At the moment, it sounds like a situation of free-for-all chaos with no oversight in place. Hopefully, employees are not allowed to download and install any software they choose, so why let them use unapproved services?
The first thing that should be done is to bring all cloud usage by your employees under control. If you are in a medical environment, you cannot risk being non-compliant with regulations such as HIPAA when it comes to handling sensitive data; the potential fines and the damage to your reputation could be crippling.
Implementing cloud governance involves establishing and enforcing policies to control the use of cloud services. They should be treated like any regular application. This means your cloud policy should state that no one is allowed to use a cloud service before a business case for its use has been approved and a risk assessment carried out. This will put the security team back in control and in a better position to prevent the leakage or inappropriate use of sensitive information.
For those in a situation of having to play catch-up, a good starting point would be to poll all employees with Internet access and ask them which cloud services they use, what for, why and how often. It's also important to ask which services they prefer and why. While completing this survey, analyze your network logs to build up a factual record of who uses what cloud services and how often. With these two reports, you should be able to get a handle on how cloud services are being used and for what purpose.
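The log analysis step above can be automated. The following is an added example, not code from the original answer or from any product it mentions: it parses constructed proxy-log lines (the format, the service list and the "sanctioned" set are all assumptions a security team would maintain themselves), maps each request to a known cloud service, and reports which users use which service, how often, and how much data they upload to services that have no approved business case.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines (not from the original page) in an assumed
# authenticated-proxy format: timestamp, client IP, username, method, URL, bytes sent.
SAMPLE_LOG = """\
1700000000.123 10.0.1.15 jdoe POST https://www.dropbox.com/upload 524288
1700000001.456 10.0.1.15 jdoe GET https://www.dropbox.com/home 2048
1700000002.789 10.0.1.22 asmith POST https://docs.google.com/document/d/abc/save 8192
1700000003.012 10.0.1.22 asmith GET https://intranet.example.org/ 1024
1700000004.345 10.0.1.37 bjones POST https://api.box.com/2.0/files/content 1048576
1700000005.678 10.0.1.15 jdoe GET https://news.example.com/ 4096
1700000006.901 10.0.1.48 ckim PUT https://wetransfer.com/api/v4/transfers 2097152
"""

# Assumed catalogue of cloud services, keyed by domain suffix; a real team
# would maintain this list (or pull it from a CASB/proxy vendor feed).
KNOWN_SERVICES = {
    "dropbox.com": "Dropbox",
    "google.com": "Google Docs/Drive",
    "box.com": "Box",
    "wetransfer.com": "WeTransfer",
}

# Assumption: services that already have an approved business case and risk assessment.
SANCTIONED = {"Google Docs/Drive"}

# HTTP methods that carry data out of the network; GETs are counted as usage but not as uploads.
UPLOAD_METHODS = {"POST", "PUT"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<bytes>\d+)$"
)


def classify(host):
    """Map a hostname to a known cloud service name, or None if it is not in the catalogue."""
    host = host.lower()
    for suffix, name in KNOWN_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def summarize(log_text):
    """Aggregate per-service usage: distinct users, request count, bytes uploaded, sanctioned flag.

    Malformed lines and requests to hosts outside the catalogue are skipped, so the
    result is a factual record of cloud-service usage only.
    """
    usage = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        service = classify(host)
        if service is None:
            continue
        rec = usage.setdefault(
            service,
            {"users": set(), "requests": 0, "upload_bytes": 0, "sanctioned": service in SANCTIONED},
        )
        rec["users"].add(m["user"])
        rec["requests"] += 1
        if m["method"] in UPLOAD_METHODS:
            rec["upload_bytes"] += int(m["bytes"])
    return usage


def unsanctioned_uploads(usage, min_bytes=0):
    """Names of services without an approved business case that received more than min_bytes of uploads."""
    return sorted(s for s, r in usage.items()
                  if not r["sanctioned"] and r["upload_bytes"] > min_bytes)


def report(usage):
    """Human-readable lines, largest upload volume first, for the risk-assessment meeting."""
    rows = sorted(usage.items(), key=lambda kv: kv[1]["upload_bytes"], reverse=True)
    return [
        f"{name}: {len(r['users'])} user(s), {r['requests']} request(s), "
        f"{r['upload_bytes']} bytes uploaded, {'sanctioned' if r['sanctioned'] else 'UNSANCTIONED'}"
        for name, r in rows
    ]


if __name__ == "__main__":
    usage = summarize(SAMPLE_LOG)
    for line in report(usage):
        print(line)
    print("Unsanctioned services receiving uploads:", ", ".join(unsanctioned_uploads(usage)))
```

Two caveats apply to real logs. First, usernames are only present if the proxy authenticates users; otherwise you are left correlating client IPs with DHCP or directory records. Second, for HTTPS traffic a non-intercepting proxy sees only the CONNECT hostname and byte counts, not the method or path, so the upload heuristic above degrades to "bytes sent to this host" unless TLS inspection is in place, which itself needs a policy and privacy review.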
The next task is to carry out a risk assessment to see if any of the most popular services can be justified and how they may be safely used. This will involve looking at the cloud provider's service-level agreement and assessing how tight and well defined their security policies are. Certainly any service featuring weak password security should be ruled out given you are in the medical industry.
If senior management does decide that select employees can benefit from using certain cloud services, you will need to develop a policy that clearly states what they can and can't do and what types of data they can use in the cloud. All employees will need security awareness training to ensure they're aware of the new rules and responsibilities in place.
To back up this new policy, I would strongly recommend deploying a data loss prevention (DLP) product to detect and prevent the unauthorized use and transmission of confidential information outside of your network. There are several DLP products that specialize in protecting electronic protected health information (ePHI), such as the Websense Inc. Data Security Suite and Trend Micro Inc.'s Enterprise Security. Your cloud policy will be far more effective at protecting your data if employees know data usage is monitored and any violations will be picked up.
It may sound as if I am against cloud computing, which I'm certainly not. Large cloud providers have highly distributed, robust systems, often providing better security and disaster recovery than many organizations can deliver themselves. But like any IT service, it needs to be used under the control of a rigorous and enforced security policy.
Related Q&A from Michael Cobb
- How an HTTP referer header affects user privacy, and changes that can be made to ensure sensitive data is not leaked
- The difference between the REESSE3+ and IDEA block ciphers, and when each is applicable in an enterprise setting
- Why cookies are a privacy concern despite being critical to personalized Web content, and how adding Bloom filters to cookies can help