Securing Sensitive Information in the Cloud Comes Down to Access Management
Cloud-based platforms saw a major boost in adoption as a result of the COVID-19 pandemic, with many organizations moving collaboration entirely to the cloud via platforms like Microsoft Teams. Adopting new cloud platforms and methods of collaboration means it's time for organizations to create a plan for securing sensitive information.
The most successful way to do so is to understand who can access sensitive information and how business processes are increasing exposure to risk, and then to mitigate that exposure. Yes, preventing cyberattacks from mysterious malicious actors in black hoodies is important, but studies have repeatedly shown that most of your risk exposure comes from inside your organization.
Most organizations have sensitive information in the cloud today; that's inevitable. But well-meaning collaborators will inadvertently overexpose sensitive information if proactive measures aren’t in place to guide them — it’s only a matter of time.
Once you know who has access to what, instate proper strategies and access management tools to mitigate the risk caused by access to this sensitive content. It’s also extremely important to follow through with risk mitigation and ensure there is an ongoing plan to secure sensitive information.
Reducing Exposure to Sensitive Collaboration Information
Sensitive information can be regulated content as well as information that only a small group of employees in the organization should have access to. How people collaborate is extremely important when working on documents that contain internal proprietary information, regulated information like personal identifying information (PII) or financial details, or even information related to government secrets like ITAR.
Some organizations lack the policies or training to encourage employees to only share information as necessary. Others are unaware of how easy it is with software platforms like Microsoft Teams for users to inadvertently, with only a few clicks, overexpose such content to shadow users, even to the extent of organization-wide viewing or editing rights.
Exposure is intensified in platforms where users can easily surface documents with a simple search. Platforms like Microsoft Teams and others will even proactively surface accessible documents their peers are working on or give suggestions for information users should know.
The days of “security by obscurity” — relying on hiding content in difficult locations and trusting users will not rummage through folders to find things they shouldn’t see — are long gone. Proactive protection is the only option now to minimize the risks that come with overexposure to sensitive information.
It’s Impossible to Completely Eliminate Risk
Office 365 and other platforms provide some great options to secure content and sensitive information, and it’s good to review how the different features can work together to reduce risk caused by exposure. Yet even with the best security features in place, it is impossible to completely prevent users from accidentally or intentionally exposing data.
Therefore organizations still need a plan in place. What steps will you take in the event of a breach? Whose responsibility is it to review content for sensitivity and exposure? What preventative steps will you take? While 100% prevention is not possible, it may be possible to lessen the pain caused by a breach.
It could also result in a lower fine or an avoidance of fines altogether because the organization has done all it feasibly could do to avoid a breach. Or it could mean that potential breaches are detected and mitigated before any damage is done.
In any case, setting up and maintaining solutions as well as reviewing content and procedures can be a huge burden on IT, legal and security teams, who must work together to accomplish the goal of reducing data exposure.
People Need the Tools and Training to Do the Right Thing
Security features are inherently only part of the story. Users must understand their shared responsibility for reducing organizational risk and how their day-to-day roles can help minimize exposure of sensitive data.
They need to know how the tasks they accomplish every day can ensure sensitive content remains in the right hands, and the organization needs to provide training that gives them the context to do exactly that. Rewarding managers and teams who follow the rules will help others understand the stake they have in the organization’s security efforts.
In addition, if users do not feel like a process is easy enough for them, they will often create their own process that is. Training is key. Additionally, security and governance solutions should be able to proactively enforce security and organize information in a way that makes it easy to do the right thing.
To that end, as IT teams and security teams are looking for ways to enhance security, they should be looking for solutions that can significantly reduce the workloads of IT admins and security teams, as well as users and managers throughout their organization. Solutions that tout the simplification of workloads through click reduction and reporting often fail to take into account the training that users will need to receive, and the fact that reviews and enforcement of security will still have to be manual processes.
With rapid rates of cloud application adoption, technology change, content creation and productivity, and with more and more security concerns arising as time goes on, IT and security teams are increasingly burdened with the tasks of organizing and securing it all. Organizations need to respond to these increasing needs and give these teams the tools they need so everyone can get the job done.
About the Author
Hunter Willis is a product marketing manager at AvePoint and the president of the Richmond SharePoint User Group, MSCA O365. He has been in web development, SEO and social media marketing for over a decade, and entered the SharePoint space in 2016.