Leon Erlanger is a freelance writer, consultant, and former PC Magazine Executive Editor who has spent the past eight ...
There’s been a lot of talk lately about the risks and benefits of personal mobile devices in the workplace, a trend called BYOD (bring your own device). The dangers of combining personal and corporate applications and information on a single connected device are well known. However, a less discussed byproduct of mobility and personal devices is the use of consumer cloud services, including Web-based email services and file sharing services. The use of these services without IT knowledge or control is just as risky, or perhaps more risky, than the personal devices they’re used with.
Enterprise users take advantage of cloud services because they’re convenient and help them stay productive on the road. For traveling users, it’s often easier to communicate, collaborate, and exchange files and information using a personal Gmail or Yahoo account than it is to have to connect to and use corporate email. Services such as DropBox are also great ways for users to collaborate on files and ensure they have access to them at all times on the road.
It’s important to understand, however, that such consumer-targeted services were not created with the security needs of the enterprise in mind and have been phishing and hacking targets in the past. Not only can confidential information sent via Gmail or Yahoo Mail bypass enterprise data leakage controls and get sent to the wrong person, it’s also impossible to know where the attachments and other information are stored by the provider and who has access to them. You may be surprised to hear that some of these services claim some rights to any content they store. Employees may also use these services to take sensitive files with them when they leave an organization. So either knowingly or inadvertently, users of these services risk violating company policy and exposing their company to data theft or compliance issues.
These issues have come to light several times in the past two years through attempts to hack Gmail accounts of Department of Defense contractors and Paula Broadwell’s possible use of General David Petraeus’s Gmail account to find email addresses of other female acquaintances. The dangers become more acute when users employ weak passwords, such as the names of their pets, or reuse the same password for several personal and business accounts, the cause of Governor Romney’s Gmail and DropBox accounts being hacked during the last presidential campaign. Their use also opens new doors for malware to enter the corporate network.
Managing and controlling the use of these services is important, but it’s important as well to provide secure alternatives that are as convenient to users as these services. Employees need clear, specific policies and acceptable use practices for such services and education about their hazards and the breaches that have occurred in other organizations as a result of their use.
Tools are available to manage and control the use of Web cloud services, including Web application gateway solutions sold by McAfee and others. Make sure they cover the cloud services you’re most concerned about. Data loss prevention (DLP) tools provided in some of the same gateway products and other products can also be used to prevent sensitive information from getting sent over the Internet. The same solutions can help to prevent malware introduction. Mobile Device Management (MDM) solutions can be configured to restrict Web service and application use from approved mobile devices. Some provide ways to isolate corporate from consumer applications and data. Data loss prevention solutions also exist for many types of mobile devices.
However, if file sharing and other services are making users more productive on the road, they’re guaranteed to try to find ways to get around safeguards. Organizations must start investigating some of the more secure alternatives that are popping up, including business versions of consumer services and enterprise-focused alternatives. You may feel comfortable approving the use of one or two of these solutions while blocking or managing the use of the rest.