Smartphones, tablets and phablets are just too easy to use, with most – if not all – offering to back up data to the cloud either as a default option or via a single click. One of the potential issues is that the security of the supplier's cloud cannot be guaranteed, and it must be remembered that availability is just as much a part of security as confidentiality and integrity.
So, what can be done to stop potentially sensitive company data being exported to these supplier clouds?
One approach is to simply ignore that the problem exists. Another is the simple – and, I suspect, anticipated – answer of having guards at company premises remove all personal smartphones, tablets, memory sticks and so on from staff and visitors, and of making the IT department ensure that every company PC or laptop is so heavily locked down that a cloud connection is impossible.
But neither of these approaches does a reasonable job of mitigating the risk of data exfiltration while still allowing flexible use of new technologies and ways of doing business.
Potential practical solutions will depend on a company's policies. For example, the answer may differ if an organisation insists on company-supplied IT only (including company-selected technologies and devices), or if it operates a buy-your-own-device policy (under which any device, or one from a limited selection, is supported).
Some of the things that can be done and would apply in most scenarios include the following:
- Staff education
- Management education
- Regular reinforcement of the education given
- Well-thought-out formal acceptable-use policies (AUPs) that are published, made easily accessible and formally tied into staff contracts
- Effective staff disciplinary procedures for breaches of the AUP, and enforcement of them
- Well-written standards, templates and work practices for setting up devices and central services
- Where possible, network/system controls put in place to monitor and/or control which files can be downloaded, what they can be downloaded to, and when.
As a minimum, audit logs need to be maintained that identify who did what to a file, and when.
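The following is an added example of what that minimum audit trail looks like in practice on a Linux file server; it is not part of the original article and not the author's code. It assumes the host runs auditd on x86_64 with watch rules such as `-w /srv/finance -p rwa -k sensitive_files` and a hypothetical `-w /home -p wa -k cloud_sync` covering users' cloud-sync folders. The audit records, the `CloudSync` folder name and the user-id mapping are all constructed for the example. The script correlates each event's SYSCALL, CWD and PATH records into a "who did what to which file, and when" trail, and then flags the pattern the article is concerned with: a sensitive file being read and a same-named file being created in a cloud-synced folder shortly afterwards.

```python
"""Turn raw Linux auditd records into a per-file 'who did what and when' trail
and flag sensitive files that reappear in a cloud-sync folder.

Added example; assumptions: x86_64 (arch=c000003e, syscall 257 = openat) and
audit rules -w /srv/finance -p rwa -k sensitive_files and -w /home -p wa -k cloud_sync.
"""
import os
import re
from datetime import datetime, timezone

# Constructed sample records (not captured from a real system).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1412154000.101:2001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3a2c1b40 a2=0 a3=0 items=1 ppid=4100 pid=4122 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=7 comm="cp" exe="/usr/bin/cp" key="sensitive_files"
type=CWD msg=audit(1412154000.101:2001): cwd="/home/alice"
type=PATH msg=audit(1412154000.101:2001): item=0 name="/srv/finance/q3-forecast.xlsx" inode=12345 dev=08:01 mode=0100640 ouid=0 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1412154000.104:2002): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd3a2c1b80 a2=80241 a3=1a0 items=2 ppid=4100 pid=4122 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=7 comm="cp" exe="/usr/bin/cp" key="cloud_sync"
type=CWD msg=audit(1412154000.104:2002): cwd="/home/alice"
type=PATH msg=audit(1412154000.104:2002): item=0 name="/home/alice/CloudSync/" inode=22222 dev=08:01 mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1412154000.104:2002): item=1 name="/home/alice/CloudSync/q3-forecast.xlsx" inode=22223 dev=08:01 mode=0100640 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1412154300.500:2003): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffc11aa2200 a2=80241 a3=1b6 items=1 ppid=5000 pid=5012 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=9 comm="vim" exe="/usr/bin/vim" key="sensitive_files"
type=CWD msg=audit(1412154300.500:2003): cwd="/home/bob"
type=PATH msg=audit(1412154300.500:2003): item=0 name="/srv/finance/payroll.csv" inode=12346 dev=08:01 mode=0100640 ouid=0 ogid=1001 rdev=00:00 nametype=NORMAL
"""

# Constructed mapping of login uid -> username (in real use, resolve via /etc/passwd or ausearch -i).
SAMPLE_USERS = {1001: "alice", 1002: "bob"}

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2   # open(2) access-mode bits in the a2 field


def parse_records(text):
    """Group raw records by audit event serial: {serial: {"ts", "SYSCALL", "CWD", "PATH": [...]}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events.setdefault(int(serial), {"ts": float(ts), "PATH": []})
        if rtype == "PATH":
            ev["PATH"].append(fields)
        else:
            ev[rtype] = fields
    return events


def file_access_trail(text, users):
    """Return one entry per file-access event: who (login uid), program, action, file, rule key, time."""
    trail = []
    for serial, ev in sorted(parse_records(text).items()):
        sc = ev.get("SYSCALL")
        if sc is None or not ev["PATH"]:
            continue
        # The PARENT item is the containing directory; the real target is the other item.
        targets = [p for p in ev["PATH"] if p.get("nametype") != "PARENT"] or ev["PATH"]
        path = targets[-1]["name"]
        if not path.startswith("/"):                       # relative names resolve against CWD
            path = os.path.normpath(os.path.join(ev.get("CWD", {}).get("cwd", "/"), path))
        flags = int(sc.get("a2", "0"), 16)                 # openat() flags are logged in hex
        action = "write" if (flags & O_ACCMODE) in (O_WRONLY, O_RDWR) else "read"
        if any(p.get("nametype") == "CREATE" for p in targets):
            action = "create"
        if sc.get("success") != "yes":
            action = "denied " + action                    # a refused attempt is still worth recording
        trail.append({
            "serial": serial,
            "epoch": ev["ts"],
            "when": datetime.fromtimestamp(ev["ts"], tz=timezone.utc).isoformat(timespec="milliseconds"),
            # auid is the login uid, which survives su/sudo; uid alone can hide who really acted.
            "who": users.get(int(sc["auid"]), f"auid={sc['auid']}"),
            "program": sc.get("exe", sc.get("comm", "?")),
            "action": action,
            "file": path,
            "rule": sc.get("key", ""),
        })
    return trail


def sensitive_copies_to_sync(trail, window_seconds=60):
    """Flag a user reading a 'sensitive_files' path and, within the window,
    creating or writing a same-named file under a 'cloud_sync' path."""
    reads = [e for e in trail if e["rule"] == "sensitive_files" and e["action"] == "read"]
    writes = [e for e in trail if e["rule"] == "cloud_sync" and e["action"] in ("create", "write")]
    findings = []
    for r in reads:
        for w in writes:
            delta = w["epoch"] - r["epoch"]
            if (r["who"] == w["who"]
                    and os.path.basename(r["file"]) == os.path.basename(w["file"])
                    and 0 <= delta <= window_seconds):
                findings.append((r["who"], r["file"], w["file"], w["when"]))
    return findings


if __name__ == "__main__":
    trail = file_access_trail(SAMPLE_AUDIT_LOG, SAMPLE_USERS)
    for e in trail:
        print(f'{e["when"]} {e["who"]:6} {e["action"]:13} {e["file"]} via {e["program"]} [{e["rule"]}]')
    for who, src, dst, when in sensitive_copies_to_sync(trail):
        print(f"ALERT {when}: {who} copied {src} into cloud-synced {dst}")
```

The trail answers the "who, what, when" question for every access, including the refused one, and the correlation step is the kind of control the previous list item refers to: it does not prevent the copy, but it turns two otherwise unremarkable log lines into an alert that a named file left the finance share for a folder that will be backed up to a supplier's cloud. In a real deployment the same logic would run over `ausearch` output or a forwarded audit stream rather than an embedded string.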
Peter Wenham is a committee member of the BCS, The Chartered Institute for IT security forum strategic panel and director of information assurance consultancy Trusted Management.