The rapid transition of critical data into the cloud and the use of SaaS for business processes mean that organizations need to have a solid approach to manage the business risks of cloud. We have worked closely with customers and Cisco’s own IT department to identify some initial steps that organizations can put in place to mitigate the risks of cloud services with IT governance.
Revise how your company data classification system applies to cloud services.
Businesses typically have already established a tiered classification system including private, confidential, public, etc. This system needs to be revised to detail what and how information should be shared in the cloud. These policies also need to take into account any regulatory or compliance requirements.
Communicate an employee policy specific to cloud service usage.
Recently, I was speaking with a large healthcare provider about what policies they had that outlined what employees could share in the cloud. The customer’s IT group believed that a general company code of conduct safeguarded them. However, as the conversation progressed they realized that their current policies were not explicit as to how this applied to cloud.
Employee policies need to clearly outline what can and cannot be shared with approved corporate cloud vendors. For example, even though a vendor like Salesforce.com or Box.com might be approved, an organization may not want certain confidential information to be shared with an outside vendor. These policies also need to address personal use of cloud services (file sharing services, free email accounts, etc.). They need to be communicated to employees periodically, along with how employee actions might be monitored to ensure compliance.
Discover and determine the risk profile of shadow IT.
1) Assess and onboard critical cloud applications.
2) Block risky cloud applications with secure web gateways or data loss prevention solutions.
3) Monitor applications and as-a-service usage with alerts for unusual activity.
Establish a data security assessment process for new cloud services.
A vital way to ensure that business data is kept safe is to have a thorough risk assessment process as cloud vendors and services are brought on-board. This process should take into account the following five elements:
Initiation – Establish what elements of your business a vendor will be involved in and what data will be shared with the vendor. Will they handle confidential/private information or only public data?
Data encryption and integration – Test the encryption of data as it passes from the organization to the vendor as well as how the data will be stored at the vendor’s data center. Understand how a vendor would integrate with your systems (creating single sign-on, pulling corporate data, etc.).
Vendor data security policies – Can the vendor uphold the policies for protecting your corporate data based on the classification system defined above, and do so the same way or better than your IT department would? Evaluate the vendor’s disaster recovery plan, compliance and regulatory processes, and identity and access controls.
Vendor stability and proprietary policies – According to Gartner, 1 out of 4 cloud service providers will be out of business in two years. This is largely due to financial instability or acquisitions. Businesses need to ensure that vendors they choose to work with are financially stable. Find out how the vendor would handle your data in the event of a business closure or acquisition. Additionally, do they use a proprietary technology approach that might lock you into using them? Insist that vendors use an open source approach that would help you transition to a new vendor if an SLA was not met or if the vendor was acquired or went out of business.
Ongoing vendor monitoring – Establish a process to regularly review vendors (annually for those dealing with business critical processes, less regularly for those with less impact).
These are some initial steps to managing the business risks of cloud. However, businesses that are looking to reap the benefits of cloud and avoid risk must put in place a lifecycle approach to manage cloud services.
In the last two blogs, I talked about the reasons for IT Transformation, understanding Enterprise Environment and how to effectively set management goals. As more and more companies begin to move towards IT Transformation, there are mistakes that businesses should be wary of. Today I will discuss the pitfalls that can slump the IT transformation process, as well as the services Cisco has been developing to help Enterprise on the journey to IT transformation.
As you may have read, Apple’s iOS 8 will come with some changes to the way MAC addresses are exposed in Wi-Fi probe requests. Apple’s intent was to provide an additional layer of privacy for consumers and target those companies that offer analytics without providing any value to the end consumer. We’ve been getting some questions about what this means and how it impacts our Connected Mobile Experiences (CMX) solution, so we wanted to clear this up for our customers.
What does this mean for you?
First and foremost, Cisco has always been dedicated to privacy for our customers and their end-users. There are four aspects of privacy that are built into our CMX solution:
1. Anonymous Aggregate Information: All analytics are based on aggregate, anonymized location data.
2. Permission-based: Users have to opt in to join a Wi-Fi network or download an app.
3. MAC Address Hash: Users’ MAC addresses can be hashed before being exposed to third-party apps.
4. Opt Out: End-users are always presented with the option to opt out of location-based services.
The true value of CMX analytics for organizations is in aggregate location data to be used for business analysis to improve the customer experience for end-users. Providing customers with high performing Wi-Fi not only keeps always-on mobile users happy and opens the doors to delighting customers with more personalized experiences, but also helps provide more granularity to those aggregate trends to feed back into the experience creation machine. Win-win.
What does this mean for our CMX value proposition?
In my last blog, I established reasons behind today’s need for IT Transformation. We know that CIOs hope to cut their budget in half, but this will be difficult unless they understand their Enterprise Environment, as well as the management goals that align with their organization’s overall IT transformation efforts. Today we will take a deeper dive into understanding both. Because there is no “one size fits all” way of embarking on an IT Transformation journey, it is important that each organization looking to begin this process makes their own set of assessments, starting with a baseline assessment of their Enterprise Environment: