By Dana Simberkoff, Vice President, Risk Management & Compliance, AvePoint.
For most organisations worldwide, it’s no longer a matter of “if” they will move to the cloud but rather “what” they will put in the cloud. Keeping everything on-premises within the walls of an organisation is unrealistic. Cloud is part of more and more IT business strategies, at least judging by the rapid spending on cloud-related services. According to a recent IDC study, public cloud services spending will reach $98 billion USD in 2016, with a compound annual growth rate five times that of the IT industry overall.
Why? Companies are constantly looking for ways to do more, to collaborate better, to create more product, to continue pushing the revenue needle forward – all the while enabling an increasingly global workforce. Cloud computing offers many advantages to technology providers and their customers, allowing companies to invest far less in infrastructure and resources that they must host, manage, administer and maintain internally. Instead, they can invest in the advanced applications they build on an externally hosted and fully redundant environment that they can access at a fraction of the cost. The appeal is not just saving on what are traditionally capital expenditures on hardware, but even more so business agility. The business landscape has never been more competitive, and every enterprise is looking for an edge. Judging by the numbers, many believe utilising the cloud to manage enterprise systems and content with repositories such as Microsoft SharePoint Online will help pave their way to victory.
With this great reward, however, comes great risk. Hosting SharePoint through Microsoft Office 365 could reduce cost and improve global access to content. However, for organisations subject to regulatory requirements (and that’s essentially every organisation today regardless of size, vertical, or geography), the move to the cloud isn’t without risk. Enterprises have tremendous concerns about storing business data outside their own walls because it means relinquishing control – control of information, user access, authentication, and data exposure (whether intentional or accidental) of sensitive personally identifiable information, classified information, or otherwise non-compliant content.
So you accidentally let someone take a peek at the wrong data – how much harm can that data breach possibly do? About $5.4 million USD worth, according to a recent study by Ponemon. The study found that the average organisational cost for a single breached record – a document, user ID, email, email address – is $188 USD. Think about the number of emails clogging up your own inbox, and documents in your shared drive right now … it adds up very, very quickly.
Before you call the sales representative who is selling you a cloud platform and tell her no thanks, consider this: there is a way to gain value from cloud computing while addressing compliance concerns. Many companies are offloading select content or workloads into the cloud and keeping their most regulated content on-premises. You won’t be alone in following this approach: a report by IDC found that 80 percent of the world’s 2,000 largest companies will still have greater than 50 percent of their IT onsite by 2020.
So, what’s your move to start the migration from your old on-premises technology platforms to the cloud? Here’s your four-step playbook:
1) Assess existing sites and content. Identify at-risk content and sensitive data within your “as is” on-premises environments – including SharePoint or file share content – that could potentially violate your compliance policy. Perform a risk analysis to understand exposure levels for a defined scope of content, as well as the effectiveness of existing controls, to determine the overall sensitivity of an existing SharePoint environment.
2) Report on and classify content. Implement an effective and realistic compliance program that can be enforced, measured and modified as needed. Identify what data your organisation collects, processes and stores (and where it comes from) and decide on applicable/mandatory privacy and security requirements – what, where, why, and how. Provide information classification based on risk exposure to the organisation. Define minimum content and physical security access controls based on risk classification. Assign metadata and restrict access to sensitive content.
3) Design compliance information architecture. This is your chance to expose, access, and manage all content residing in your network and/or the cloud for centralised document management in SharePoint based on your specific business requirements – such as restructuring permissions, and adjusting access, metadata and security settings of content. Strictly regulate user-generated content to prevent the creation or uploading of non-compliant, harmful content.
4) Determine cloud migration approach. Utilise content and site assessment reports and subsequent tagging to develop a best practices approach to migrate select content and workloads to the cloud. You can do so by identifying cloud-appropriate content for migration with customisable filters based on metadata or content types you established in Step 3. Scan, flag and/or block all content prior to upload to ensure compliance. Detect and make changes to content and/or user permissions and access that violate your policy. Then, just as in any other migration, determine your schedule and project milestones to ensure that the project meets your business needs and keeps your end users focused on what they should be focused on: doing their jobs.
As companies and government agencies increasingly move their applications to a cloud-based infrastructure, they must also understand and fully review the associated privacy and security considerations. Privacy is a global issue, and one thing is certain: even if you build software applications to serve a very specific market segment, you cannot ignore privacy as a fundamental issue that your customers will demand. Change can be hard, but this is a positive change. You’ll be utilising a new way of working in the cloud that can vastly improve your business agility, while keeping traditional hardware costs low and safeguarding your sensitive data. In the meantime, keep your feet firmly planted on the ground as your applications move to the sky!
I am a great believer in cloud services but making unqualified statements like "Keeping everything on-premises within the walls of an organisation is unrealistic." is not a helpful message. The companies that are wary of moving to cloud are also very wary of this kind of evangelism.
For most organizations, hosting their own services has been a realistic choice for many years and the emergence of a new way to do it does not change that. A better statement would have been something like: "Keeping everything on-premises within the walls of an organisation is becoming less attractive".
Other than that, nice article!
To "Assess and classify data" sounds a very neat approach but business will continue to avoid this as it isn't practical. Whilst databases are not too tricky, the general office document content is. Managers or their staff do not have the time to assess every document as secret or not; everything gets bundled together and the easy way out, as there is no penalty, is to say that everything is secret. This defeats any serious exercise. Why would staff be motivated to do anything different? What's in it for them?