Peer to Peer Magazine

Winter 2015

The quarterly publication of the International Legal Technology Association

Issue link: http://epubs.iltanet.org/i/624538


BEST PRACTICES

Keep Your Data in the Cloud Safe

The cloud is everywhere, anywhere and nowhere, and it's getting harder to prevent people from using unsecure commercial cloud services. It's time to get on board! Here are some tips on how to keep your data in the cloud safe.

Set Policy: The first step to cloud management is ensuring your organization has a clear policy regarding cloud computing as part of your overall set of information security policies. The cloud computing policy should:

• Insist that terms and conditions be reviewed appropriately
• Comply with the firm's acceptable use policy
• Adhere to any laws and regulations

The policy should also include a list of preapproved cloud services. Blocking all cloud services won't work: Clients often share files using cloud storage platforms, and marketing teams utilize social media, for instance. While there is merit to only giving specific groups access to cloud services, this adds management complexity. And blocking social media could affect morale.

Assess Risk: When you know what services you will allow, conduct a thorough risk assessment. This should include:

• An evaluation of security
• How authentication works
• Where and how credentials are stored
• How the data are stored and transmitted (encryption at rest and in transit)
• What features are available and how they work (litigation hold, discovery, data retention, data deletion, etc.)

Also conduct a security and risk assessment or audit of the supplier. This could be a simple questionnaire to determine whether the organization has implemented adequate safeguards to protect your data.

Integrate and Centralize: Rather than using standalone services such as those designed for personal use, choose options that can integrate with your organization's current authentication mechanisms while providing centralized management and auditing. This will improve the overall user experience and make management easier, and it should give you the ability to prevent unauthorized access to data. Integrating with multifactor authentication mechanisms is also a good way to add a layer of security. Like general authentication credentials, multifactor authentication should be centrally managed.

Review the Terms: Review the provider's terms and conditions to be sure you maintain ownership of your data and that no one but you and those you allow will have access to your data. Encryption keys for data at rest should be unique to your organization and inaccessible to unauthorized persons. In addition, it is important to understand where your data reside and the resulting laws to which you may be subject.

Add More Precautions: Look at data loss prevention (DLP) solutions to monitor and prevent accidental leaks of sensitive information. Although not limited to the cloud, there are many network and host-based DLP solutions that can prevent users from uploading and subsequently sending files through channels such as social media, hosted email services and cloud storage. DLP solutions intercept traffic and compare it against a rule set.

Educate Users: Education and awareness will be tremendously helpful in ensuring compliance with company policies. Make sure your user base understands what is expected of them.

SAFE IN THE CLOUD

Using these steps will go a long way to helping keep the cloud and its inherent risks under control.

About the Author

Georg Thomas is an Experienced Manager at Grant Thornton LLP's Business Advisory Services practice. He has over 15 years of information security and technology experience, serving clients in all industries. He is a Certified Information Security Manager (CISM), Certified Ethical Hacker (CEH) and 2014 and 2015 Microsoft Most Valuable Professional (MVP) award recipient who provides strategic and technical information security consulting. Georg is skilled in all areas of information security, from security management to hands-on implementation. Contact Georg at georg.thomas@us.gt.com.
