- Posted by: Malcolm
- Category: Business / General
© This article is copyright to Communicat Business Solutions Pty Ltd, all rights reserved. Information in this article may be quoted freely provided it is attributed to Communicat Business Solutions Pty Ltd.
Cloud Computing Policy
We advise our clients to issue the following statement of policy (or similar) to staff on the topic of Cloud Computing:
“[Your organisation name] wishes to advise all staff of our policy that our data must only be stored on systems or devices that are within the security control of our organisation. Consequently, data must not be stored on public cloud computing and data storage websites unless prior written approval has first been obtained from [name authorising person e.g. Managing Director / General Manager]. Data must also not be stored on USB devices or personal computing devices that are outside our organisation’s sphere of data security management.
The confidentiality of our commercial information is extremely important to our organisation. There have been many announcements in the media regarding security breaches with Cloud Computing. These breaches recur on a regular basis and are an indication of the inherent security flaws of the Public Cloud.
Examples of Cloud Computing and Data Storage methods that are not permitted include Microsoft Windows Live (www.live.com), Dropbox (www.dropbox.com), YouSendIt (www.yousendit.com) and Google Docs (www.docs.google.com).
Instead of using the Public Cloud, it is our intention to use a Private Cloud strategy, based on Microsoft SharePoint and similar Private Cloud technologies, whereby security can be controlled within our organisation.
If you have any questions in relation to this policy, please speak to [person’s name].”
What is “Cloud Computing”
Cloud Computing refers to data management and storage on an internet-connected system, so that the information can be accessed by an internet-connected device. Examples of the “Public Cloud” include Dropbox, YouSendIt, Google Docs, Microsoft SkyDrive, etc. An example of the “Private Cloud” would be Microsoft SharePoint.
For a complete description of Cloud Computing, refer to the Wikipedia page: http://en.wikipedia.org/wiki/Cloud_computing. “The Cloud” service model has evolved quickly and there are now thousands of cloud service providers. In this article we are mainly focusing on the Cloud as a data storage service.
There are generally two types of cloud… the “Public Cloud” and the “Private Cloud”.
The “Private Cloud” refers to the hosting of data within a single organisation, e.g. your own company, and making that data accessible to multiple locations and devices operated by authorised persons, e.g. your own staff. The leading technology infrastructure for the Private Cloud is Microsoft SharePoint.
Background – Should I be concerned about the cloud data storage issue?
During the past few years major changes have evolved in the way users want to access their data files. Users want the convenience of accessing their files over the internet from a variety of locations and using multiple devices, e.g. accessing data from work, home and mobile and also using different devices e.g. iPads, mobile phones, etc. “The Cloud” has emerged as a method to meet this need for multiple ways to access data.
As with any innovation, there are advantages and disadvantages of “The Cloud”. Plus there are different types of cloud services which vary with regard to the benefits and disadvantages provided by each service.
In the case of storing a person’s own private information in the cloud, it is up to each individual to make their own independent assessment regarding the degree of risk and to weigh up the risks versus the benefits of cloud storage. Each individual makes their own decision and is responsible for the consequences.
In the case of information which is owned by an employer, it is strongly recommended that employees should first seek clear instruction from their employer before storing any data in the cloud. Where an employee stores their employer’s data in the cloud, it is highly likely that they are inadvertently breaching their duty of care to their employer. Such a breach of confidentiality is a serious matter and could lead to termination of employment. Therefore it is important that employees are aware of their obligations. It is also important that employers are pro-active in providing clear instructions to their staff to prevent them inadvertently placing commercial data at risk.
Many people discover the convenience of the cloud from their experience in storing personal information on cloud services, e.g. their personal contact database, photos, email, spreadsheets, etc. with the benefit that the user can then access this data from a variety of devices. Once a user becomes “hooked” on the cloud for their personal data storage, it is only a short step to an individual then extending this approach and placing their employer’s business files in the cloud. In doing so, they are almost certainly (albeit inadvertently) breaching their employer’s (explicit or implied) security policies.
Let’s recap on the duty of care and obligations of employers and employees in relation to confidentiality…
Employees have a duty of care to protect the confidentiality of their employer’s business information, both in order to protect commercial-in-confidence information and also to comply with their employer’s legal obligations under privacy laws.
