This week has seen the debut of a new cloud security certification from (ISC)² and the Cloud Security Alliance with an emphasis on individuals rather than organisations. The Certified Cloud Security Professional (CCSP) will help ensure that IT workers have the knowledge and skills to audit, assess and secure cloud infrastructures. This move is to be applauded.
It has long been accepted, but not overly publicised, that the biggest data security risk to any organisation is the people working within it. Most of the time, security breaches are caused by human error in making decisions or taking the wrong course of action rather than through any planned ill intent. This is actually true of any situation – not just data security, as evidenced by a recent experience suffered by a friend.
A few weeks ago I received the phone call that many of us secretly dread, the 24th hour plea from a friend who was moving apartment at short notice. Having cancelled all my plans, and warmed the leg muscles up ready for six-plus hours of back-breaking stair climbing, I arranged to meet my friend at the communal storage facility to collect his belongings. As the door was opened, we soon realised that his personal contents had been reduced somewhat. When he had delivered his belongings for storage, the facility was almost full to the brim with boxes and he had to make room for his possessions by playing a human version of Tetris before being able to fit his boxes in.
Yet here he was now faced with a half full facility and a depleted number of his own carefully packed cubes of cardboard. He immediately called the facility’s management to request an explanation. The explanation was simple: “One of the other customers must have taken them by mistake, I can try and contact them to recover them for you but I wouldn’t hold much hope as we warn that you must clearly label the boxes to avoid this from happening.”
Ashen faced, my friend then spent the next hour shaking his head and ruing the day that he had chosen the quick and easy option for his most valued possessions. He had selected the storage facility based upon cost, location and that it ‘seemed like a good idea given the timescales.’ In making his decision, he had given no thought to the perils of a shared facility, nor to how irreplaceable his possessions were and how much their loss would personally cost him. He had no option to challenge the facility owner as he ‘accepted the clear terms of personal risk’ when signing the agreement.
Hindsight is a marvellous thing but he admitted that he had made a huge mistake.
Now if you replace my friend’s possessions with your corporate data in this tale of woe, you can start to see why I welcome the new certification’s emphasis on the individual.
If you use a shared space within the public cloud to house your data, alongside every other Tom, Dick or Harry, there is a clear risk that someone else’s actions could affect your business’s data security.
Yes, the public cloud is relatively inexpensive, simple to set up and readily available but these conveniences could result in far less control over three key factors. Firstly, who has access to your data? Secondly, where is your data stored? And lastly, what are your rights should anything go wrong? Add in the further complication and confusion that up to 40% of your employees might be using public cloud services without your knowledge or control (as a recent survey revealed) and you really do have all the ingredients for a potential fail.
So as I advised my friend – rather helpfully post the event – it would have made better sense to have taken a wee bit of time to have reviewed his needs, sought options and then made an informed choice based on all the facts available to him at the time, rather than simply plump for the first and seemingly easiest option.
And it’s advice that I would advocate anyone making a step into the cloud takes. The cloud isn’t insecure but the people using it might be!
Digital & Social Media Coordinator