Security Think Tank: Seven strategies for limiting cloud data leakage

What can IT teams do to ensure users are not synchronising sensitive corporate data to insecure cloud services?

Smartphones, tablets and phablets are simply too easy to use: most, if not all, offer to back up data to the cloud either by default or with a single tap. One of the potential issues is that the security of the supplier’s cloud cannot be guaranteed, and it must be remembered that availability is just as much a part of security as confidentiality and integrity.

So, what can be done to stop potentially sensitive company data from being exported to these supplier clouds?

One approach is simply to ignore that the problem exists. Another is the simple, and I suspect anticipated, answer of having guards at company premises remove all personal smartphones, tablets, memory sticks and so on from staff and visitors, together with making the IT department ensure that every company PC or laptop is locked down hard enough to remove any possibility of a cloud connection.

But neither of these approaches does a reasonable job of mitigating the risk of data exfiltration while still allowing flexible use of new technologies and ways of doing business.

Practical solutions will depend on a company’s policies. For example, the answer may differ if an organisation insists on company-supplied IT only (including company-selected technologies and devices), or if it employs a buy-your-own-device policy (where any device, or one of a limited selection, is supported).

Some of the things that can be done and would apply in most scenarios include the following:

  • Staff education
  • Management education
  • Regular reinforcement of the education given
  • Well-thought-out formal acceptable-use policies (AUPs) that are published, made easily accessible and formally tied into staff contracts
  • Effective staff disciplinary procedures for breaches of the AUP, and consistent enforcement of them
  • Well-written standards, templates and work practices for setting up devices and central services
  • Where possible, network and system controls that monitor and/or restrict which files can be downloaded, where they can be downloaded to, and when.

As a minimum, audit logs need to be maintained that identify who did what to a file, and when.
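The last two points, monitoring where files go and keeping logs that answer who, what, where and when, can be turned into a simple detection pass over proxy logs. The script below is an added example written for this page; it is not code from the article or its author. Everything in it is an assumption made for illustration: the proxy log format (timestamp, user, client IP, method, URL, bytes sent, filename), the starting list of consumer cloud-sync domains, the filename markers, the size threshold and the constructed sample lines. In a real deployment these would come from the proxy, DLP or CASB product in use and from the company's own AUP.

```python
"""Detection logic over proxy logs: who uploaded which file, to which consumer
cloud service, and when.

Added example, not code from the article. The log format, domain list, filename
markers, threshold and sample lines are all assumptions for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Assumed starting list of consumer cloud-sync destinations (illustrative, not complete).
CONSUMER_SYNC_DOMAINS = frozenset({
    "dropbox.com",
    "icloud.com",
    "drive.google.com",
    "onedrive.live.com",
})
# Assumed filename markers the AUP treats as sensitive.
SENSITIVE_MARKERS = ("confidential", "payroll", "customer")
UPLOAD_METHODS = frozenset({"POST", "PUT"})
LARGE_UPLOAD_BYTES = 1_000_000  # assumed threshold for a "large" upload

# Hypothetical proxy log line: timestamp user client_ip method url bytes_sent filename
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<bytes_out>\d+) (?P<filename>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    method: str
    host: str
    bytes_out: int
    filename: str


def parse_line(line: str):
    """Return an Event, or None when the line does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = (urlparse(m["url"]).hostname or "").lower()
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Event(ts, m["user"], m["ip"], m["method"], host, int(m["bytes_out"]), m["filename"])


def is_consumer_sync_host(host: str) -> bool:
    """Exact or subdomain match: files.dropbox.com counts, notdropbox.com does not."""
    return any(host == d or host.endswith("." + d) for d in CONSUMER_SYNC_DOMAINS)


def upload_reasons(ev: Event) -> list:
    """Reasons an event should be flagged; an empty list means no finding."""
    if ev.method not in UPLOAD_METHODS or not is_consumer_sync_host(ev.host):
        return []
    reasons = [f"upload to consumer sync service {ev.host}"]
    name = ev.filename.lower()
    for marker in SENSITIVE_MARKERS:
        if marker in name:
            reasons.append(f"filename contains sensitive marker '{marker}'")
    if ev.bytes_out >= LARGE_UPLOAD_BYTES:
        reasons.append(f"large upload ({ev.bytes_out} bytes)")
    return reasons


def audit_uploads(log_text: str):
    """Return (findings, skipped). Each finding answers who/what/where/when;
    skipped counts lines that could not be parsed, so log gaps are visible."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        reasons = upload_reasons(ev)
        if reasons:
            findings.append({
                "who": ev.user,
                "from": ev.ip,
                "what": ev.filename,
                "where": ev.host,
                "when": ev.ts.isoformat(),
                "reasons": reasons,
            })
    return findings, skipped


# Constructed sample log (not real traffic). The last line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-04T09:12:03Z jsmith 10.0.4.21 POST https://www.dropbox.com/upload 2400000 Q1_payroll_confidential.xlsx
2024-03-04T09:15:44Z jsmith 10.0.4.21 GET https://www.dropbox.com/home 0 -
2024-03-04T10:02:10Z adoe 10.0.7.8 PUT https://sharepoint.corp.example/sites/finance/report.docx 180000 report.docx
2024-03-04T11:30:00Z adoe 10.0.7.8 POST https://drive.google.com/upload 512000 holiday_photos.zip
garbage line that the proxy should never have written
"""

if __name__ == "__main__":
    found, bad = audit_uploads(SAMPLE_LOG)
    for f in found:
        print(f"{f['when']} {f['who']}@{f['from']} -> {f['where']}: {f['what']} ({'; '.join(f['reasons'])})")
    print(f"{len(found)} finding(s), {bad} unparseable line(s)")
```

Run against the constructed sample it reports two findings: the payroll spreadsheet pushed to Dropbox (flagged for the destination, two sensitive markers and its size) and a personal archive pushed to Google Drive (flagged for the destination alone), while the browsing GET and the upload to the internal SharePoint host are left alone. The unparseable line is counted rather than silently dropped, which matters when the purpose of the log is to be able to say afterwards exactly who did what.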

Peter Wenham is a committee member of the BCS, The Chartered Institute for IT security forum strategic panel and director of information assurance consultancy Trusted Management.
