At the moment, it sounds like a situation of free-for-all chaos with no oversight in place. Hopefully, employees are not allowed to download and install any software they choose, so why let them use unapproved services?
The first thing that should be done is to bring all cloud usage by your employees under control. If you are in a medical environment, you cannot risk being non-compliant with regulations such as HIPAA when it comes to handling sensitive data; the potential fines and the damage to your reputation could be crippling.
Implementing cloud governance involves establishing and enforcing policies to control the use of cloud services. They should be treated like any regular application. This means your cloud policy should state that no one is allowed to use a cloud service before a business case for its use has been approved and a risk assessment carried out. This will put the security team back in control and in a better position to prevent the leakage or inappropriate use of sensitive information.
For those in a situation of having to play catch-up, a good starting point would be to poll all employees with Internet access and ask them which cloud services they use, what for, why and how often. It's also important to ask which services they prefer and why. While completing this survey, analyze your network logs to build up a factual record of who uses what cloud services and how often. With these two reports, you should be able to get a handle on how cloud services are being used and for what purpose.
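As an added illustration of the log-analysis step (this is example code, not part of the original answer), the script below builds the "who uses what, and how often" record from proxy logs. The log format, the domain-to-service mapping, the approved-service list and the sample records are all constructed assumptions; a real deployment would feed it the organisation's own proxy or firewall logs and a service list maintained by the security team.

```python
"""Inventory cloud-service usage from proxy logs (added example, constructed data)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in a simple proxy-log shape: timestamp, user, method, URL, status.
# These are illustrative records, not real log data.
SAMPLE_LOG = """\
2011-02-01T09:12:03Z alice GET https://www.dropbox.com/home 200
2011-02-01T09:13:41Z alice PUT https://dl-web.dropbox.com/upload/report.pdf 200
2011-02-01T09:20:15Z bob GET https://mail.google.com/mail/u/0/ 200
2011-02-01T10:02:59Z carol POST https://api.box.com/2.0/files/content 201
2011-02-01T10:05:00Z bob GET https://docs.google.com/document/d/abc 200
2011-02-01T11:30:22Z dave GET https://intranet.example.org/wiki 200
2011-02-01T11:31:05Z alice GET https://www.dropbox.com/home 200
"""

# Hypothetical mapping of domain suffixes to service names (constructed for the example);
# in practice the security team maintains and extends this list.
SERVICE_SUFFIXES = {
    "dropbox.com": "Dropbox",
    "google.com": "Google Docs/Mail",
    "box.com": "Box",
}

# Hypothetical approved-service list from the cloud policy (constructed).
APPROVED_SERVICES = {"Box"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_host(host):
    """Return the service name whose domain suffix matches host, or None if not a known cloud host."""
    host = host.lower()
    for suffix, name in SERVICE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse_line(line):
    """Parse one log line into a dict with the host extracted; None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def inventory(log_text):
    """Count requests per (user, service); PUT/POST are counted separately as uploads."""
    usage = defaultdict(lambda: {"requests": 0, "uploads": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        service = classify_host(rec["host"])
        if service is None:
            continue  # internal or unknown host, not a cloud service of interest
        entry = usage[(rec["user"], service)]
        entry["requests"] += 1
        if rec["method"] in ("PUT", "POST"):
            entry["uploads"] += 1
    return dict(usage)


def unapproved(usage):
    """Sorted (user, service) pairs where the service is not on the approved list."""
    return sorted((u, s) for (u, s) in usage if s not in APPROVED_SERVICES)


if __name__ == "__main__":
    inv = inventory(SAMPLE_LOG)
    for (user, service), counts in sorted(inv.items()):
        print(f"{user:8} {service:18} requests={counts['requests']} uploads={counts['uploads']}")
    print("Unapproved:", unapproved(inv))
```

The upload count matters more than the raw request count when you cross-check the survey answers: a user who only reads a service is a different risk from one pushing files into it, and the unapproved list is the starting point for the risk assessment that follows.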
The next task is to carry out a risk assessment to see if any of the most popular services can be justified and how they may be safely used. This will involve looking at the cloud provider's service-level agreement and assessing how tight and well defined their security policies are. Certainly any service featuring weak password security should be ruled out given you are in the medical industry.
If senior management does decide that select employees can benefit from using certain cloud services, you will need to develop a policy that clearly states what they can and can't do and what types of data they can use in the cloud. All employees will need security awareness training to ensure they're aware of the new rules and responsibilities in place.
To back up this new policy, I would strongly recommend deploying a data loss prevention (DLP) product to detect and prevent the unauthorized use and transmission of confidential information outside of your network. There are several DLP products that specialize in protecting Electronic Patient Health Information (ePHI), such as the Websense Inc. Data Security Suite and Trend Micro Inc.'s Enterprise Security. Your cloud policy will be far more effective at protecting your data if employees know data usage is monitored and any violations will be picked up.
It may sound as if I am against cloud computing, which I'm certainly not. Large cloud providers have highly distributed, robust systems, often providing better security and disaster recovery than many organizations can deliver themselves. But like any IT service, it needs to be used under the control of a rigorous and enforced security policy.
This was first published in February 2011