Educause Security Discussion mailing list archives
Re: Trying to manage the move to the cloud
From: "Jeffrey I. Schiller" <jis () MIT EDU>
Date: Fri, 11 Mar 2011 11:11:48 -0500
On Fri, Mar 11, 2011 at 10:37:16AM -0500, Bob Bayn wrote:
> Our Information Security Policy includes this little statement: "Offsite storage, processing or backup of PSI/CID [private sensitive information/critical institutional data] must use service providers evaluated and approved by the responsible data steward in consultation with OIT. OIT is directed to publish standards that conform to this policy <https://it.usu.edu/policies/htm/information-security/selection-of-cloud-computing-services>."

I like this approach. I am not a big fan of "You may not do that, period." style policies. If central IT has comparable solutions to a service in the cloud that someone wants to use, that is one thing. However, often this isn't the case. So if you say "you must use central IT's services" and the person needs to use the cloud service to do their job, in effect you are saying "you cannot do your job." Guess what happens then.

And yes, I know that they probably can do their job without using the particular cloud service at issue, but it probably requires more work (which may not be appreciated by their supervisor!).

One of the big challenges that we have in security is getting security to align with human nature. When we ask people to do something that goes against the grain of human nature, compliance will always be low and risk will always be increased. I can rant more on this topic, but I won't pollute this thread with it :-)

I would recommend first, a data classification policy. Followed by an evaluation of various offerings out there and a mapping of which class of data is appropriate for which cloud service (if any).

-Jeff

--
_______________________________________________________________________
Jeffrey I. Schiller
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room N42-283
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis () mit edu
http://jis.qyv.name
_______________________________________________________________________