Unlike BYOD, which has been around for a while, Bring Your Own Cloud (BYOC) is a newer phenomenon in Enterprises over the last few years, whether or not Cloud storage use is approved. Some of the popular Cloud services that come to mind are Salesforce, Google Drive, Amazon Zocalo, Marketo, Dropbox, Box, and Office 365; employees enjoy the productivity, ease-of-use, and convenience of these Cloud storage solutions and applications, with or without corporate sanction.
We know that, because of their flexibility and convenience, Cloud storage and applications are here to stay. With Cloud storage costs dropping to commodity pricing and consumers enjoying the benefits, many employees and companies look favorably on BYOC as a viable Cloud storage solution. Unfortunately, most of these Cloud services were not built for Enterprise use, especially when it comes to sensitive and proprietary data, and do not have the enterprise security controls in place to adequately protect it. The risk to the organization's intellectual capital is often not at the forefront of the employee's mind; ease-of-use is.
Imagine someone's healthcare record stored in the Cloud, and what would happen if this type of confidential data were compromised. A healthcare system operating in 29 States recently reported that 4.5 million records of electronic protected health information (ePHI) were stolen, a breach documented by the US Department of Health and Human Services as the largest on record. Does this mean that only enterprises and governments holding intellectual property and sensitive business information are at risk of cyber attack? The answer is a clear "no".
With the recent news that a hacker gang, CyberVor, stole 1.2 billion usernames and passwords, described as the "largest data breach to date", we are all exposed when we use Cloud applications, and it is unclear how and when we would be told if our confidential data were indeed compromised. It feels like "Heartbleed" all over again, and end users need to change their passwords once more.
Identity, data security, and visibility are top of mind for most CISOs. Identity management lets organizations know who is accessing the information, on what types of devices, and from where. With Enterprise data, we need to ensure the information is protected whether it sits in Cloud storage applications or on mobile devices. Visibility into what data transactions are happening on the network, in Cloud hosting, or on endpoints allows organizations to assess risks and threats. What happens when the Cloud provider has no disaster recovery or security plan for your data? If the provider offers additional encryption, is that reason enough to trust that your data cannot be compromised?
Many regulated industries, such as healthcare, financial services, and the public sector, still have fairly restrictive IT policies for Exchange email, VPN access, and laptop/PC security settings. The reality is that employees now use smart devices such as iPhones, iPads, and Android tablets and smartphones in the workplace, and they need the right tools to access their information securely.
However, for most Enterprises, using the Cloud presents a big challenge when it comes time for an IT audit. Auditors will look for regulatory compliance and an audit trail of data leaving the company's premises. Once data leaves the company's premises for the Cloud provider's, there are no guarantees about where it is stored, whether it is secure or has been compromised, or whether it is backed up.
Cloud and mobile are here to stay, and organizations are embracing the productivity benefits. However, significant issues still hold back adoption at the Enterprise level:
- Data privacy laws that stipulate information cannot leave a country’s jurisdiction
- Government laws that allow surveillance of Internet companies’ data
- Personal Cloud accounts protected by only Usernames & Passwords
- The question of who owns the data when it is stored in the Cloud
There is definitely an increasing appetite for mobile and Cloud digital identity solutions that offer stronger authentication, identity management, and client-managed (physically decoupled) keys for encrypting information in the Cloud. This is especially true for European companies with operations and data centers worldwide, who must concern themselves with protecting sensitive data in the Cloud.
To mitigate the risks of Cloud storage, and of employees bringing their own personal Cloud storage and applications into the office, here are some key Security Considerations for any Enterprise to address:
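As an added illustration of what "client-managed (physically decoupled) keys" means in practice (example code written for this edit, not from the original post or any vendor): the key is generated and kept on the client, the provider only ever receives AES-256-GCM ciphertext, and the object name is bound as associated data so a blob cannot be quietly swapped under another name. The `cloudStore` type is a constructed in-memory stand-in for a storage provider, and the patient record is constructed sample data; both are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// cloudStore is a constructed stand-in for any BYOC storage provider: it only ever
// receives opaque blobs, never the key. (Assumption for this example.)
type cloudStore map[string][]byte

func (s cloudStore) Put(name string, blob []byte) { s[name] = append([]byte(nil), blob...) }
func (s cloudStore) Get(name string) ([]byte, bool) { b, ok := s[name]; return b, ok }

// NewClientKey generates a 256-bit AES key. It is created and kept on the client
// (or in a client-controlled key manager) and is never sent to the provider.
func NewClientKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealObject encrypts plaintext with AES-256-GCM before upload. The object name is
// bound as associated data, so a blob copied under a different name will not open.
// Layout of the returned blob: 12-byte nonce || ciphertext || 16-byte GCM tag.
func SealObject(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// OpenObject decrypts a blob fetched from the provider. Any modification to the
// nonce, ciphertext, tag, or object name makes GCM authentication fail.
func OpenObject(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed object")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	provider := cloudStore{}
	const name = "records/patient-0001.txt"
	// Constructed sample record; not real data.
	record := []byte("patient: J. Doe; MRN: 000123; note: follow-up in 6 weeks")

	blob, err := SealObject(key, name, record)
	if err != nil {
		panic(err)
	}
	provider.Put(name, blob)

	stored, _ := provider.Get(name)
	fmt.Println("provider can see plaintext:", bytes.Contains(stored, record))

	pt, err := OpenObject(key, name, stored)
	fmt.Printf("client decrypts: %q (err=%v)\n", pt, err)

	stored[len(stored)-1] ^= 0x01 // flip one tag bit at the provider
	_, err = OpenObject(key, name, stored)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point of the design is what the provider cannot do: without the client key it can neither read the record nor alter it undetected, and a compromise of the provider (or a surveillance demand served on it) yields only ciphertext. Key storage, rotation, and recovery then become the Enterprise's problem rather than the provider's, which is exactly the trade the "physically decoupled" model makes.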
- Does the security of your Cloud provider meet your Enterprise security standards including but not limited to authentication, encryption, audit, disaster recovery, and regulatory concerns?
- What is the contingency plan if this Cloud provider is compromised, as NRC Canada was recently?
- Does your organization know what information is stored with the Cloud provider?
In the end, taking the proper precautions and following strict risk assessment protocols can make all the difference in the world.
This concludes a 2-part blog series on Internet Security (Part 1: "Internet Security Aftermath"). For a comprehensive article on "Identity and Authentication", stay tuned for the next blog on "Bring Your Own Authentication" (BYOA).