Confidentiality, and Compliance framework, which can give you real hands-on tools and techniques to make it happen.
From my point of view, this is a really good paper, from which you can take the parts you need at the moment, be it a high-level understanding of the problem space or more hands-on tools. Is it simple? No, not really, as the problem by itself is complex, but it helps you to understand much better how to approach it.