For a few hours on June 20, anyone who wanted to log on to cloud-based storage provider Dropbox could do so without a password.
Dropbox blamed the incident on a bug. And chances are some businesses didn’t even know about the potential exposure of their data.
Too bad so many IT managers don’t appear to be on top of the issue. In fact, many IT managers apparently have no idea what cloud-computing services their employees are using. A survey from the Ponemon Institute released in May showed the extent of the problem. According to the research, 50 percent of IT professionals say their organizations are unaware of all the cloud services used in their enterprises.
That figure could be misleading. Anton Chuvakin, principal at Security Warrior Consulting, says it’s difficult to measure because the definition of “cloud computing” is so slippery. Do the IT pros consider Gmail to be cloud computing, for instance?
But in general, cloud use is exploding. Employees in your organization are increasingly going to turn to cloud tools that allow them to do their jobs expediently and economically, whether you’re on board or not.
Tim Bajarin, president of Creative Strategies, a consultancy in Campbell, Calif., says he’s not surprised at the Ponemon findings. “There are so many apps that let employees access them anytime, anywhere,” he says. “It’s hard for the IT people to keep up.” And it doesn’t help that new cloud services seem to come out every week.
Taking steps to monitor and direct employees’ cloud-computing use isn’t really that difficult. The key is to take a proactive approach. Experts recommend the following:
Understand your mission. Consider whether you’re looking to prevent data leaks or stay on top of information governance. As Chuvakin points out, when you use cloud computing for sensitive information, security is paramount. “If I’m writing a white paper for a client that includes intellectual property and it’s in Google Docs, then it’s not a question of ‘Has anyone else seen it?’ as ‘Am I 100-percent certain no one else has?’” Many cloud providers do provide that assurance, says Chuvakin, so it pays to ask and shop around.
Know why your employees use the cloud. You can learn from how your end users use cloud services, say the experts. For instance, employees might be using Gmail because the search is so much better than the work email’s search. “You should really look into why people aren’t using your work software. There might be a good reason,” says Chuvakin.
Inventory corporate cloud use and providers. Take full inventory of which cloud-computing services your organization and your employees are using. Assess your cloud-computing providers and the risks involved in using them. Do this on an ongoing basis, as cloud computing evolves rapidly.
Set standards. Create guidelines for cloud-computing use by employees. Do you want to prohibit employees from putting company files in the cloud? How do you foresee employees using the cloud?
Be the provider. Create your own version of Dropbox or other cloud-based applications.
Keep sensitive data off-limits. Consider some data off-limits to the cloud and communicate this policy to employees. The Ponemon survey showed that 68 percent of IT pros thought cloud computing was too risky for storing financial information or intellectual property. Fifty-five percent said they wouldn’t store health records in the cloud.