BYOD And The Issues Surrounding Cloud Storage
As BYOD increases and employees increasingly use personal laptops, smartphones and mobile devices for work purposes, concerns over data security and data privacy remain the most significant barriers to cloud adoption, according to the latest research from the Cloud Industry Forum (CIF). Corporate IT managers and CIOs are rightfully correct in their trepidation as they open their networks to and data leakage plus lose control over data once it leaves the corporate confines. While employees benefit from the ability to work from anywhere by using the cloud services that provide BYOD support, they also risk the loss of privacy when they inadvertently open access to personal files. This potential loss of privacy is worrisome.
CIF’s June 2012 research found that 66 percent of respondents said the most significant concern about the adoption of cloud services within the business was data security; this is up from 62 percent in 2011. The issue of data privacy also saw a leap up from 55 percent in 2011 to 66 percent in 2012.
The problem however is not BYOD, but the cloud storage. Using file storage providers such as Dropbox or Google Drive offers convenience and simplicity that may not be available with corporate applications. These services fall into category of Shadow-IT—the case in which users decide that they need a service, one which the IT department will not, or cannot provide to them in a timely manner. In other words, the hardware or software adopted “lives in the shadows” as opposed to being sanctioned and supported by the CIO and corporate IT departments. In the past Shadow IT included smartphones, portable USB drives and tablet computers on the hardware side and applications such as Gmail, instant messaging services and Skype. Shadow-IT now encompasses cloud storage as well. Where data is stored and how securely within these applications, however, cannot always be verified. What is known is that once out of the enterprise IT environment, it becomes impossible for CIOs to know where company data is, or who has access to it. In fact when one signs up for these cloud storage services, one is also giving the service permission to use one’s data (users are advised to check the terms and conditions fine print).
The challenge for cloud providers will be convincing customers that the risks of the cloud do not outweigh the benefits – and those risks include the exposure of data through security incidents. The March 2013 Distributed Denial of Service (DDoS) cyber-attacks on Spamhaus flooded Spamhaus servers blocking traffic and making the servers unreachable. For users storing files in services that use Spamhaus networks, their files were slow to access or in some cases, inaccessible. Other potential threats to documents stored in clouds include caching of information on mobile devices, and stored passwords. Companies may also risk issues with compliance with HIPAA (Health Insurance Portability and Accountability Act of 1996), HCFA (Health Care Financing Administration), FISMA (Federal Information Security Management Act) and SOX (Sarbanes-Oxley Act of 2002).
When IT departments choose cloud services to enable BYOD support, they are quite right to consider security and compliance as well as issues such as price and convenience. The CIF research also found that security concerns had risen in 2012 most noticeably in the private sector, increasing from 59 percent to 67 percent. Conversely, in the public sector concern had narrowly dropped from 69 percent to 66 percent. Both the private and public sector have experienced data attacks and the European Union (EU) have called on both corporations and governments to be more transparent when they suffer data breaches.
In sum, it behooves both cloud storage providers and corporate IT decision makers to focus on security. The clouds have a responsibility to users to protect the data stored from attack and to protect the privacy of documents stored. Moreover, IT departments must acknowledge the growing use of clouds that are brought in by users and realize that the department is never going to be able to compete with the simplicity and ease of use of clouds Consequently, IT must change its own worldview and figure out how to implement needed protection and guidelines to assure the security of data once it leaves the corporate network for the cloud. Such paradigm shifts will not be an easy process for many organizations. The trick will be to have both sticks and carrots—firm and enforceable data control policies and a never-ending search for the best cloud storage to meet changing demands.
By Simon Bain,
Simon Bain is the company founder, CTO and chief architect of Simplexo Ltd’s software solutions.