Risk and Opportunity in Cloud Services

Finding an optimal balance between the risks and opportunities of cloud services and storage can be challenging. Risk associated with information security, privacy and sovereignty must be considered as well as the opportunities for access to engaged learning, cost savings and agile development.

The Tasmanian Information Security Policy Manual outlines a framework based on a risk management approach that requires government agencies to implement policies and procedures that are proportionate to the level of risk.

A Guide to Implementing Cloud Services: Better Practice Guide shows how appropriate risk mitigation strategies can protect data according to its level of security classification.

Advice such as Cloud Computing Myths address some misconceptions which can lead to a loss of opportunity if information management is unnecessarily restrictive.

The challenge then, is to use cloud services that are optimal for the security classification of the data in question while maximising the opportunities afforded by cloud services.

 

Locking all education data into computing services and storage that are best suited to 'x-in-confidence' information is expensive, restrictive and reduces the possibilities for innovation in the provision of IT services for learning.

 

On the other hand storing 'x-in-confidence' data in social media services can be high risk.

 

The following mapping is a little simplistic but it shows how there could be room to choose 'best practice' third party cloud storage as well as social and mobile media where the terms of service are sufficient to meet needs.

 

 

By selecting the appropriate storage for each level of information security required we can make the most of the opportunities that cloud computing services bring while carefully managing the risks.

 

This risk management also includes best practice password management.

 





Social Media and Cloud Services in the Classroom

 



The above snaps are from a great presentation by Tassie educator @anthonycoe on social media in the classroom focussing on engaged learning and effective communication using Socrative, Twitter, Facebook, Google and other SM.

It prompted me to think again about the classroom use of cloud storage through social and mobile services. 5 years ago most education departments, through their own IT Services, managed the risks associated with security, privacy and reliability of online data transfer and storage.

Today teachers and students can choose from a wide range of social and mobile services to enhance learning. What factors should be considered when looking at the cloud storage that these services use? How do we balance the educational opportunities with the appropriate information management controls?

The use of cloud computing is widespread and while most people don't know where their financial, insurance, health, legal or retail data is stored many would trust that the organisations with which they choose to do business follow best practice cloud computing standards and procedures.

Some initial research into cloud services commonly used in schools shows that they are probably suitable from privacy and security points of view for the kind of data commonly being transferred and stored.

 

These cloud computing services employ a number 'best practice' information management procedures and adhere to the European Safe Harbour privacy protection standards:



• Multi-factor authentication (at least two factor) sign on
• Encrypted storage
• Secure transmission
• Remote wipe (from mobile devices if lost)

What guidelines would help teachers and students make appropriate cloud computing choices for both learning and life?

The transfer and storage of higher risk data that is 'x-in-confidence' (legal, private medical, commercial, research...) needs deeper consideration.

At the end of the day the greatest risk to data privacy and security is probably password management - but that's another post.