I recently implemented a policy that bans the use of consumer cloud storage services (Dropbox, etc.) since they obviously have many security issues. I'm getting a huge amount of pushback, and frankly, I can't entirely stop rogue cloud storage usage. So, now I'm reconsidering the policy. Should I "die on the hill" with it, or does it make sense to update the policy to be less restrictive despite the risk?
Ask the expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
Cloud-based storage services represent some of the biggest potential risks of data leakage to any organization. These services often store data in the clear, rely on users to set appropriate permissions, cannot be audited and can be installed on non-corporate devices, just to name a few of these risks. The popularity and convenience of these services also make them one of the most contentious technologies for information security departments to regulate. That doesn't mean that a company should give up on its cloud storage policy, but it may mean that it is necessary to change the tactics.
The best strategy for dealing with these types of rogue services is to offer a secure alternative. File-sharing services are filling a niche because users need to collaborate regardless of their location. Information security cannot just be the department of "no." If you're going to block Dropbox and similar services, find a way to achieve the convenience of these file-sharing services while implementing the required controls and specifications.
There are two ways to go about this, depending on the company's security requirements and technical capabilities. A private cloud can be built using software hosted inside the company's network. This strategy will build the required security but may be too maintenance-intensive for internal staff. The other choice is to select a standard cloud storage service that meets the security requirements while also meeting the company's needs. There are many services available that offer encryption, access controls and proper monitoring. It is possible that they offer capabilities that are lacking in the current internal file-serving system.
It is time to embrace cloud-based file services, but do it with the appropriate security requirements. This will reduce the pushback from end users and increase the reputation of the security department as it works with the business instead of against it.
Dig Deeper on Information security policies, procedures and guidelines
Related Q&A from Joseph Granneman
The consequences of phishing attacks could fall on the victims as enterprises start to punish employees who fall for this age-old scam. Expert Joseph... Continue Reading
CERT's ITPM certification is designed to help enterprises with their insider threat programs. Expert Joseph Granneman discusses the certification and... Continue Reading
Privileged users pose a growing threat to organizations. Expert Joseph Granneman looks at this insider threat and shares ways to mitigate it. Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.