Data protection is a key concern for organizations seeking to leverage the cloud—and rightly so. It’s no small matter to send sensitive business data like customer information, financial records, legal documents or intellectual property outside your on-premise infrastructure. But security concerns don’t have to pose a barrier to the benefits of the cloud. “With the right measures and best practices,” Stan Black, Citrix Chief Security Officer, says, “you can move the right data to the cloud, the right way, to take advantage of benefits like flexible on-demand storage and anywhere, any-device access with manageable risk.”
Make sure your strategy for data security and privacy is comprehensive, up-to-date and complies with legal mandates, and that your workforce is fully trained on your policies and practices. At the same time, you shouldn’t expend resources protecting specific types of data beyond the levels they merit. Use a data classification model to differentiate among public data with no confidentiality, privacy or compliance implications; confidential data that isn’t meant to be public, but poses minimal risk in the event of leakage; and restricted data posing a significant risk of non-compliance, reputational damage, lost business and other material impact. This will help you assign an appropriate storage and access permissions policy to each type of data, including the suitability of cloud storage and access.
As you evaluate cloud providers, pay close attention to their service commitments and security procedures and practices. Your due diligence can encompass a detailed questionnaire, onsite investigation and references from other clients, along with any certifications and attestations offered by the provider. Trust and transparency are critical—make sure to get in writing the terms of service, data retention and return procedures, penalties for audit failures, and how outages and security breaches will be handled. Monitor compliance with your contract as long as the provider holds your data.
A cloud provider’s contract will also give you a basis for comparing its levels of service and security to your own internal capabilities. Any compromises should be factored into your assessments of the relative costs and benefits of putting your data in the cloud. This should also include the risks involved in data transfer, storage and access over third-party infrastructure. The cloud can also have an impact on employee and business productivity and mobility—consider this from the perspective of key use cases in your organization.
If your cloud initiative includes regulated data, make sure that both your strategy and the capabilities of your provider are designed to meet mandates for compliance, privacy and governance. These can include FTC consent decrees, HIPAA privacy and security rules, European Union restrictions on cross-border data transfer, and U.S. and E.U. safe harbor principles addressing the precautions to be taken to protect personal information. One consequence of rising regulatory compliance requirements, as well as high-profile data losses, has been a dramatic increase in the use of encryption to protect business data. As part of an effective approach to encryption key management, you should control the keys for your own encrypted data in the cloud.
Your security strategy for data in the cloud is only as effective as its implementation. To prevent lapses, educate employees, contractors, partners and service providers about best practices for using the cloud securely to access business data, such as the risk profiles associated with different access methods, devices, locations and types of data. Review and update your policies for security, bring-your-own-device (BYOD), mobility and acceptable use regularly, and inform users promptly about any changes, trends or concerns.
Given the relative newness of the cloud, it’s understandable for IT to be wary of the security of moving business data to a third-party infrastructure. In the words of Stan, “By giving your security strategy for data in the cloud the same level of thought and rigor as for your on-premise assets, you can realize the full benefits of the cloud without introducing additional risk.” To learn more, visit citrix.com/secure.
About the author
Stacy Bruzek Banerjee is the director of solutions marketing for Citrix and is responsible for global security, business continuity and BYOD solutions. Prior to Citrix, Stacy worked to build Guidewire to explosive growth and a successful IPO. She has held marketing leadership roles at Oracle, Symantec and VISA, where she focused on data management, security and collaboration. She holds a bachelor’s degree from the University of Minnesota.