When Employees Use Consumer Cloud Storage: Preventing Problems

By Paul Rubens

Cloud storage is a solution to many capacity and cost challenges, but it can also lead to disaster. Customers of Nirvanix, a cloud storage company founded in 2007, recently discovered just how difficult this can be. On September 15, the company informed its customers that they had just fifteen days to retrieve all their data, and on October 1, Nirvanix filed for Chapter 11 bankruptcy.

But even if you choose the most financially stable provider, that doesn't make you immune to problems. That's because its storage resources could be compromised by hackers, or they could be unavailable for an unacceptable amount of time (regardless of any service level agreement the provider may offer).

But these sorts of risks also apply to data stored on premise, and there's a good argument to be made that specialist storage providers have the resources to take better care of your data than your own company can.

Perhaps the biggest risk associated with cloud storage is that your colleagues decide to use consumer cloud services such as Dropbox or SugarSync as a convenient way to store data to access from home or on a mobile device, or to share with co-workers or people outside the organization.

"This is a very big problem for companies that have staff using tablets and phones for business - especially if they are storing sensitive information or data that is subject to regulatory requirements," says Terri McClure, a senior analyst at Enterprise Strategy Group.

That's because data stored in consumer cloud services lies outside your IT department's compliance controls and security measures such as password policies. As an indication of the scale of the problem, an ESG survey found that 70% of the companies either knew or suspected that "rogue" consumer cloud storage accounts were being used by their staff.

Enterprises typically adopt one of three possible strategies to counter the threat from consumer cloud storage services, McClure says. These are:

1. Ignore it, because the IT department is busy and usage is outside its control.

2. Prohibit staff from using these services.

3. Embrace the concept by offering a corporate alternative that is as easy and convenient as a consumer solution.

The first of these "solutions" is not practical because it entails a very high risk that sensitive data is compromised - not to mention the fact that failure to comply with regulatory requirements can result in extremely severe penalties for those responsible.

The second solution - prohibition - is unlikely to work, even when accompanied by an education program to ensure that staff understands why the prohibition is in place, according to Matthew Walls, a research vice president at Gartner.  

"Most educational advice is virtually useless," he says. "That's not to say you shouldn't provide it, but if IT tells you not to take your data home, but your boss says 'I need you to do this work tonight,' you are likely to side with whoever signs your paychecks."

This highlights the nature of the problem. The use of consumer storage and file sharing services is a type of "insider threat," and like the vast majority of insider threats it is not caused by malicious behavior, but rather by well-meaning workers.

In this case they see consumer storage services as a way of being more productive. "Something that needs to be understood is that most people who use these services are just trying to do their job," explains Walls.

You can certainly take steps to discourage well-meaning staff from using these services, such as blocking them with rules in your next-generation firewall. But these are unlikely to be effective, according to ESG's Terri McClure. "If people want to share data or take it home they will. You can use a next-generation firewall but people will just have meetings at Starbucks and use the WiFi there to get into file sharing accounts," she says.

Offering Cloud Storage Alternatives

That only leaves the third solution then: offering a cloud or on-premise based alternative that has been designed for enterprise use but which mimics the convenience of consumer-grade offerings.  

The precise feature set that an enterprise service needs to offer depends on the industries your business is involved in, the type of data that your organization controls and the regulatory requirements you are subject to. But McClure suggests that the following features are likely to be important:

·  Some form of digital rights management (DRM) to control the sharing or printing of data and the ability to "expire" it.

·  Control over what data can be stored in the cloud, and whether it can be shared externally or only internally.

·  Integration with Active Directory or other systems to control who can access data (and to terminate that right when an employee leaves) and to impose security and password policies.

·  Encryption, with the ability to store keys locally.

·  Centralized auditing to allow your administrators to see what data is being stored and shared, and what data employees are storing and sharing.

·  The ability to remotely lock or wipe mobile devices that have access to the service.

This last capability is more usually part of the functionality offered by mobile device management (MDM) systems, but McClure says that smaller organizations are unlikely to have implemented one. "For that reason, some vendors of enterprise storage and sharing applications offer remote wipe built-in, like a sort of MDM-lite," she says.

This capability is often overlooked, she points out. "What's scary is that with a laptop or desktop, when you leave an organization you have to copy any data that you want to take with you. But with consumer file sharing accounts, the default is that all that corporate data comes with you when you leave.  It happens automatically - you don't have to do anything."

In areas such as Silicon Valley, where competitors are often neighbors, the potential for confidential data to be leaked when a child takes an iPad next door and leaves it there by mistake is considerable, she adds.

There are currently around fifty enterprise cloud storage and file sharing vendors to choose from, with varying levels of sophistication and ease of use.  Pricing for cloud services ranges from about $5 to $30 per user per month, depending on storage capacity and other features. A partial list of vendors in this crowded sector includes:

AirWatch (cloud or on-premise)

Alfresco (cloud and on-premise)

Accellion (private cloud)

Box (cloud)

Citrix ShareFile (cloud or on-premise)

EMC Syncplicity (cloud or on-premise)

Egnyte (cloud or on-premise) 

Hightail (formerly YouSendIt) (cloud) 

WatchDox (cloud)

This article was originally published on October 28, 2013