
How to block Dropbox and implement a winning cloud data storage policy

Cloud-based storage introduces a number of risks, but banning these services outright is unlikely to generate the desired results.

I recently implemented a policy that bans the use of consumer cloud storage services (Dropbox, etc.) since they obviously have many security issues. I'm getting a huge amount of pushback, and frankly, I can't entirely stop rogue cloud storage usage. So, now I'm reconsidering the policy. Should I "die on the hill" with it, or does it make sense to update the policy to be less restrictive despite the risk?


Cloud-based storage services represent some of the biggest potential risks of data leakage to any organization. These services often store data in the clear, rely on users to set appropriate permissions, cannot be audited and can be installed on non-corporate devices, to name just a few of the risks. The popularity and convenience of these services also make them one of the most contentious technologies for information security departments to regulate. That doesn't mean that a company should give up on its cloud storage policy, but it may mean that a change of tactics is necessary.

The best strategy for dealing with these types of rogue services is to offer a secure alternative. File-sharing services are filling a niche because users need to collaborate regardless of their location. Information security cannot just be the department of "no." If you're going to block Dropbox and similar services, find a way to achieve the convenience of these file-sharing services while implementing the required controls and specifications.

There are two ways to go about this, depending on the company's security requirements and technical capabilities. The first is to build a private cloud using software hosted inside the company's network. This strategy will provide the required security but may be too maintenance-intensive for internal staff. The other choice is to select a standard cloud storage service that meets the security requirements while also meeting the company's needs. There are many services available that offer encryption, access controls and proper monitoring. They may also offer capabilities that are lacking in the current internal file-serving system.

It is time to embrace cloud-based file services, but with the appropriate security requirements in place. This will reduce the pushback from end users and improve the reputation of the security department, as it will be working with the business instead of against it.

This was last published in April 2014
