February 20, 2012 No Comments-
Personal cloud services are popping up like spring weeds. Services like DropBox, Box.net, iCloud, Amazon Cloud Drive and soon Windows 8 (via SkyDrive) entice users with promises of free storage and accessibility from everywhere on every device, and utilization of these services is continuing to expand. According to Forrester, personal cloud storage will be $12 billion market by 2016. Wait, aren’t most of these services free?
There is no such thing as a free lunch or free storage.
What most users don’t understand is that when they use “free” services, they are the product, not the customers. The vast majority of companies that offer free storage generate revenue by selling data about the users. Beyond the potential privacy concerns, the content users upload is sitting somewhere in cloud completely unencrypted.
While users may love these services, they are a data privacy and security nightmare. These services can store massive amounts of data and are not difficult targets for an attacker to compromise. Your organization might encrypt all storage devices, but if your sales team is synchronizing contracts to the Box.net or iCloud so they can access them on their tablet at tonight’s dinner meeting or the infrastructure team is sharing your network topology with the off shore team via DropBox– guess how effective your security is? If a data breach happens, it’s not the user responsible for the breach won’t be headline news, your company will.
Solving the issues caused by personal cloud isn’t easy. User owned devices like smart phones, tables and portable storage are streaming into the network at an unprecedented pace. Unless you control these devices– including controlling the applications they install – it will be impossible to completely stop the flow of corporate information up, up and away to the cloud. However, there are steps you can take to reduce the risk. Start by defining and communicating a security policy related to clouds. Users should understand the enterprise position and possible consequences of using personal cloud services to store corporate content. It would be nice if you could stop here and count on 100% compliance, but security is not a fairy tale. Users will intentionally and unintentionally violate the policy.
After you have defined a policy, consider implementing an end point management solution that allows you to secure, configure and manage traditional end points and newer end points like mobile devices. Only allow device that can be controlled by the management solution to connect to the network if possible. Finally, block access to personal cloud services using a tool like Norman Network Protection (NNP). Network protection can block specific protocols and URLs in addition to providing protection against malware before it reaches users and end points. If users must have access to a cloud solution, select a corporate provider that adheres to your security requirements.
Made up of various contributors' opinions and insights - the power of the collective.
Security Exposed Bloggers
Norman Blog Archive