Offerings such as iCloud and Amazon Web Services (AWS) often offer a service that's easier to use compared with corporate systems, which is why individuals use them. As employees attempt to do their jobs better or quicker, or using devices other than corporate-issued ones, they often turn to this "shadow IT" and the easier way to work that it offers.
As all security professionals know, it is difficult to change this kind of behaviour. However, there are ways in which organisations can try to limit the use of these services and mitigate any incident.
1. Make things easy
There are two approaches here. The first is to label – or classify – information so users know if they can place it in the cloud or not. The second is to look at how IT provision can be changed to make security less burdensome.
As tablets and smartphones become the primary work computing device, offering easy access to the cloud, users will be less tolerant of VPN, multiple logins etc. Smaller organisations typically rely on services such as iCloud. For these businesses, it would make sense to implement additional security measures provided such as two-factor authentication.
2. Review policies to match reality
More on securing cloud backup
Policies should be revised to accommodate the use of BYOD, the connectivity required and the change in information risk. Incident response plans should be up to date and cover the loss of data from such services from all angles, including technology, legal and media.
A longer term solution is for businesses to properly educate their employees about all aspects of securely using the cloud. For example, they need to be taught about different data classifications – a database of customers’ personal data should not be stored in the cloud, for example. With Cyber Security Awareness Month kicking off this October, now is a perfect time to teach your employees the dos and don’ts of cloud security.
Adrian Davis is managing director EMEA for (ISC)2