Security Think Tank: Control smart devices and apps like the rest of ICT

What can IT security teams do to ensure users are not unwittingly synchronising sensitive corporate data to insecure cloud backup services?

No device, system or protocol will ever be 100% secure 100% of the time. When we talk about managing and mitigating risk we assume that appetite and tolerance have been established and create our policies and procedures within those boundaries.

This applies to individuals too, though they probably do not realise they are doing it. Every time they get the warning message before installing an app they make a decision about whether the level of access to their device – and therefore their information – is appropriate or not. They are making a choice between the risk to their data and the convenience of the app they want to use. 

Some may not take this very seriously and merely click through, allowing apps whatever access they request. These people may also not apply a similarly critical eye to establishing their device’s security, making a hack of their personal data – say photos – much easier to achieve.

That is what we saw recently with the iCloud nude photo stories that seemed ubiquitous for a couple of weeks. It is for these reasons that we must control smart devices and the apps on them in the same way we have traditionally controlled the rest of our ICT infrastructure.

But what does this mean for business? What can IT security teams do to minimise some of the risk from insecure apps and insecure cloud backup?

There are a number of ways in which IT security teams can attempt to prevent users from unwittingly uploading sensitive corporate data to an insecure cloud backup service:

  1. Ensure users receive regular security education, highlighting the issues related to storing data in the cloud. If the training is at a more personal level, they are more likely to remember it (for instance, use an example of the user storing personal data in the cloud and the impact of any leak or breach);
  2. Drive forward a culture of individual accountability. Underpin this culture with a robust set of security policies that reinforces the message to users that any accidental or intentional release of information is their responsibility, and may result in some form of disciplinary procedure;
  3. Wherever possible, minimise the risk of human error by restricting the ability to move data into a cloud environment only to appropriate users. This should be driven by their actual need to have this ability;
  4. Introduce some form of "splash screen" notification that reminds users they may be about to upload sensitive information to an insecure cloud backup service. In other words, a polite reminder that what they are about to do could go against company policy;
  5. Implement an in-depth protective monitoring policy, which would include a "word scan" program to block any email/document transfer out of the network if one of a selection of words is detected;
  6. Secure the services of a reputable and trusted secure cloud service provider. This provider should be one that will welcome careful stipulations in your service level agreement, such as employee vetting, the right to audit, review of data sanitisation practices etc;
  7. An extreme measure would be to prevent all users from directly uploading to a backup cloud service and instead force them to channel uploads through an IT department or IT provider, which would scrutinise any upload first and release it to the cloud only if it met a set of pre-defined authorisation conditions;
  8. Review devices following any operating system or application changes, which invariably affect or neutralise security settings;
  9. If you are concerned about the possible compromise of sensitive data, don't back up to a cloud service provider;
  10. Ensure policies, measures and procedures are understood and apply to all staff, including senior management and the board. These are the ones whose behaviour is frequently overlooked or has a blind eye turned to it – but they are just as fallible as anyone else.
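As an added illustration of the "word scan" in point 5 (example code written for this edit, not from the article or its author): a minimal outbound-message scan that case-folds the text, matches watch-list terms on word boundaries so that "restricted" does not fire on "unrestricted", and returns the matches that would justify blocking the transfer or showing the splash-screen reminder from point 4. The watch-list terms and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed watch-list: classification markers and a project code word.
# In practice this list comes from the organisation's classification scheme.
WATCH_WORDS = {"confidential", "internal only", "restricted", "project kestrel"}


@dataclass
class ScanResult:
    blocked: bool                     # True if any watch-list term was found
    matches: List[str] = field(default_factory=list)

    def reminder(self) -> str:
        # Text for a "splash screen" prompt; empty when nothing matched.
        if not self.blocked:
            return ""
        return ("This message appears to contain sensitive material ("
                + ", ".join(self.matches) + "). Sending it outside the "
                "network may breach company policy.")


def _normalise(text: str) -> str:
    # Case-fold and collapse whitespace so "CONFIDENTIAL" and
    # "Confidential" are treated alike.
    return re.sub(r"\s+", " ", text.casefold())


def scan_outbound(subject: str, body: str,
                  attachments_text: Optional[List[str]] = None) -> ScanResult:
    """Scan subject, body and extracted attachment text for watch-list terms."""
    content = _normalise(" ".join([subject, body, *(attachments_text or [])]))
    matches = []
    for term in sorted(WATCH_WORDS):
        # Lookarounds stop a term matching inside a longer word
        # (e.g. "restricted" inside "unrestricted"), which would be a
        # false positive. Keyword scans still miss obfuscated text, images
        # and encrypted attachments, so this is one layer, not the only one.
        if re.search(r"(?<!\w)" + re.escape(term) + r"(?!\w)", content):
            matches.append(term)
    return ScanResult(blocked=bool(matches), matches=matches)


# Constructed sample traffic: one benign mail, one carrying a marked
# attachment, and one where the term appears only inside a longer word.
SAMPLE_MESSAGES = [
    ("Lunch on Friday?", "Anyone free at 1pm?", []),
    ("Q3 figures", "Attached for review.",
     ["CONFIDENTIAL - Internal Only. Do not forward."]),
    ("Access rights", "Your account is now unrestricted.", []),
]
```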

A consistent approach is needed across an organisation and this will make your use of technology far more successful. The importance of contextualised education and refresher training is not to be underestimated.

In this, as in all areas of security, be iterative, be vigilant – and be prepared to react to emerging threats.

Mike Gillespie is director of cyber research and security at The Security Institute
