Cloud file sync and share services like Box and Dropbox are increasingly used by employees for documents later accessed via various devices at home offices or on the road. As the use of cloud file sharing services has increased, IT managers must place more emphasis on the security implications of sensitive data being transported and hosted in unsanctioned cloud services, while balancing the convenience against the risk to corporate data.
Addressing employee cloud security perceptions
Whilst cloud services have clear productivity benefits, there are also data security implications for the business. Examples range from the high-profile cases where hackers harvest compromised credentials to steal information from cloud accounts to more nuanced issues such as how the cloud service handles the data if queried by law enforcement.
Unfortunately for the embattled IT manager, these security issues are not on the minds of the users who are storing potentially sensitive and confidential files in the cloud. Given the propensity for employees to use these services, and their belief that data kept on these systems is safe, companies must ensure they have a policy in place that minimises the risk to the organisation.
Some of the options available, covered in more detail below, include completely blocking cloud file sharing services, sanctioning one file sharing service that provides enterprise security features, and establishing a seamless, company-managed method to encrypt files before they are saved in the cloud and shared.
Option one: block them all
In the past, such as when employees began using USBs on a mass scale, the IT team’s reaction was to ban all access that could not be controlled or monitored, for fear that a data breach could not be prevented.
A blanket ban would be the least productive option and the least popular with employees, but company data would be significantly safer. However, cloud file sharing services can create a more productive environment where employees are able to work and easily access files while out of the office. The IT team must therefore take into consideration that a blanket ban could potentially leave the business at a competitive disadvantage.
In addition, locking users out of cloud file sharing services altogether can be challenging, if not impossible. Keeping track of all the endpoints and data is made increasingly difficult with more and more companies adopting BYOD (Bring Your Own Device) policies that allow employees to access company data on their personal devices. This route also requires the IT leader to direct resources towards policing users rather than empowering them, which will have a bigger impact on IT budgets.
Option two: pick one file sharing service to rule them all
The second, more viable alternative is to sanction one approved file sharing service for the entire organisation. This approach allows users access to the full benefits of the cloud service but, critically, could mean that the cloud service ‘owns’ the security of the data stored in the cloud. In this environment, the strength of an organisation’s security is only as good as the protections offered by the cloud provider, an uneasy reality for any IT manager.
Companies opting for this approach will do so under the assumption that employees will exclusively use that service but, of course, there is a risk that some employees will have a different service they are more familiar with. These employees must be persuaded to transition to the company-sanctioned provider. The consequence of some employees not buying into the single vendor approach could be a patchwork of permitted and blocked offerings, which could lead to confusion across the business that adversely impacts employees.
A key limitation of this approach is that although some cloud storage providers do encrypt data they store, many also manage the encryption keys, meaning the data can be exposed to threats the IT team can’t control. In addition, as the data is not encrypted at source, it will also be vulnerable while being copied to and from the cloud, adding to the headaches for the IT team.
Option three: seamless encryption for safer sharing
The third option for IT leaders is to establish a way to encrypt the data before it goes into the cloud. With user data encrypted at source, employees are free to use any cloud file sharing site they prefer. For this approach to be a success and to remove serious security concerns related to cloud file sharing, the solution must be seamless for the end user and easily managed by IT administrators.
This approach means that the IT team owns and manages the encryption keys. While it is true that the only failsafe protection for files is to encrypt them, the encryption is only effective if the keys are managed correctly. By keeping full rights over encryption keys and by implementing pre-boot authentication for users, enterprises no longer need file sharing passwords and the user’s encryption experience is completely transparent.
In the end, IT always adapts
The concept of employee-enabled data file mobility is not new. With each new method for moving data files (CDs, USB drives, and cloud file storage), enterprises have dealt with the security consequences. Cloud file storage solutions are, however, arguably far more dangerous than previous approaches, because the attack surface is available to anyone with an internet connection.
IT departments should evaluate the risk inherent in cloud storage the same way they evaluated risks of the previous methods for transporting files. At the same time, they should keep in mind that end users are likely to assume data stored in the cloud is protected and balance this with the employee productivity benefits of these services.
In order to keep company data as safe as possible, IT managers should deploy encryption and key management solutions that secure files stored in the cloud in a managed way. If this approach is seamless and simple for employees to use, everyone wins: employees enjoy the benefits, whilst the IT team can rest easier in the knowledge that data is protected with a strong endpoint encryption method.
Sourced from Darin Welfare, Vice President, Sales & General Manager, EMEA & India, WinMagic