Laxity on cloud storage could see data disappear
An information security expert has told a Geelong business forum of the hidden dangers in outsourcing company data to the cloud.
Strategic security adviser Craig Horne said businesses had no visibility of a range of possible back-to-back agreements involving server hosts that could make the data vulnerable.
“They could be backing up your data overseas,” Mr Horne said. “There is a risk of loss of control … unless you can control it with your terms and conditions and legal agreements.”
Mr Horne, the Australian Computer Society vice president, was the guest speaker at the event hosted by eHealth Information Security and Privacy Services and Xtreme Technology at The Village Geelong on Wednesday.
He said there was a case for outsourcing data storage but it should be done according to an information security strategy involving a proper risk assessment.
“Organisations can take a risk-based approach to information security and think about, ‘What are our crown jewels inside the organisation?’” he said.
“What’s the key information that we need to achieve our vision and mission over the next five years and do we need to protect that information?
“Once they know what their key trade secrets are, that will inform them on whether that can be stored on outsourced infrastructure.”
Mr Horne presented a framework for working through information security strategy, which he said was an under-researched area.
The process for selecting a security strategy included information discovery profiling and classification, analysis of information for strategic value, and assessment of outsourcing constraints.
“Not all information needs to be high value,” Mr Horne said. “You can choose to have low-value data stored in your organisation.”
He said company executives should prepare a report identifying the key bits of information within the organisation and put forward a strategy for the future direction of the safekeeping of that information that could be approved by their board.
“That then informs funding decisions and other decisions that are made at an operational level within the organisation,” he said.
Those decisions could be on data storage, access of external contractors, use of external infrastructure, the kind of non-disclosure agreements it needed and whether employment agreements needed to be reshaped to stop employees going to work for a direct competitor and “sharing the information hosted in their brains”.
He said outsourcing data storage made sense for some companies, particularly smaller organisations.
“Most business leaders I speak to would agree that what Microsoft is doing to secure its environment is far greater than what a small to medium enterprise can do to protect their information.”