Cloud storage is a solution that users are driving IT organizations to use whether we want to or not. Just ask a sales person what they use. They will tell you how great it is and how they use it. As IT organizations, we need to take notice and understand the impact to our process and the effect to the data stored outside of our organization. Here are five things commonly misunderstood about cloud storage.
1. Account management – Access needs to be controlled and managed through periodic user account reviews. If users create their own access they may use personal information to set up an account. The IT organization would not have access to any of the company data the user has stored. Throughout the course of using cloud storage, users can provide others access, such as non-employees. However, failure to remove access of individuals may provide information that should not be shared or is sensitive. I recommend users review who they have provided access to every 6 months or at least yearly. The users need to review and remove any shared access no longer needed.
2. User termination management – When a user exits the company, a plan is needed for the cloud account and the data. This is an extension to #1 above. The termed employee should have their access removed from internal and external partners as part of normal off boarding. A plan for the data should be developed. This could be that the former employees’ manager is now the owner of the account and the data, but there should be some management and not let the account go dormant. Be sure to keep logs, records or require details documented in helpdesk tickets of who ends up with the data so a good trail of ownership can be established.
3. BYOD policy – Many things need to be considered in a BYOD policy and cloud use and access should also be included. Cloud data is designed to be accessed by many devices, including phones and tablets. Without a strategic approach on how cloud data is controlled, data loss can occur through stolen or lost devices. Encryption should be considered as well as wiping the device. Policy should be set at an acceptable level, balancing the risk the company is comfortable with. It may be appropriate to not allow access with these devices; however, users will always want more convenience to access cloud data.
4. Data retention – Cloud storage services often offer the ability to apply retention to the data stored. I recommend adding this to the list of requirements for the service. Retention is often overlooked and is a major factor of why we have Big Data challenges today. Don’t increase the problem by letting data sit in the cloud forever. Chances are, there is a retention schedule. The challenge is determining how the data aligns to the retention schedule. One consideration is to treat data stored in the cloud like the inbox of email. Consider it in transitory or in work with limited life and applied retention. Make sure you include your records manager in the discussions as they often have repositories or locations for required records to be stored.
5. eDiscovery – Litigation is on the rise and IT is often required to produce data related to legal matters. Cloud storage will be scoped as needing to be collected, just as personal and group shares. Without proper account management access, this may not be possible (see #1 above.) The log mentioned in #2 above, becomes helpful when identifying the current owner of former employee data. Legal matters often arise after terminations. Six months or a year later don’t rely on the help desk techs to remember who ended up with the data. Many cloud services don’t have good legal hold functions yet. Applied retention is often not easy to suspend on an account by account basis which should be required when a legal hold is mandated to a user. The legal organization needs to understand the implications of the technology and discovery collection procedures need to be approved and in place prior to user onboarding.
Before engaging in a Cloud storage service, define your requirements. Account management, terminations, BYOD policy, retention and eDiscovery are the areas often overlooked. Make sure to include other organizations that will be impacted, such as Legal and Records Management. By doing this, your company or organization will ensure that corporate data is protected and managed in a controlled environment with the company’s interest in mind.