Security is, more often than not, a case of getting the basics right. This is certainly true of the cloud where the hyperbole surrounding insecurity far outweighs the actual risk in my opinion. Not that the cloud is an inherently secure place to store data, just that it poses similar risks to other data storage methodologies which need to be assessed and dealt with accordingly. So when I hear statistics being bandied about such as '68 per cent of employees use personal cloud storage services at work' as was thrown in my direction this last week, I cannot help but heave a little sigh.
This is not a cloud issue, despite it being wrapped up as one when I saw it; it's a basic security principles one. Consumer grade services are called that, and sold as that for good reason - primarily because they are not intended to be used within a business context. Sure, plenty of people DO use them for commercial purposes but that is besides the point; it doesn't make them enterprise grade in terms of security. This kind of service misuse, for want of a better word, is what you might call a rogue cloud or shadow cloud. Shadow because it is hidden from the business, and rogue because it isn't meant to be there.
Actually, in the real world, neither descriptor is actually accurate more often than not. I've been to many an enterprise where the existing information security policy does not cover the use of such cloud-based services and therefore the user is not in contravention of it. Equally, zero-visibility should not be a term that is recognized within the secure enterprise; at some point there has to be visibility as to where commercial data is coming from or heading to. Indeed, it should be a matter of common sense for an organisation to remove the cloak of invisibility that surrounds such rogue services and this is done using a combination of policy and policing.
Determine which devices and platforms are supported (from your data security viewpoint) and make it policy that non-supported devices and services are not allowed to access/store corporate data. Another bit of basic common sense is that while you might not be able to secure all the end points, you should be able to secure all the data and the magic wand to be waved has the word 'encryption' stamped upon it. I guess what I'm saying here is that data is data at the end of the day, and a data-centric approach to securing it works best. Equally, insecure practice is insecure practice so work to abolish that throughout your business.
Give some real thought about how best to merge governance and compliance with shadow IT usage and end up with a secure strategic framework. In other words, wrap your policy around the available technology and take a real-time approach to threat detection in order to remediate the endpoint risk.
