So, here's the thing. There is no comprehensive Standard (read: hugely politically debated adopted scoffed at embraced published THING) for The Cloud for information governance (read: slightly insane mixture of art and law and business technique and documentation and compliance and policy and pragmatic execution).
There isn't. I've looked.
Why??? Well, mostly because we can't seem to stop debating who has the bigger better faster definition for Cloud or the most internet based services that can be crammed into the latest buzz generating tech new kid on the block. Once we settle on the what & the scope of the what, we can start to focus on the how.
While we wait for some of the Cloudness to come to earth, I believe that we \*can\* leverage frameworks in the various data governance categories to begin to define the scope of protection in the appropriate context-- if you've read my data musings for more than 10 seconds you know I'm a gal all about context and the decisions we make based thereon.
Security is one of those critical categories. While a Cloud Standard does not yet exist, we must recognize that a statement, "I am secure"-- as if being secure were a static state or indeed possible in an empirical sense-- is simply not enough.
I can say, "I am happy" because it is a statement I have chosen to make given a context I uniquely experience. 3d parties can make this state a challenge or temporarily impracticable, but the happy party is largely in control of this state.
"Security" in the enterprise context is a bit different. An enterprise can be temporarily incident free or incident attempt free, but the fact remains that active or inadvertent mischief is wildly out of the guards' zone of ultimate control. Attackers have all the time in the world to find just one way in whilst the governance teams must think of every possible entre and plan and resource accordingly. It's a noble calling but never a steady state and rarely one for which the enterprise servant is given thanks.
Sigh. Was I just talking about happiness a few lines ago...?
SO, you have choices. (Ah, making choices & feeling some control is indeed a psychological factor in basic happiness and self efficacy studies, so I think we're getting somewhere on this rant. I \*did\* studymy Psych books between beers at OSU after all, Mom & Dad!!)
One choice is to look at the myriad of security standards and Standards and pay to play standards, pick one best suited to purpose and context and audience and apply it to Cloud offerings as best fit as possible. Once done, a good old fashioned gap analysis, risk assessment and mitigation plan can be set in motion. It may not be text book because the text book isn't written yet, but it sure feels like progress. It also feels a lot like deja vu.
Remember grabbing the Fair Processing Principles and applying them to personal data before all the specific regs and data breach laws were promulgated? Worked then & a similar practice may wprk now to at least get this Cloud party into a more stable state and ready for bigger and more diverse work loads.
More on this on another night.
Cute kid story for Miss Sweet Cheeks that's utterly unrelated to Clouds, security but intimately related to happiness.
SC had her check up at the doctor this week. The good doc was asking my husband developmental questions (relating to the girl, not him) & then went over her measurements.
Doctor: "Well, she's 84% for ..."
Sweet Cheeks (interrupting): "I am NOT 84, I'm THREE!"
Doc: "Nothing wrong with her development. You can take her home."
Ah, the good old notions of immediate access to personal data and correction from an authenticated (though often unreliable) source. Makes a Momma proud.
Sweet dreams Info Nation!