As I mentioned in my last post, Pauldotcom recently sponsored a great podcast on the value of security awareness training, with some very smart folks both for and against awareness training. The podcast helped me think of new issues. One of the key points brought up was there is no need to teach people about technology, for example why would you need any security awareness training about the Cloud? The technology should just work, let the security geeks worry about the HOW part. While correct up to a point, ultimately I disagree. I think as security professionals we get so caught up in the technical details we can forget about the big picture. Here are some of the key things I would cover about the Cloud.
- What Is The Cloud: Okay, you and I may breath Cloud, with our music synced with iTunes Match and using SpiderOak, Google Drive, or Dropbox on a daily basis. However you probably have alot of people in your organization who have no idea what the Cloud is, even though they are using it. You may want to start by teaching them what the Cloud is and the risks involved.
- Is Cloud Allowed?: Is the use of the Cloud allowed in your organization? If no, then make sure people know it. If yes, then which Cloud solutions can they use and what are the limitations? Are they allowed to install their own Cloud solutioin? For example, if you have BYOD you may want to be sure people are not backing up your organizational data to their personal iCloud account.
- Rules for Sharing: What data can be shared, and with whom? Can they use the Cloud to share with people outside the organization? If so, what types of data can and cannot be shared?
- Access: What devices can they or can't they access the Cloud from? Is two-factor authentication required? What other access requirements do you have?
I agree people should not have to understand how technology or how our security controls work. If we do our job right security should be transparent. However when it comes to people technology cannot solve all our problems, issues you and I take for granted most people have no idea about. Usually these issues are less about technology and more about policy, processes and procedures - however these do absolutely no good if your people do not know or understand them.