Educause Security Discussion mailing list archives

Re: Trying to manage the move to the cloud


From: "Jeffrey I. Schiller" <jis () MIT EDU>
Date: Fri, 11 Mar 2011 11:11:48 -0500


On Fri, Mar 11, 2011 at 10:37:16AM -0500, Bob Bayn wrote:
Our Information Security Policy includes this little statement:

"Offsite storage, processing or backup of PSI/CID [private sensitive
information/critical institutional data] must use service providers
evaluated and approved by the responsible data steward in
consultation with OIT. OIT is directed to publish standards that
conform to this policy
<https://it.usu.edu/policies/htm/information-security/selection-of-cloud-computing-services>."

I like this approach. I am not a big fan of "You may not do that,
period." style policies. If central IT has comparable solutions to a
service in the cloud that someone wants to use, that is one
thing. However often this isn't the case. So if you say "you must use
central IT's services" and the person needs to use the cloud service
to do their job, in effect you are saying "you cannot do your job."
Guess what happens then. And yes, I know that they probably can do
their job without using the particular cloud service at issue, but it
probably requires more work (which may not be appreciated by their
supervisor!).

One of the big challenges that we have in security is getting security
to align with human nature. When we ask people to do something that
goes against the grain of human nature, compliance will always be low
and risk will always be increased. I can rant more on this topic, but
I won't pollute this thread with it :-)

I would recommend, first, a data classification policy, followed by an
evaluation of the various offerings out there and a mapping of which class
of data is appropriate for which cloud service (if any).

                        -Jeff

--
_______________________________________________________________________
Jeffrey I. Schiller
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room N42-283
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis () mit edu
http://jis.qyv.name
_______________________________________________________________________