Gil Zimmermann


Five Ways to Protect Company Information in the Cloud

The cloud requires IT and employees to become partners to ensure data is kept safe

If you aren't a complete technological Luddite, the odds are high that you have stored or worked with corporate information in some sort of cloud environment. Whether you're using Facebook for marketing purposes or migrating the entire organization's productivity suite to Google Apps, most - if not all - enterprises are operating in the cloud to some degree whether they know it or not. Given the cost savings and collaboration benefits of cloud productivity offerings, it's easy to see why companies are making the switch. The one downside to this widespread migration is that organizations are entrusting cloud platforms to house sensitive information without a full understanding of the data security implications.

There are critical measures companies can take to enjoy the same level of security and control as their on-premise data, while taking advantage of the cost savings and collaboration features of the cloud. One caveat for readers: the best practices and terminology outlined below apply specifically to Google Apps and Google Docs. However, the actions that will be discussed can be broadly applied to all other cloud-based productivity apps.

Control Access Privileges
One of the biggest fears in moving to the cloud is that the IT team no longer controls access to sensitive data. By default, some cloud productivity apps put access control in the hands of the end users rather than IT.

Whether you use a third-party application or write your own code, you'll want to enforce access controls over the following actions:

  • Adding or removing collaborators
  • Changing ownership
  • Changing collaborator access rights on any documents in the domain (even if you're not a collaborator)

Set Up Auditing for Governance and Compliance
Organizations not in compliance with current legislation, including HIPAA, FISMA, FERPA and Sarbanes-Oxley, can experience severe repercussions including fines by regulators, criminal liability and loss of employment. Considering that small and medium-sized companies are the largest cloud adopters, this is an area where companies that store sensitive data or need to prove proper access rights controls for regulatory compliance are particularly vulnerable.

Delegate Governance
A struggle many IT administrators face when migrating to the cloud is the perception of losing control over enterprise data. Many cloud platforms take this fear to another level by not only taking data off-premise, but by positioning the users as the first and only line of defense. Time has shown that piling additional IT chores on all employees, such as managing sharing permissions, is not an effective data security strategy. However, managing access to cloud data shouldn't be an all-or-nothing decision; that is, the full burden shouldn't belong to IT.

Enterprises should not delegate access management responsibilities strictly by organizational roles. Instead, stakeholders with intimate knowledge of the data should be considered because they have a full understanding of who should and should not have access to critical information. Delegation by department, region, organizational unit or any other logical group within the company should be considered. This way, access rights are appropriately set so employees can reach all the information they need to complete their jobs while IT doesn't have to worry about data leaks.

Transfer Document Ownership
While there's plenty of "Who owns the data?" debate when it comes to the cloud, there is another, less publicized data ownership issue: What happens to an employee's data when they leave the company?

In Google Apps, if you delete an employee's account, you automatically delete all the documents they owned, which could be downright catastrophic for some businesses. In order to change ownership of those documents, the IT staff must log in as that user and edit the owner for each file individually. This is a painstakingly tedious task for organizations but one that is worth its weight in gold when compared to the alternative of irretrievably losing business-critical information.

Monitoring and Alerts
If the preceding steps have been taken, your cloud data is pretty well locked down. But data security is a never-ending process and the cloud is no exception. The question now is how to manage new documents that are created and shared. You'll need to either implement a manual process whereby end users generate reports on the documents they have created or implement policy-based alerts and monitoring capabilities when permissions and exposure change for files.
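A policy-based alert of the kind described above can be built by comparing two permission snapshots of the domain's documents. The following is an added example, not code from the article or from any vendor: the snapshot layout, the rule names and the example.com domain are assumptions, and the data is constructed rather than real Google Apps output.

```python
# Added example: snapshot format, rule names and domain are assumptions.
COMPANY_DOMAIN = "example.com"  # hypothetical company domain

# Constructed snapshots: doc id -> owner, collaborators {email: role}, link visibility
BEFORE = {
    "doc-1": {"owner": "ann@example.com", "acl": {"bob@example.com": "reader"}, "link": "private"},
    "doc-2": {"owner": "ann@example.com", "acl": {}, "link": "private"},
    "doc-3": {"owner": "bob@example.com", "acl": {"ann@example.com": "writer"}, "link": "domain"},
}
AFTER = {
    "doc-1": {"owner": "ann@example.com",
              "acl": {"bob@example.com": "writer", "eve@partner.test": "reader"}, "link": "private"},
    "doc-2": {"owner": "ann@example.com", "acl": {}, "link": "public"},
    "doc-3": {"owner": "carl@example.com", "acl": {"ann@example.com": "writer"}, "link": "domain"},
    "doc-4": {"owner": "bob@example.com", "acl": {"x@gmail.test": "writer"}, "link": "private"},
}

EXPOSURE = {"private": 0, "domain": 1, "public": 2}   # higher value = wider audience
EMPTY = {"owner": None, "acl": {}, "link": "private"}  # baseline for newly created docs

def is_external(email):
    """True when the address is outside the company domain."""
    return not email.lower().endswith("@" + COMPANY_DOMAIN)

def diff_alerts(before, after):
    """Return sorted (doc_id, rule, detail) tuples for policy-relevant changes."""
    alerts = []
    for doc_id, new in after.items():
        old = before.get(doc_id, EMPTY)
        if old["owner"] and new["owner"] != old["owner"]:
            alerts.append((doc_id, "owner-changed", f"{old['owner']} -> {new['owner']}"))
        if EXPOSURE[new["link"]] > EXPOSURE[old["link"]]:
            alerts.append((doc_id, "exposure-increased", f"{old['link']} -> {new['link']}"))
        for email, role in new["acl"].items():
            prev = old["acl"].get(email)
            if prev is None and is_external(email):
                # Policy choice: new internal collaborators are not alerted on.
                alerts.append((doc_id, "external-collaborator-added", f"{email} as {role}"))
            elif prev is not None and prev != role:
                alerts.append((doc_id, "access-rights-changed", f"{email}: {prev} -> {role}"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in diff_alerts(BEFORE, AFTER):
        print(*alert, sep=" | ")
```

The three rule families map to the actions listed under Control Access Privileges: collaborator changes, ownership changes and access-right changes, plus link exposure.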

Regardless of the cloud productivity platform, these data protection practices are the foundation to securing data housed within them. The cloud requires IT and employees to become partners to ensure data is kept safe, so frequent communications are paramount to maintaining data security.

More Stories By Gil Zimmermann

Gil Zimmermann is CEO of CloudLock. Prior to founding CloudLock, he was an Entrepreneur-In-Residence (EIR) at Cedar Fund. He has over 16 years of experience in the IT systems and storage markets and an extensive background in building high growth businesses, both domestically and internationally. He has held key business positions in both small and large companies (Backweb, Sun Microsystems, EMC Corporation), beginning his career in the Israeli Defense Forces (IDF) with several technology leadership positions in the Military Intelligence Elite Computer Projects Unit.
