Santander recently announced its intention to offer cloud storage to its business customers. Speaking in an interview with the Financial Times, the bank’s chairman Ana Botín explained Santander’s view that providing secure storage for information is a natural step for banks. After all, they’ve been looking after our money for years so you’d hope they might have picked up more than a few security pointers in that time. "One of the things that banks have is trust and resilience and, with all the cyber risk, that is incredibly important," Botín said.
This is a smart commercial decision. Some commentators have suggested that this cloud storage offering arose from Santander’s wish to build its own internal cloud storage solution to enable more control of its own data in the cloud. Once built, it then made commercial sense to offer the service out to customers to drive revenue.
It’s hard to argue with that reasoning, but most organisations don’t have the resources or the inclination to build their own cloud storage solution from scratch. As regulations on data protection are scrutinised and updated, all companies want greater control over their data – although most stop short of building their own cloud storage solutions or gigantic data centres.
So for those businesses, here are five practical tips for safely enabling the cloud storage apps already on the market:
1) Secure sensitive data in corporate cloud storage
Many businesses choose to standardise on a cloud storage solution like Box, Dropbox, Egnyte, Google Drive, or Microsoft OneDrive. If that’s the case, start by getting your arms around your sensitive content in that app.
Netskope data shows that eight percent of files in corporate cloud storage apps violate a data policy – for example, they might be customer payment or health information, or source code. Of that eight percent, one quarter have been shared outside of the organisation. Scary thought, isn’t it?
2) Standardise on one app (or cut down to just a few apps)
For businesses that haven’t standardised on a single cloud storage solution, select one based on employee feedback and how well it meets organisational requirements.
Of the 28 cloud storage apps in the average enterprise, only about one quarter are enterprise-ready. This figure is based on Netskope’s objective criteria adapted from the Cloud Security Alliance checklist of security, auditability, and business continuity measures.
3) Monitor usage across the category
As well as discovering apps in use, organisations must also monitor activity within these apps to build a full picture of the potential risks posed. This means monitoring data in transit to and from corporate apps, but also across any unsanctioned apps in use within the corporate environment. It’s also important to monitor for risky or unusual activity, as well as app access by employees who have had credentials compromised in a data breach.
4) Secure the ecosystem
Next, think about the ecosystem of cloud apps that sit around or integrate with your corporate cloud storage solution. Some examples are apps that allow secure document signing, enable efficient project management or make data visualisation possible. There are tens of apps in any organisation’s ecosystem which help the business run more smoothly, either by sharing data with your corporate cloud storage app or by forming solutions with it. These are undoubtedly useful to the business, but the flipside is that some of those apps may not be enterprise-ready. And if they aren’t on the organisation’s radar, the IT department may not have the same ability to manage these apps or enforce policy in them as it does in sanctioned corporate cloud storage solutions.
5) Think of your users as clients or partners
Ideally the IT department should be able to treat its users as clients. Users have a job to do, and often they have little interest in security: put simply, they just want to get the job done as efficiently as possible. If the IT team can do the thinking on behalf of its users, this provides employees with the freedom to work however they want, without compromising security. In practical terms, this means letting the business operate however it wants but asking the IT department to lead on security decisions. For example, the business chooses an app it would like to use, then IT enables that app to be used safely by enforcing granular policy and coaching users away from risky behaviours. In this way, employees are empowered to work however they want, without posing a security threat.