Whether or not your
organization is officially looking into cloud computing as a potential business
tool, chances are that your employees are already using cloud-based
applications without you knowing about it.
Cloud-based
applications are already widely used – some of the better known examples being
Google Docs, Windows Live, Salesforce, Acrobat.com, Dropbox, and KnowledgeTree.
And they don’t require IT approval for a user to set up an account – anyone can
sign up with a credit card.
Once employees start
using a cloud-based application, security questions start popping up very
quickly. Where’s the data being stored? Who has access to it? How is it being
backed up? How stable is the cloud service provider?
It’s possible that
most use of these services by your employees involves only data that’s
unclassified. But that’s not a risk that you can afford to take. And use of a
cloud-based application could break the law, and/or agreements with partners –
especially if an employee uploads data to a cloud service that stores data in
another jurisdiction, e.g. out of the country.
You could try to restrict
use of these applications by blocking access from your network, but that’s
probably impractical. And, as with many things, it’s likely that users will
find ways to bypass your security measures.
So what’s the
solution? Clearly, the first step is to establish a clear IT policy that covers
the use of external services. This will probably be part of, or a supplement to,
your Acceptable Use Policy. Make it fair and reasonable, or users will find
ways to circumvent it.
Then, as with all
policies, you’ll need to tell your staff about:
- Why the policy is needed, and the implications of failing to follow the policy.
- What employees CAN do with cloud-based services – probably a list of approved cloud-based services.
- What employees CAN’T do with cloud-based services.
- Who to talk with if they have questions.
The final point is
particularly important since cloud computing is such a new field that many of
the legal and technical issues have yet to be resolved.