Cloud computing represents one of the most significant paradigm shifts in information technology (IT) history. It may have evolved as an extension of sharing an application-hosting provider, which has been around for a half century and was common in highly regulated vertical industries, such as banks and healthcare institutions. But cloud computing is a very different computing resource, utilizing advances in IT architecture, system software, improved hardware speeds, and lower storage costs.
The impetus behind cloud computing is that it provides economies of scale by spreading costs across many client organizations and pooling computing resources while matching client computing needs to consumption in a flexible, (nearly) real-time way. Cloud computing can be treated as a utility that is vastly scalable and can be readily modulated, just as the temperature control on your furnace regulates your energy consumption. This approach has great potential, promising on-demand computing power, off-site backups, strong security, and “innovations we cannot yet imagine.”1
When executives hear of the potential cost savings and elimination of capital outlays associated with cloud computing, their ears perk up. Cloud deployments can give users some autonomy and independence from their IT department, and IT departments are enthused to have instant resources at their disposal and to shed some of the responsibilities for infrastructure so they can focus on business applications. Most of all, they are excited by the agility offered by the on-demand provisioning of computing and the ability to align IT with business strategies more nimbly and readily.
But for all the hoopla and excitement, there are also grave concerns about security risks and loss of direct IT control, which call for strict information governance (IG) policies and processes. Managers and IT leaders who are customers of cloud computing services are ultimately responsible for IT performance. A number of critical IG challenges associated with cloud computing must be addressed. These include privacy and security issues, records management (RM) issues, and compliance issues, such as the ability to respond to legal discovery orders. In addition, there are metadata management and custody challenges to consider. An investigation and analysis of how the cloud services provider(s) will deliver RM capability is crucial to supporting IG functions, such as archiving and e-discovery, and meeting IG policy requirements.
Organizations need to understand the security risks of cloud computing, and they must have IG policies and controls in place for leveraging cloud technology to manage electronic information before moving forward with a cloud computing strategy.
The definition of cloud computing is, rather, well, cloudy, if you will. The flurry of developments in cloud computing makes it difficult for managers and policy makers to define it clearly and succinctly, and to evaluate available options. Many misconceptions and vagaries surround cloud computing. Some misconceptions and questions include:
Cloud computing is a shared resource that provides dynamic access to computing services that may range from raw computing power, to basic infrastructure, to fully operational and supported applications.
It is a set of newer information technologies that provides for on-demand, modulated, shared use of computing services remotely. This is accomplished by telecommunications via the Internet or a virtual private network (which may provide more security). It eliminates the need to purchase server hardware and deploy IT infrastructure to support computing resources and gives users access to applications, data, and storage within their own business unit environments or networks.3 Perhaps the best feature of all is that services can be turned on or off, increased or decreased, depending on user needs.
There are a range of interpretations and definitions of cloud computing, some of which are not completely accurate. Some merely define it as renting storage space or applications on a host organization's servers; others center definitions around Web-based applications like social media and hosted application services.
Someone has to be the official referee, especially in the public sector. The National Institute of Standards and Technology (NIST) is the official federal arbiter of definitions, standards, and guidelines for cloud computing. NIST defines cloud computing as:
a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.4
NIST has offered its official definition, but “the problem is that (as with Web 2.0) everyone seems to have a different definition.”5 The phrase “the cloud” has entered the mainstream—it is promoted on prime-time TV—but its meaning and description are in flux: that is, if you ask 10 different people to define it, you will likely get 10 different answers. According to Eric Knorr and Galen Gruman in InfoWorld, it's really just “a metaphor for the Internet,” but when you throw in “computing” alongside it, “the meaning gets bigger and fuzzier.” Cloud computing provides “a way to increase capacity [e.g. computing power, network connections, storage] or add capabilities dynamically on the fly without investing in new infrastructure, training new personnel, or licensing new software. Cloud computing encompasses any subscription-based or pay-per-use service that, in (near) real time over the Internet, extends IT's existing capabilities.”6
Given the changing nature of IT, especially for newer developments, NIST has stated that the definition of cloud computing “is evolving.” People looking for the latest official definition should consult the most current definition available from NIST's Web site at www.nist.gov (and other resources).
NIST also identifies five essential characteristics of cloud computing:
Cloud computing growth is expected to continue to climb dramatically. A recent Gartner study shows that the United States is the leader in adopting cloud computing, and the market is expanding rapidly.8 The cloud computing market is expected to grow 21% annually from 2012 to 2016, exceeding $16 billion in 2014 and growing to over $22 billion in 2016.9
The use of service-oriented architecture—which separates infrastructure, applications, and data into layers—permeates enterprise applications, and the idea of loosely coupled services running on an agile, scalable infrastructure may eventually “make every enterprise a node in the cloud.” That is the direction the trend is headed. “It's a long-running trend with a far-out horizon. But among big metatrends, cloud computing is the hardest one to argue with in the long term”10 (emphasis added).
A common misconception is that an organization “moves to the cloud.” In reality, the organization may decide to transition some specific business applications to the cloud. Those specific business applications are selected because a cloud architecture may offer crucial functions that the internally hosted solution does not or because the internal solution is burdensome to maintain. Some examples of business applications that frequently are moved to the cloud include advertising, collaboration, e-mail, office productivity applications, sales support solutions, customer response systems, file storage, and system backups.
Another common misconception is that if your organization does not decide to migrate to a cloud solution, you are protected from all the dangers of cloud computing. The hard facts are that, for the vast majority of organizations, users are already putting information in the cloud. They are simply using cloud solutions to compensate for limitations of the current environment. They may be using Box to get at information when working remotely or Dropbox to share information with an outside business partner. Or they are using OneDrive to get to documents from their iPad. They may not even realize they just posted company information to a cloud environment, so they do not realize they violated any policy against doing that. To complicate matters, they probably also left a copy of the information within your organization's firewall. Internal users might not realize they are not using the current version, and your records manager does not know another copy is floating around out there. This is completely ungoverned information in the cloud. The best defense against it is to deliver solutions for those business needs so that users do not have to find their own.
Depending on user needs and other considerations, cloud computing services typically are deployed using one of four models, as defined by NIST:
The risks and security vulnerabilities of cloud computing have been reviewed in this chapter—so much so that perhaps some readers wonder whether cloud computing is truly worth it. The answer is a qualified yes—it can be, based on your organization's business needs and computing resource capabilities. Besides the obvious benefit of getting your company out of the IT infrastructure business and back to focusing on its real business goals, there are many benefits to be gained from cloud computing solutions.
Some of the specific benefits offered by cloud computing solution are listed next:
The business benefits of cloud computing may largely outweigh the security threats for the vast majority of enterprises, so long as they are anticipated and the preventive actions described are taken.
Cloud computing comes with serious security risks—some of which have not yet been uncovered. In planning your cloud deployment, these risks must be borne in mind and dealt with through controls and countermeasures. Controls must be tested and audited, and the actual enforcement must be carried out by management. Key cloud computing security threats are discussed next, along with specific examples and remedial measures that can be taken (fixes). The majority of this information and quotations are from the Cloud Security Alliance.12
When information is deleted or altered without a backup, it may be lost forever. Information also can be lost by unlinking it from its indices, deleting its identifying metadata, or losing its encoding key, which may render it unrecoverable. Another way data/document loss can occur is by storing it on unreliable media. And as with any architecture—not just cloud computing—unauthorized parties must be prevented from hacking into the system and gaining access to sensitive data. In general, providers of cloud services have more resources at their disposal than their individual clients typically have.
Examples
The Fixes
Many times damage to information is malicious, while other times damage is unintentional. Lack of training and awareness, for example, can cause an information user to accidentally compromise sensitive data. Organizations must have proactive IG policies that combat either type of breach. The loss of data, documents, and records is always a threat and can occur whether cloud computing is utilized or not.
But the threat of data compromise inherently increases when using cloud computing, due to “the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.”
Examples
The Fixes
Since the advent of the National Security Agency controversy and the slew of examples in the corporate world, the threat of the malicious insider is well known. “This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure” (emphasis added). It is important to understand your cloud provider's security procedures for its employees: How are they screened? Are background checks performed? How is physical access to the building and data center granted and monitored? What are its remedial procedures for noncompliance?
When these security, privacy, and support issues are not fully investigated, it creates an opportunity for identity thieves, industrial spies, and even “nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.”
Examples
The Fixes
Although cloud computing providers, as a rule, invest heavily in security, they also can be the target of attacks, and those attacks can affect many client enterprises. Providers of cloud infrastructure service (e.g. network management, computing power, databases, storage) offer their customers the illusion of unlimited infrastructure expansion in the form of computing, network resources, and storage capacity. Often this is coupled with a very easy sign-up process, free trials (even for anonymous users), and simple activation with a credit card. This is a boon to hackers who can assume multiple identities. Using these anonymous accounts to their advantage, hackers and spammers can engage in criminal operations while remaining elusive.
Examples
The Fixes
By their very nature, cloud computing solutions involve the movement of information. Information moves from a workstation in your network to the cloud, from the cloud to a mobile device user, from an external partner to the cloud and then to one of your workstations, and so on. Further, information may be moved automatically from an application in the cloud to an application you host internally and vice versa. The movement of information complicates the process of securing it, as it now must be protected at the point of origin, the point of receipt, on the device that transmits it, on the device that receives it, and at all times when it is in transit.
An application programming interface (API) is a way of standardizing the connection between two software applications. APIs are essentially standard hooks that an application uses to connect to another software application—in this case, a system in the cloud. System actions like provisioning, management, orchestration, and monitoring can be performed using these API interfaces.
It comes down to this: a chain is only as strong as its weakest link, so APIs must be thoroughly tested to ensure that all connections abide by established policy. Doing this will thwart hackers seeking work-arounds for ill intent as well as valid users who have made a mistake. It is possible for third parties to piggyback value-added services on APIs, resulting in a layered interface that is more vulnerable to security breaches.
Examples
The Fixes
Basic cloud infrastructure is designed to leverage scale through the sharing of components. Despite this, many component manufacturers have not designed their products to function in a multitenant system. Newer architectures will evolve to address this issue.
In the meantime, virtual computing is often used, allowing for multiple instances of an operating system (OS) (and applications) to be walled off from others that are running on the same computer. Essentially, each instance of the OS runs independently, as if it were the only one on the computer. A “virtualization hypervisor mediates access between guest operating systems and the physical compute resources” (like central processing unit processing power). Yet flaws have been found in these hypervisors “that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform”—and therefore indirectly impact the other guest OSs running on the machine. To combat this, “security enforcement and monitoring” of all shared computing resources must be employed. Solid partitions between the guest OSs—known as compartmentalization—should be employed to ensure that one client's activities do not interfere with others running on the same cloud provider. Customers should never have access to any other tenant's “actual or residual data, network traffic” or other proprietary data.
Examples
The Fixes
Hacking into accounts to assume the identity of an authorized user has been happening almost since personal e-mail existed. It can be as simple as stealing passwords with a keystroke logger. Attack methods such as social engineering (e.g. phishing), fraud by identity theft, and exploitation of software vulnerabilities are still effective at compromising systems. Most people recycle a few passwords and reuse them for multiple accounts, so once one is breached, criminals can gain access to additional accounts. If login credentials are compromised, a hacker can monitor nearly everything your organization is doing: a less passive hacker might alter or destroy sensitive documents, create false information, or replace your links with fraudulent ones that direct users to sites harboring malware or phishing scams. Once they have control, it can look like your organization is the origin of the malicious downloads or information capture. From here, the attackers can assume the good name and reputation of an organization to further their attacks.
Examples
The Fixes
Knowing your neighbors—those who are sharing the same infrastructure with you—is also important, and, as we all know, good fences make good neighbors. If the cloud services provider will not or cannot be forthcoming about who else is sharing its infrastructure services with your organization and this becomes a significant issue, you may want to insert contract language that forbids any direct competitor from sharing your servers. These types of terms are always difficult to verify and enforce, so moving to a private cloud architecture may be the best option.
Examples
The Fixes
A primary selling point of cloud computing is that enterprises are freed up to focus on their core business rather than being focused on providing IT services. Modulating computer hardware and software resources without making capital expenditures is another key advantage. Both of these business benefits allow companies to invest more heavily in line-of-business activities and focus on their core products, services, and operations. However, the security risks must be weighed against the financial and operational advantages. Further complicating things is the fact that cloud deployments often are enthusiastically driven by advocates who focus inordinately on potential benefits and do not factor in risk and security issues. Additional examples of IG concerns are listed next:
An analysis of an organization's exposure to risk must include checking on software versions and revision levels, overall security design, and general IG practices. This includes updating software, tools, and policy, as needed.
Finally, for each of these challenges, “IG policies and controls to secure information assets” and “IG policies and controls to protect the most sensitive documents and data” are a key part of the solution.
In March 2019, the Center for Internet Security (CIS) released the Mobile Companion Guide to help organizations map the CIS controls and their implementation in mobile environments.15 The companion guide focuses on a consistent approach to applying the security recommendations in both Google Android and Apple iOS environments. Factors such as who owns the data and who owns the device affect how the device should be secured. The Mobile Companion Guide explores bring-your-own-device (BYOD), corporate-owned, personally enabled (COPE), fully managed, and unmanaged devices.
The Guide also looks at systems that administer and monitor devices, such as enterprise mobility management (EMM), mobile device management (MDM), mobile application vetting (MAV), and mobile threat defense (MTD). The CIS Mobile Companion Guide includes this checklist to track implementation of the 20 controls on mobile devices.
All organizations operate mobile devices and need to adopt a security mindset and harden the devices to protect against the unique challenges of on-the-go mobile computing environments. The CIS Mobility Guide provides an excellent overview of how to address this challenge. The complete guide can be downloaded from https://www.cisecurity.org/blog/new-release-cis-controls-mobile-companion-guide/.
The National Archives and Records Administration has established guidelines for creating standards and policies for managing an organization's e-documents records that are created, used, or stored in cloud computing environments.
A set of guidelines aimed at helping you leverage cloud computing in a way that meets your business objectives without compromising your IG profile is presented next:
Utilizing cloud computing resources provides an economical way to scale IT resources, which allows more focus on core business operations. It can render significant business benefits, but its risks must be carefully weighed, and specific threats must be countered, in the context of a long-range cloud deployment plan.
Information Governance on SharePoint and Office 365 requires awareness of the capabilities offered by the platform itself and a basic understanding of the layers underlying the platform. In this section, we'll first cover the capabilities of SharePoint on-premises deployments, then the Office 365 infrastructure, and finally information governance in Office 365.
SharePoint as a product family has been available since late 2000. In that time many things have changed, including the underlying development technologies and platforms. During the changes the product developed a set of rich capabilities to support information governance. From a basic information management perspective SharePoint supports file versions, approvals, metadata, workflows, and a host of other expected capabilities. Since 2010, SharePoint has supported not just records but also basic eDiscovery capabilities including holds. SharePoint 2016 introduced data loss prevention support as well.
SharePoint's most basic unit of control is a content type. The content type wraps up a set of properties and behaviors, including which metadata columns are allowed and which ones are required, retention policies, available workflows, and more. Content types are not defined at a farm (installation) level. Nor are they defined at a web application level (fully qualified name). Instead, content types are defined at a site collection level or a site level. A site collection is, as the name suggests, a collection of sites. The fact that content types are defined at such a low level reduces consistency across different areas of the business.
SharePoint does offer a content type hub which can publish content types to every site collection—minimizing the potential impact of having multiple definitions for the same type of content; however, the out-of-the-box functionality leaves opportunities for third parties to come in to offer a complete solution that can audit when individual site collection owners have modified the corporate published types.
Storage in SharePoint exists in either a list or a library which itself is located in a site. A list is simply a collection of rows which can have attachments and support versioning. A library is a collection of files and folders. Both lists and libraries use the same content type approach and therefore each item can have its own workflows, retention policies, can be declared as a record, and so on. While most of the considerations for information governance occur at a content type level, versioning is implemented in either the list or library.
Some options for information governance can be applied to a list or library. Most of the time, these functions are implemented under the covers as information governance controls on the default content type rather than on the list or library itself.
Lists and libraries support two different mechanisms for records management. The first method declares a record by sending it to a records center. Each implementation can have one or more records centers. Once the record is sent to a records center it can be removed from the originating location, replaced with a link to the location in the records center, or left intact. Records can be declared manually or through the use of workflows.
The second records management implementation is referred to as in-place records management and the declaration of a record marks the information so that even users with permission to the item can't take prohibited actions, such as deleting the record. In-place records management resolves some of the concerns with findability of records. However, in-place records management does expose a large retention problem.
SharePoint, out-of-the-box, provides no mechanism for site or site collection lifecycle management. The result is that when an entire site should be destroyed because it's reached its expiration the process must be done manually or via an automated mechanism not built into SharePoint. This is particularly problematic when the records inside the site have different retention schedules where some should be deleted at one interval and others at another interval. Managing this process is left to third parties or organizations to solve themselves.
In addition to records management, SharePoint supports in-place holds. The holds can be triggered through the eDiscovery mechanisms or applied manually. Starting with SharePoint 2013, a document on hold can be modified, though the version that was placed on hold may not be destroyed. Management of holds is performed through an eDiscovery center. eDiscovery in SharePoint is scoped to SharePoint only and therefore represents one more repository to be managed when responding to a request.
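The in-place records behavior described above (a declared record cannot be deleted even by a user with delete permission on the library) can be exercised and audited from PnP.PowerShell. This is an added example, not code from the book or from Microsoft; the site URL, library name and item ID are placeholders, and it assumes the signed-in user is a site collection administrator (required to enable in-place records management).

```powershell
# Added example: declare a library item as an in-place record with PnP.PowerShell,
# confirm the declaration, and show that a deletion attempt is refused.
# Assumptions: PnP.PowerShell is installed; the three values below are placeholders;
# newer PnP.PowerShell releases also require -ClientId on Connect-PnPOnline.
$SiteUrl = "https://contoso.sharepoint.com/sites/records-demo"   # placeholder
$Library = "Documents"                                           # placeholder
$ItemId  = 4                                                     # placeholder

Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Enable in-place records management for the site collection (safe to re-run).
Set-PnPInPlaceRecordsManagement -Enabled $true

# 2. Declare the item as a record. From this point the item is locked against
#    prohibited actions such as deletion, regardless of the user's library permissions.
Set-PnPListItemAsRecord -List $Library -Identity $ItemId

# 3. Verify that the declaration took effect before relying on it.
$isRecord = Test-PnPListItemIsRecord -List $Library -Identity $ItemId
Write-Host "Item $ItemId declared as record: $isRecord"

# 4. Attempt the deletion the text says must fail. An access-denied error here is the
#    expected (correct) outcome; a successful deletion means the control is not in effect.
try {
    Remove-PnPListItem -List $Library -Identity $ItemId -Force
    Write-Warning "Deletion succeeded: in-place record protection is NOT in effect."
} catch {
    Write-Host "Deletion refused as expected: $($_.Exception.Message)"
}

# 5. Audit pass: list every declared record in the library so the records manager can
#    reconcile it against the retention schedule (the page notes retention is the weak
#    spot of in-place records, so this inventory is the input to that manual review).
Get-PnPListItem -List $Library -PageSize 500 | ForEach-Object {
    [pscustomobject]@{
        Id       = $_.Id
        Name     = $_["FileLeafRef"]
        IsRecord = Test-PnPListItemIsRecord -List $Library -Identity $_.Id
    }
} | Where-Object IsRecord | Format-Table -AutoSize
```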
It's important to understand that Office 365 is built on top of the Microsoft Azure services and is delivered from Microsoft Azure datacenters. Microsoft maintains numerous certifications for overall compliance and specific compliance with various industry regulations. This means that the physical and data security of the Microsoft data centers which service Office 365 have been thoroughly evaluated.
Additionally, Office 365 is built on top of the Azure Active Directory service, which allows corporations to synchronize their internally managed Active Directories to an Azure-hosted replica. This replica can be used only as a directory or, with password synchronization, for authentication. Passwords synchronized to Azure Active Directory go through an additional SHA128 hashing process to ensure their safety.
Microsoft offers a variety of authentication security options, some of which are not included in all Office 365 licenses, that allow for multifactor authentication as well as other limitations and controls, including rules based on where the login attempt is coming from. For organizations that do not want to accept Microsoft's safeguards for authentication or have additional requirements, authentication can be performed through a federated authentication provider, including third parties or organization-hosted Active Directory Federation Services (ADFS), which is an included part of your Windows Server license. ADFS servers allow for even more fine-grained control of who can log in at what times from what locations and what they must do to prove their identity.
IG in Office 365 starts with all of the SharePoint features for SharePoint and OneDrive content, all of the capabilities conveyed by the base infrastructure, and additional capabilities that are unique to Office 365. Features like Customer Key allow organizations to bring their own encryption keys, so that Microsoft is not able to provide decrypted information even if it is required by a court or government to turn over customer information. Though organizations would presumably be required to provide their keys to lawful authorities, having the request go directly to the organization allows them to exercise their legal rights to appeal the request.
More broadly, Office 365 has a security and compliance center that provides a platform-wide view of many information governance concerns. Data governance and data loss prevention are both cross-service features that apply to Exchange and SharePoint. This provides a single approach that functions across the service regardless of whether the data is stored or transmitted. These features are, at the time of this writing, integrating Azure Information Protection labels and experiences in Outlook and SharePoint, including mobile clients.
While these information governance capabilities do not use the historical SharePoint approaches for data loss prevention or records management, the fact that they can be applied across the entire offering makes them a compelling solution for addressing the multiple-repository problem that plagues all large organizations. While the scope extends only to the Microsoft offerings, this can represent a substantial portion of an organization's information governance needs.