(Forcepoint, Oct 2018) The promises of the cloud include enhanced collaboration, easier access to information, and reduced cost and complexity. But there is a downside. When your data resides in the cloud, you lose some ownership and control of that data.
But that lack of ownership and control doesn’t change the requirement to protect information assets and ensure compliance.
Compliance can have different meanings, depending on your business function or the internal or external regulations that apply.
External compliance requirements, dictated by governments, organisations, and industries, typically focus on privacy. PCI DSS is a great example. Whereas internal compliance is usually more focused on protecting valuable data such asintellectual property, strategic plans, and business records.
Developing Compliance Policies
Compliance programs are rooted in managing the interactions of people, data, and critical IP while adhering to federal and state regulations and laws. An increasingly critical component of the business landscape, compliance programs are also challenging to establish and maintain.
Policies form the cornerstone of an organization’s compliance and security program, but developing good policies takes time. The first step to developing compliance policies is to create classifications for data, users, and applications to define interactions. Before classifications can be developed, you must determine the relative value of each asset to the organization.
Data Classifications – What classifications of data will you allow to be created, manipulated, and stored in the cloud? Who may access data in each classification, and under what circumstances?
- Establish data classifications that map to organizational impact.
- Establish data types that map to functional utilization such as sales reports and marketing artifacts.
- Establish a matrix of classification types and determine eligibility of each element for use in a cloud setting, along with any required safeguards that inform eligibility, e.g., the absence of public file sharing.
- Determine authorized users of the data and permissible actions, such as access, delete, and storage constraints by time, date, geography, and device.
- Determine response and remediation to actions inconsistent with policies created.
- If theft, destruction, or corruption of data in a classification represents risk to maintaining compliance, establish safeguards to evaluate and make a final determination of the risk/reward of that data classification residing in the cloud.
User Classifications – What specific actions can a user perform—such as create, share, and modify—with certain types of data, and under what circumstances?
- Establish group and user classifications that map to authorized data use.
- Establish acceptable usage parameters for each user and data matrix element considering action (e.g., create and delete), geography, chronology, and device (including device characteristics).
- Determine policy exceptions based on organizational needs such as business travel, specific roles, and individuals.
- Identify user behavior that may indicate either unintentional risky behavior or potentially malicious activity and determine the triggers and responses that correspond to risk levels using an “If-Then” approach.
Application Classifications – What cloud apps will you allow, and how will you apply data policies to their use?
- Clearly identify what constitutes a user application, in contrast to a passive website.
- Establish acceptable application risk metrics based on regulatory requirements, industry certifications, and internal benchmarks. Pay attention to data manipulation capabilities like sharing, auditing, and change control over actions like deletion.
- Establish acceptable usage parameters for each user application matrix element that considers type of application, geography, chronology, device, and device characteristics.
- Establish acceptable simultaneous use of applications with additional considerations for corporate and personal accounts.
- Establish application approval policies for new applications, including the classes of applications that will NOT require approval.
- Determine response and remediation to actions inconsistent with created policies.
Getting these policies right from the beginning takes time and resources, but it’s a necessary investment. Without them, you risk exposing your critical information and facing the negative consequences of failing a compliance audit. For more information on cloud security and compliance, watch the Forcepoint webcast: Mastering Policy Setting and Control in the Cloud.