Finding The Hidden InfoSec Story

Cleavage and Clouds

Photo Credit: jeffbalke via Compfight cc

One thing up front: This is not, in case you were hoping, an attempt at adult InfoSec fiction.

Rather, it should resonate with anyone using, or planning to use, cloud solutions and anyone who’s seen or heard of a celebrity being caught unawares by paparazzi. If you’ve ever registered the latter, you probably thought one of the following:

“Serves them right for behaving like a moron” or
“Poor sod, that’s their career over”

On the other hand, you might have spotted the story, but not summoned the energy to care. That’s almost certainly because a red hot PR machine sprang into action to spin it just right and then make it disappear.

If you have an example in mind, keep it there while reading on.

—————————————————————————————————————

Clouds and Cleavage

When deciding what to wear on a night out, if a woman has any social awareness, she will want it to be appropriate for the occasion.

Sometimes, with some groups, it will be ok to wear that shorter skirt. Sometimes it may even be ok to give the girls a bit of an airing, but the bits in between are strictly reserved for a very limited audience.

Make the wrong choice and you lose control over your image in the eyes of those present and if cameras are around, you may lose control of your image all together. It is hard to build a reputation, but even harder to rebuild one if you mistakenly expose yourself in the wrong circumstances.

The same is true for your cloud usage choices. What do you want to expose in the cloud? Not all cloud environments, like not all crowds, are equal.

You’re fairly free to expose what you choose in your own house, where you have the keys, do all the decoration, plan and host your own parties and have full control over who visits. Like a private cloud offering in your own, or dedicated managed, data centre.

Then there are other meeting places, where you hire a room, pick the décor, pick the food, pick the music, dictate your guest list and your preferences for the door policy, but you won’t know who else is in the building. Something like a co-location facility, or dedicated space from an Infrastructure as a Service (IaaS) provider.

At yet another level, there are rooms where you can choose the entertainment and your guest list, but the rest is laid on for you. Again, you could be in the room right next to a tabloid media convention, but that’s the risk you take. A Platform as a Service (PaaS) arrangement.

Stepping down another level of control, there are niche venues, with more or less selective guest lists, door policies and facilities and with a wide variety of entertainment. You can choose who you bring with you and they’re cheap, unless you start changing things. You can hire the VIP area, or dictate the music, but it will cost you. Think Software as a Service (SaaS).

Then, at the other end of the scale, there are the large public venues, often with a lax or non-existent door policy, where you have no control over anything except how you present yourself and behave. That’s your social media.

Swinging back to clothing choices, what will you wear? What will you put on show?

The cleavage question is about image, appropriateness and privacy. The legs question is the same.

The fallout from a clothing malfunction, or an otherwise inappropriate clothing choice, will depend on your brand and the circumstances surrounding the exposure. How public was it? Were there cameras? Was it a loyal audience, or were there enemies in the room (or with access to it), who have an interest in embarrassing you?

Showing anything else, anything intimate, is too big a risk for anyone who values their reputation. Even in your own home, the bathroom has a lock on the door. On the same basis, layered defences should exist in your own data centres and servers to protect your secrets.

As a business, it’s not just you who can be humiliated. If customers and partners trust you with their sensitive data, you’re effectively in charge of their reputation too.

That’s why data classifications, cloud strategies, cloud usage policies and associated controls exist. Everyone in your business who interacts with data will have subtly (or less subtly) different attitudes to privacy and confidentiality. With the undeniable and growing power of generation Y, who see information sharing as a way of life, educating users and aligning your expectations has never been more vital.

Analogies like this can help, but you are going to have to adapt to an increasingly cloud hosted world.

Either you pay through the nose for venues you can control, or you make sure you know all about the controls around hired rooms and open venues before you turn up. Understand the door policy, clientele and whether the entertainment is right for you. In essence:

a) Whether it’s somewhere you want to be seen at all, given your public image and the risk of harmful interactions, and

b) If you are going, what you wear to maintain that image (bearing in mind the nature of the environment) and how you will behave to keep the risk of inappropriate or accidental exposure to an absolute minimum.

The enormous initial and high on-going costs associated with buying/hiring, staffing, equipping, configuring, protecting and maintaining a dedicated hosting facility are powerful drivers to investigate cloud options. The advantages are undeniable: speed to production, rapid scalability, recoverability, cost and… well… cost. But that can never, ever be divorced from the potential damage to your reputation and to others who have tied their reputation and financial welfare to yours.

You might have no reason to expect a clothing malfunction, or, if there is one, paparazzi to be there with cameras at just the right angle. Or, god forbid, you’re at an overseas do and unwittingly contravene a local decency law. However, all the cleverest operators do their research, know how to avoid places and clothes that increase risks and, if something does go wrong, they have a smart entourage to keep the noise and fallout to a minimum.

Can you say the same about your cloud solution choices, cloud usage choices and the security due diligence, on-going assurance and incident management you have in place?

Your best bet is to have a well-known plan for different options and circumstances (aka a cloud policy), something that all stakeholders understand and sign up to. A document that is explicit about what is and isn’t a tolerable risk and the related oversight and controls that need to be in place.

Build your entourage, specialists who understand the different environments (including cross-border privacy legislation) and can advise on appropriateness of different degrees of exposure. Enable them to assess your risks before you ever accept that invitation, or in the business world, sign that contract. Then support them to assess your risks, against agreed benchmarks, for the lifetime of your agreement.

It’s easy to be seduced by a cheap ticket to a glitzy function, especially if most of your peers have already RSVP’d, but as all smart women will tell you, you don’t pick an outfit and rock up somewhere new, without first understanding what’s what, and when you get there, keeping your wits about you.

—————————————————————————————————————

This is my entirely personal take on the risk of brand damage if sharing anything sensitive in the cloud. It doesn’t delve into other key considerations like availability, interoperability with existing systems, or how the heck you trace data once it’s out there. Perhaps things for a future analogy.

Returning, finally, to that newsworthy celebrity incident I asked you to think about. Put your company in their place. Imagine something has gone badly wrong operationally, or data has gone missing from one of your cloud hosted services. Ignore legal recourse for a moment. Lawyers can repair your balance sheet, but can’t do anything about loss of customer or partner confidence.

What would the fallout be? Would it be a well spun flash in the pan or an avalanche of headlines in the mainstream press? If you are confident you could keep a lid on things, how likely is it to happen again? Could you spin it the same way twice?

Leveraging cloud solutions is not wrong and is very far from insecure, if done with the right planning and oversight. There are also great resources out there to help you understand your risks. The Cloud Security Alliance is a good place to start. But do get a handle on things soon. Shadow IT isn’t all media hype. If you don’t agree and share your policy for cloud usage soon, your staff, seduced by the scent of cheap, quick and easy, will decide their own.

Author: Sarah Clarke
