A week ago, I wrote about the National Health Service's escalating security issues and the problems it has encountered so far in terms of computer and data protection. My point was that part of their problem – which actually raises more or less the same (potential) questions for all organizations, private or public alike – consists of a weak information security policy.
As I found out this morning, the UK NHS could approach in-the-cloud security as a response to the ongoing difficulties it has in defending sensitive data. The initiative may have its share of benefits, as it could solve at least part of the problem – i.e. the concern of data going back and forth online through Web or e-mail, encryption etc.
However, what in-the-cloud can't actually handle in this particular case (and probably others) are two other factors, which, in my opinion, are important as well: humans and hardware. Apart from targeted attacks, insider negligence is probably the other major cause of data leaks. If we put into this equation an employee with a USB stick, iPod or any other mobile storage device that can connect to a single terminal in the network, or a laptop that somehow gets lost, I guess that in-the-cloud is not going to help much.
Which leads us back to the issue of policies/strategies and of the (multi-)layered security approach I discussed in my previously mentioned post. Adding an extra layer of defense is always a good idea and it proves, among other things, that there is a certain degree of awareness inside that organization. But crafting and deploying a security strategy should go further than that. Actually, what I'm trying to say (and I'll keep repeating it on and on, like a broken record) is that users hold the key role in security and some security is always better than no security at all, but no matter how much security you have, you'll never have enough!
Safe surfing, everybody!