Australia has privacy laws which require organisations and individuals to take precautions to protect the privacy of information about individuals. It is also an explicit requirement of most employment agreements that employees must not compromise the confidentiality of commercial information. Even for employees who have not signed employee agreements, there is an implied expectation that the confidentiality of their employer’s information will be respected by the employee, and that the employee will cooperate with their employer’s obligations under privacy laws.
Our advice to employees is: before placing any of your employer’s data in the cloud, you should first request written approval from your employer. Most employers will either refuse to allow business data to be stored in the cloud, or will place stringent conditions on cloud storage.
If you go ahead and store your employer’s data in the cloud, without first gaining permission from your employer, it could well cost you a formal warning from your employer, or may cause you to lose your job.
How secure is the Public Cloud?
There have been numerous breaches of security in the public cloud, including some of the leading cloud service providers. If you google “Cloud Security Breaches” or “How Secure is Cloud Computing” you will be able to view the latest major breaches.
For example, recently Dropbox pushed out a system update which inadvertently allowed anyone to log into any Dropbox account without a password. This is just one of many major security breaches emanating from cloud service providers.
The simple fact is that the public cloud is not secure. Communicat strongly recommends that our clients should not use the Public Cloud for confidential information. Commercial use of the public cloud should be limited to information that is publicly available, as defined by the management of your organisation. For example, you may find some advantage in using the public cloud to store your product brochures or instruction manuals.
What is the Private Cloud – The safe way to gain the benefits of cloud data storage whilst avoiding the downside
It is possible to gain the advantages of the cloud without the downside risks. This can be achieved using the Private Cloud method.
The private cloud is provided for a single organisation. It may be managed within an organisation or management may be outsourced to a specialist support service provider. In either case, security is controlled by your own organisation.
Currently one of the major providers of the Private Cloud is Microsoft with their SharePoint application. SharePoint is typically deployed to provide a wide range of data storage and information management within a web portal environment.
SharePoint and the Private Cloud offer some major improvements over the public cloud:
- Security is controlled by your own organisation and/or your appointed IT support company (e.g. Communicat).
- The user interface, workflows and applications can be tailored to the needs of your organisation.
- Multi-level security can be implemented, e.g. different users can have access to different functions, workflows and data within the SharePoint system.
Summing up – What is the future of the Cloud – Public Cloud v. Private Cloud
The emergence of the cloud concept has led to some people over-simplifying the situation and saying that “The Cloud is the way of the future”. There is no doubt that the Public Cloud will continue to grow, but the most important development from a business perspective is the emergence of the Private Cloud as a secure method to provide information access. The Public Cloud will continue to be relevant for individuals and for very small organisations who cannot justify investing in setting up a secure cloud service. For most organisations, the Private Cloud will be a much more important information management method.
The Public Cloud offers many enticing benefits… it is available at a low cost and provides portable access to information. The downside of the Public Cloud is that it comes with some major risks.
Benefits of the Private Cloud
The Private Cloud offers all the benefits, without the downsides of the Public Cloud.
- The Private Cloud can be tailored to provide secure access control over who can access your data. With the Private Cloud your data access is managed by persons you know, employees and your contracted IT support company. You can gain a much higher level of protection against security leaks and other risks inherent in the Public Cloud.
- Once a user has authenticated access to your Private Cloud, the second issue to consider is what level of access should be granted to an individual employee. One of the benefits of the Private Cloud is that you can control the level of access permitted for each individual. For example, you want to allow all of your employees to access information about your organisation’s policies, and to access an online form to apply for annual leave. Some of your users may be permitted to access information about your customers in the NSW region, whereas other users may be given access to your customers in Victoria, or to their team’s Payroll/Human Resources data.
In short, the Public Cloud has many inherent risks. You may wish to dabble with the Public Cloud as a means to familiarise yourself with the topic and then consider how you can benefit from using the cloud, but you should not use the Public Cloud for confidential data.
The Private Cloud is the only Cloud method that can meet the security needs of an organisation.
If you have any questions please call Communicat on (03) 9320 0000 or email firstname.lastname@example.org