I recently implemented a policy that bans the use of consumer cloud storage services (Dropbox, etc.) since they obviously have many security issues. I'm getting a huge amount of pushback, and frankly, I can't entirely stop rogue cloud storage usage. So, now I'm reconsidering the policy. Should I "die on the hill" with it, or does it make sense to update the policy to be less restrictive despite the risk?
Ask the expert
Cloud-based storage services represent some of the biggest potential risks of data leakage to any organization. These services often store data in the clear, rely on users to set appropriate permissions, cannot be audited and can be installed on non-corporate devices, just to name a few of these risks. The popularity and convenience of these services also make them one of the most contentious technologies for information security departments to regulate. That doesn't mean that a company should give up on its cloud storage policy, but it may mean that it is necessary to change the tactics.
The best strategy for dealing with these types of rogue services is to offer a secure alternative. File-sharing services are filling a niche because users need to collaborate regardless of their location. Information security cannot just be the department of "no." If you're going to block Dropbox and similar services, find a way to achieve the convenience of these file-sharing services while implementing the required controls and specifications.
There are two ways to go about this, depending on the company's security requirements and technical capabilities. A private cloud can be built using software hosted inside the company's network. This strategy will build the required security but may be too maintenance-intensive for internal staff. The other choice is to select a standard cloud storage service that meets the security requirements while also meeting the company's needs. There are many services available that offer encryption, access controls and proper monitoring. It is possible that they offer capabilities that are lacking in the current internal file-serving system.
It is time to embrace cloud-based file services, but do it with the appropriate security requirements. This will reduce the pushback from end users and increase the reputation of the security department as it works with the business instead of against it.