This is the next installment of the From Arthur’s Desk series discussing such topics as data loss prevention, compliance and governance and more.
As cloud adoption gathers momentum, many enterprises are making 2014 the year when they decide whether Google Apps, Salesforce, or other providers will supply infrastructures for their vital business processes. They’re learning that these infrastructures represent a new technology paradigm, one leading to different user behavior and a new culture of collaboration and security. If you’re already there, you’ve probably noticed a shift in culture as users and admins become acclimated to storing and using data in a virtualized workspace, sharing rather than sending files, and provisioning their own applications.
Evidence of change is everywhere. Much of IT has shifted its emphasis from technology to people. In many cases, IT no longer manages technology that it builds or owns; today’s job is to facilitate, identifying cloud vendors to support the business. This means finding a computing environment, typically massively virtualized, for users who think in terms of business processes. These processes are commonly modeled on the consumer processes they have become used to. This leads to the second part of the culture shift. For end users, the device and software are transparent…or if not transparent, more a matter of style than of functionality. Any device, from anywhere, is fine as long as it can access data and allow them to do their jobs.
Organizational culture has moved from one where IT gives hardware, software and access to one where IT enables end users to exercise their consumer preferences at work, choosing their own applications, accessing and using their data at will, and liberating everyone from tethers to networks, devices, and applications. Users are pulling the new technology paradigm into the workplace.
A similar shift is underway in security. For the first time, infrastructure security is built into the technology you license. Google Apps and Salesforce come with great controls. This means Security can shift its attention to the end user and end users’ processes, as IT has done. The trend is leading to dramatic changes. First, IT can think in terms of the strategic issues of security, like data governance and compliance. Patch Tuesday is becoming an archaism. This leads to a richer and more helpful interaction with the business about what their security needs are. Second, users become firewalls. As legacy canons of security like containerization collapse in the cloud, users have to pick up the mantle of accountability for the usage of their data: after all, if Security can’t containerize data logically or physically, end users need to do it as part of their normal course of doing business. The centralized architectures of the cloud allow for simple data classification and risk feedback to end users, making them part of the solution rather than the problem. Unlike in the past, when end users asked for permission and Security said no, end users today ask for insight on risk, and Security designs feedback that engages and guides them. Finally, long term, people-centric thinking is possible, with a better ratio of risk-based to standards- and compliance-based practices, without impacting the business. Simple models and ample data for measuring risk and monitoring the effect of remediation make it possible to make measurable progress against meaningful goals.
The result is a people-centric culture of security, driven by end user accountability, informed intelligently by Security, enabled by IT’s selection of cloud technology. The concept seems new and scary, except that it already exists in other areas. With minimal controls, companies secure trillions of dollars in physical assets every day. As companies think about this culture, the question isn’t whether but how. What are the things that can influence the subtle yet sustainable shift to data accountability? And how do we implement them so they’re helpful, not invasive?
With CloudLock, the idea is to detect negligent behavior…especially negligent behavior that stems from the cloud paradigm itself…and advise users. This reinforces default good behavior, which characterizes most users most of the time, and reminds users of risks, such as when they share confidential materials inappropriately. This is only possible with intelligent solutions, such as CloudLock’s data classification for identifying confidential information, coupled with policy-driven notifications that automatically guide end users to the right behavior without the threat of a scolding from Security. The outcomes are staggering: it’s not quite gamification, but users want to use data correctly and strive to be better stewards of digital assets. And when the users play the right kinds of games with data and data protection, the enterprise is the winner.
Read more of the “From Arthur’s Desk” blog series:
- From Arthur’s Desk: Collaboration Index and Data Containment in Google Drive (December 9, 2013)
- From Arthur’s Desk: A Data Breach Prevented in Time (August 8, 2013)
- From Arthur’s Desk: The Moving Target of Compliance and Governance (August 19, 2013)
- From Arthur’s Desk: Metrics and Risk-Based Data Security (September 18, 2013)