
Friday, 11 January 2013

Standing at the Crossroads: Employee Use of Cloud Storage.

Is Employee Use of Cloud Storage Your Number One Data Loss Vector Today?


Let's all agree that we have entered a time where our employees are finding it easier to use free Internet-based personal Cloud Storage like Box.com or Dropbox.com so that they can use their files in a more mobile world.

This is not a good Business Risk Scenario at all, but unless you take drastic steps to block the ability to access these sites from within the Company Network, your employees will take the path of least resistance. It is pretty much a guarantee that you are currently hemorrhaging potentially sensitive business data and have little or no visibility into this activity.

First things first, let's clarify the difference between "Enterprise Cloud Storage" and "Personal Cloud Storage".

Enterprise Cloud Storage is simply an extension of the Corporate Shared Storage Infrastructure outsourced to a Cloud Provider.  It is managed and maintained in a fashion similar to an onsite storage pool.  It can be protected through standard encryption practices.  Provisioning user access and allocating capacity are left in the hands of your IT staff.  Logging and reporting for capacity and compliance management are part of the service.

Personal Cloud Storage, however, is a "fairly" new market that has evolved over the past couple of years. These storage providers have made it extremely easy for any end user to sign up and receive an allocation of personal storage anywhere from 5GB to 100GB for free! To sweeten the pot, they provide both mobile and desktop applications to easily synchronize files/folders/pictures/music/videos between your various dissimilar devices. Most providers of this type of storage also facilitate sending links via email directly to anyone you wish to share your data with. Any logging or reporting is on a personal level to the requestor of the account. Access to this storage is available anywhere in the world and the end user controls the password.

So?  What can we do?

The first thing is to make sure that you have added this scenario to your Information Security Policy, and to educate your employees: "You must not use Personal Cloud Storage for transferring or storing Corporate Information."

Next, implement measures at your perimeter to block access to this type of site. Typically this would be accomplished in a Content filtering solution such as WebSense or BlueCoat, which classify the millions of Internet sites on a regular basis and apply Corporate access rules based on these categories. This works while the endpoint device is connected through the corporate network.

Better yet would be to manage a policy on the endpoint device that restricts access to these sites. At the moment, this is a bit more onerous, as you would need to identify and manage a list of known sites and apply these restrictions either through Windows Group Policy on your browser or through local Firewall Policy. Managing in this way, depending on the size of your company, would increase your company headcount by several bodies.
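A list of known sites can also be used to regain visibility: the sketch below (an added example, not code from the original post) totals upload-style requests to personal cloud storage per user from web proxy logs, matching subdomains but not look-alike hosts. The log layout, user names and sample lines are constructed, and the watch list holds only the two providers named above.

```python
from collections import defaultdict

# Assumed watch list: the two providers the post names. A real list is longer
# and needs upkeep, which is the maintenance burden the post describes.
PERSONAL_CLOUD_DOMAINS = {"box.com", "dropbox.com"}

# Constructed sample lines in a hypothetical proxy log layout:
# timestamp user method host bytes_sent
SAMPLE_LOG = """\
2013-01-11T09:02:11 alice POST www.dropbox.com 5242880
2013-01-11T09:05:40 bob GET www.box.com 412
2013-01-11T09:07:02 alice PUT upload.box.com 1048576
2013-01-11T09:09:13 carol POST notdropbox.com 999999
2013-01-11T09:10:27 carol POST dropbox.com.example.net 777
2013-01-11T09:12:00 bob POST intranet.example.com 2048
malformed line
"""

def is_personal_cloud(host, domains=PERSONAL_CLOUD_DOMAINS):
    """Match the domain itself or any subdomain, never a look-alike."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def uploads_by_user(log_text):
    """Sum bytes sent to watched domains per user for upload-style methods."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not fit the assumed layout
        _, user, method, host, sent = parts
        if method in ("POST", "PUT") and is_personal_cloud(host):
            totals[user] += int(sent)
    return dict(totals)

if __name__ == "__main__":
    for user, sent in sorted(uploads_by_user(SAMPLE_LOG).items()):
        print(f"{user}: {sent} bytes uploaded to personal cloud storage")
```
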

Or....  Fight fire with fire! 
Use Cloud Services in the form of Cloud-based Content filtering to restrict and control your employees' access to these sites REGARDLESS of where they are coming from. A policy enforced on the company-managed endpoint devices will restrict Internet access of that device except through the Cloud-based Gateway.


There are several players in this space:
Finally, if we look at my last Blog, by restricting all end user access through an Authentication Portal, we can provision true Enterprise Cloud storage to the end user, and manage the encryption levels and potential deprovisioning of that storage if and when the time is required.

Next up.... Data Loss Prevention....



1 comment:

  1. You have really helped several individuals like me, who have been searching the internet for quite a long time to find detailed information on this particular topic.

    Crossroads cloud applications
