Every Information Technology discipline has a lifecycle process. Before you choose a cloud solution, there is a lifecycle process to follow that matches your business needs to the right cloud solution. (You don't need to be an IT geek to get this.)
Step 1. IDENTIFY what you have.
ALL businesses are required to keep certain types of information.
(The first step in determining whether a cloud solution is right for your business is NOT to pick a cloud type. All clouds share fundamental characteristics and functionality. They use economies of scale to provide shared resources including storage, databases and applications, accessed via the Internet.)
1. Inventory your software applications. On a Windows PC you can list installed programs in the Control Panel (Programs and Features). On iOS and Android, go to Settings, then Apps.
2. Identify existing cloud applications. Where do you save your business bank statements? Your customer database? Receipts? Odds are, you are using some kind of cloud service already.
3. Determine Industry compliance standards that may apply to your business
a. professional licensing boards (for CPAs, for example)
b. standards bodies such as the International Organization for Standardization (ISO)
c. each state's business-filing agency (the Department of Corporations in some states) has its own requirements; make sure you are current on all filings, collecting state sales tax, paying reemployment (previously unemployment) taxes, etc.
4. Define the regulatory and corporate requirements that can apply to any business, regardless of industry
a. CAN-SPAM Act (sets the rules for commercial email: honest headers and subject lines, a working opt-out, and a physical address)
b. Fair Credit Reporting Act (if you base employment decisions on credit reports, this applies to you)
c. HIPAA (compliance requirements for covered entities such as doctors and hospitals, and for their business associates, who collect, maintain and store patient information)
d. Data retention requirements (how long you must keep critical data)
e. A data disposal policy that names the destruction method for each storage type, e.g. cryptographic key destruction, overwriting, degaussing of magnetic media and/or physical destruction
f. General Data Protection Regulation (GDPR), which applies if you process personal data of people in the EU, wherever your business is located
5. Examine stakeholder-centric data (e.g. email addresses, payment preferences, survey results). Does this data contain any of the following?
a. Personally Identifiable Information (PII)
b. Cardholder data from credit card payments (which brings PCI DSS into scope)
c. Protected Health Information (PHI)
These are only some of the laws, governing bodies and policies that apply to data, software applications and the collection of information.
Now is a good point to determine whether you have overlapping applications, software that is out of date, and whether you actually need all the information you have collected and stored. If you don't need data for regulatory, compliance or business continuity purposes, don't collect it. The more information you collect from your business stakeholders, the more cumbersome and complicated the requirements for data protection, access and storage become.
Never buy cloud services just because someone tells you "everyone needs the cloud". There are some great Cloud Service Providers (CSPs). But there are also a tremendous number of businesses claiming to be CSPs who can seriously jeopardize your business. Remember that responsibility is shared: the CSP secures the underlying infrastructure, but you remain responsible, and in most contracts legally liable, for your data, your configuration and your users. A CSP's liability for a breach or data loss is usually limited to what its SLA says, so read that clause before you sign.
Step 2. CLASSIFY the data by risk
1. High – data at the greatest risk: loss or compromise would put you at serious risk of going out of business
a. Intellectual property
b. Proprietary corporate information
c. Data protected by law or by a regulatory body
d. Compromises of this type of data carry the highest penalties and present the highest risk to business continuity
e. This data may also be labelled top secret or sensitive
2. Moderate – data whose compromise would hurt you but not end the business
a. Internal emails and policies
b. Trend reporting
c. Compromises of this type of data may carry penalties and jeopardize business reputation and revenue
d. This data may also be labelled confidential, private or proprietary
3. Low – data that is intended to be seen outside the business
a. Marketing materials
b. Mission statements
c. Real-time updates
d. This data may also be labelled public or unclassified
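The "examine stakeholder-centric data" item in Step 1 and the tiers in Step 2 are easier to act on with a scan you can run over the data you already hold. The following is an added example, not code from the original article: it looks for Luhn-valid card numbers, SSNs, email addresses and a few health-record keywords in sample records, masks anything it finds so the report is not itself cardholder data, and maps each record to High / Moderate / Low. The regular expressions, the keyword list and the tiering rule are assumptions made for illustration, and the sample records are constructed.

```python
"""Added example (not from the original article): scan records you already
hold for cardholder data, SSNs, email addresses and PHI keywords, then map
each record to the High / Moderate / Low tiers used in Step 2.  The regexes,
keyword list and tiering rule are assumptions chosen for illustration."""
import re
from typing import Dict, List, Set

# Constructed sample records, standing in for an export of business data.
SAMPLE_RECORDS = [
    "Invoice 1042: jane.doe@example.com paid with card 4111 1111 1111 1111",
    "Applicant SSN 123-45-6789, background check requested",
    "Patient MRN 00927 diagnosis: type 2 diabetes, follow-up 2024-03-01",
    "Newsletter signup: bob@example.org",
    "Q3 trend report: web traffic up 12% vs Q2",
    "Order ref 1234-5678-9012-3456 shipped",  # 16 digits, but fails Luhn
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
PHI_TERMS = ("patient", "diagnosis", "mrn", "prescription")  # assumed keyword list


def luhn_ok(digits: str) -> bool:
    """Luhn check digit; rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid 13-19 digit numbers found in text, separators stripped."""
    pans = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the scan report is not cardholder data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def categories_for(text: str) -> Set[str]:
    cats = set()
    if find_pans(text):
        cats.add("PCI")    # cardholder data -> PCI DSS scope
    if SSN_RE.search(text):
        cats.add("SSN")    # PII that is also a fraud identifier
    if EMAIL_RE.search(text):
        cats.add("EMAIL")  # PII, but lower sensitivity on its own
    if any(term in text.lower() for term in PHI_TERMS):
        cats.add("PHI")    # protected health information -> HIPAA
    return cats


def risk_tier(cats: Set[str]) -> str:
    """Assumed tiering rule mirroring Step 2: regulated data is High,
    contact PII on its own is Moderate, everything else is Low."""
    if cats & {"PCI", "PHI", "SSN"}:
        return "High"
    if "EMAIL" in cats:
        return "Moderate"
    return "Low"


def scan(records: List[str]) -> List[Dict[str, object]]:
    findings = []
    for rec in records:
        cats = categories_for(rec)
        findings.append({
            "record": rec[:40],  # truncated so the report does not copy the data
            "categories": sorted(cats),
            "tier": risk_tier(cats),
            "pans": [mask_pan(p) for p in find_pans(rec)],
        })
    return findings


def tier_counts(findings: List[Dict[str, object]]) -> Dict[str, int]:
    counts = {"High": 0, "Moderate": 0, "Low": 0}
    for f in findings:
        counts[str(f["tier"])] += 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_RECORDS)
    for f in results:
        print(f["tier"], f["categories"], f["pans"], f["record"])
    print(tier_counts(results))
```

The Luhn check matters in practice: without it, order numbers, tracking numbers and timestamps would all be reported as card numbers. Note that the keyword-based PHI check is deliberately crude; a real scan would use the field names in your actual systems.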
Step 3. SELECT & IMPLEMENT your Cloud
1. Understand that NO cloud solution is 100% secure. Period.
2. Your cloud solution will be defined by several characteristics; ask about each of them before you sign:
a. Encryption: which algorithms and key lengths are used
b. Encryption in transit and at rest
c. Key management: who holds the keys, how they are accessed, rotated and replaced
d. Virtual Private Network (VPN) access
e. Service Level Agreement (SLA)
f. Deployment model: public, private, community and/or hybrid
Step 4. MONITOR with a Risk Management policy
There is absolutely no sense in going to all the trouble of identifying your storage needs and finding the right CSP, then not defining an access policy.
1. Who needs to access your type of data?
a. Build access and "need to know" policies by type of data, using the tiers from the CLASSIFY step:
i. High
1. Two-factor authentication required
2. Inaccessible via external devices
3. Significant monitoring
ii. Moderate
1. Department heads
2. Need-to-know personnel
3. Two-factor authentication required
4. External device access clearly defined by policy
5. Significant monitoring
iii. Low
1. Read-only access for all employees/public access users
2. Random, routine monitoring for exploits/attacks
2. What are the regulatory and compliance requirements for your type of data?
a. Define Corporate, Compliance and Regulatory best practices by type of data
1. This was previously defined in the IDENTIFY step
3. When will the data need to be accessed?
a. Archive and Access Policy
i. Constant vs intermittent
ii. Short, medium, long term
b. Platform dependencies
i. Software as a Service (SaaS)
ii. Platform as a Service (PaaS)
iii. Infrastructure as a Service (IaaS)
4. Where will your type of data be stored?
a. On premises
b. In the cloud
i. Public, Private, Community or Hybrid
5. Why do I need policies on data collection, storage, access and protection?
a. Business continuity
i. A serious breach can end a small business: the often-cited figure is that affected small businesses close within six months, so plan for the cost of recovery, not just prevention
b. Business reputation
6. How do I monitor my business cloud compliance?
a. This should be spelled out in your Service Level Agreement (SLA). It may also be listed under "Terms and Conditions". These are must-read documents.
b. Consider hiring an outside auditing firm
c. Work with your Cloud Service Provider to identify and test vulnerabilities
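Item 1 of Step 4 above is only useful if it is enforced consistently, and the easiest way to check that a prose policy is consistent is to write it down as a decision function and run the corner cases through it. The block below is an added example, not code from the original article: it encodes the High / Moderate / Low access matrix as a deny-by-default check and records every decision for monitoring. The role names, the managed-device flag, the High-tier audience (the article does not name one) and the rule that Low data is written only by assumed content owners are assumptions; the requests at the bottom are constructed.

```python
"""Added example (not from the original article): the Step 4 access matrix as
a deny-by-default decision function with an audit trail.  Role names, the
device flag and the exact rule set are assumptions; the article only names
the tiers and the controls for each."""
from dataclasses import asdict, dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str             # assumed roles: dept_head, need_to_know, employee, public
    tier: str             # High / Moderate / Low from the CLASSIFY step
    action: str           # "read" or "write"
    mfa_verified: bool    # second factor completed for this session
    managed_device: bool  # False means an external/personal device


# Who may access each tier at all (assumed reading of the page's lists; the
# page does not name the High-tier audience, so need-to-know only).
ALLOWED_ROLES = {
    "High": {"need_to_know"},
    "Moderate": {"dept_head", "need_to_know"},
    "Low": {"dept_head", "need_to_know", "employee", "public"},
}
WRITERS_LOW = {"dept_head", "need_to_know"}   # assumed content owners for Low data
MFA_REQUIRED = {"High", "Moderate"}
MONITORING = {"High": "significant", "Moderate": "significant", "Low": "random-routine"}

AUDIT_LOG: List[dict] = []


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason).  Anything not explicitly allowed is denied,
    so an unknown tier, role or action fails closed rather than open."""
    if req.tier not in ALLOWED_ROLES:
        return False, "unclassified data: classify it before granting access"
    if req.action not in ("read", "write"):
        return False, f"unknown action '{req.action}'"
    if req.role not in ALLOWED_ROLES[req.tier]:
        return False, f"role '{req.role}' is not on the access list for {req.tier} data"
    if req.tier in MFA_REQUIRED and not req.mfa_verified:
        return False, "two-factor authentication required for this tier"
    if req.tier == "High" and not req.managed_device:
        return False, "High data is inaccessible from external devices"
    if req.tier == "Moderate" and not req.managed_device and req.action == "write":
        return False, "external devices may only read Moderate data (assumed policy)"
    if req.tier == "Low" and req.action == "write" and req.role not in WRITERS_LOW:
        return False, "Low data is read-only for employees and public users"
    return True, "allowed"


def decide(req: AccessRequest) -> bool:
    """Evaluate the request and append the decision to the audit log, tagged
    with the monitoring level the policy assigns to that tier."""
    allowed, reason = evaluate(req)
    AUDIT_LOG.append({**asdict(req), "allowed": allowed, "reason": reason,
                      "monitoring": MONITORING.get(req.tier, "significant")})
    return allowed


if __name__ == "__main__":
    # Constructed requests exercising each tier and each control.
    requests = [
        AccessRequest("ana", "need_to_know", "High", "read", True, True),
        AccessRequest("ana", "need_to_know", "High", "read", True, False),
        AccessRequest("bob", "dept_head", "Moderate", "write", False, True),
        AccessRequest("cat", "employee", "Low", "read", False, False),
        AccessRequest("cat", "employee", "Low", "write", True, True),
        AccessRequest("dan", "public", "TopSecret", "read", True, True),
    ]
    for r in requests:
        print(decide(r), AUDIT_LOG[-1]["reason"])
```

Two design points carry over to whatever identity system you actually use: the unclassified-tier branch is first, so data that skipped the CLASSIFY step cannot be reached by accident, and every denial returns the specific rule that fired, which is what you need when an auditor or the SLA review asks why a request was refused.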
As small business owners, we wear a lot of hats, and sometimes we think we can save money by cutting corners. But as the world becomes more connected and the Internet of Things (IoT) expands, I think the small businesses that survive will be the ones that adopted best practices in information security and emerging technology early.