How would you feel if a competitor picked up your product specs? An investor got a copy of your quarterly financials before earnings? An employee’s personnel file ended up with the press? Not great? Yet employees within your organization may be unknowingly gambling with the security of corporate data every time they use unsanctioned public cloud file sharing and storage services.
From my perspective, the public cloud is not the problem; rather, it is the unsupervised use of the public cloud by employees that makes it problematic for storing and sharing files.
Your mother doesn’t work here
Every IT team knows that busy employees don’t always clean up after themselves. As employees juggle a lot of concurrent projects, they certainly don’t always go back and clean up the data they have created and stored in various storage solutions. This isn’t a new behavior trait. Corporate storage systems are littered with the good intentions of your busy, multi-tasking employees, who often plan to get around to properly storing and securing information but seldom actually do so. The cost of careless storage of information on internally managed corporate servers is simply excess storage costs, but careless storage of information outside the corporate firewall can result in skyrocketing costs from compliance fines and loss of competitive information.
Shifting security issues
What kind of data security issues are we talking about? The most common issues arise when employees are simply not aware that files they are sharing contain sensitive data. Take, for instance, super-wide spreadsheets: they are frequently the culprit, since it’s easy to miss those social security numbers if they’re in column 50.
Another common issue is not paying attention to how people’s roles change over time. For example, if an employee is sharing information with someone who leaves the company and IT isn’t in the loop, who is there to ensure that the employee who left is blocked from accessing confidential information? Even if a data leak is discovered, it can be difficult to resolve if the data is hosted in a personal account of a public cloud solution. The organization can’t demand that the vendor remove the document, because the vendor has a relationship with the ex-employee, not with the business. Issues of data sovereignty such as these didn’t exist before, when corporate information was only stored behind the firewall on IT-managed servers.
Unknown data access
When I talk to large companies, they frequently have legal concerns around whose lawyers control the data stored in a public cloud – the company’s lawyers or the vendor’s? We are learning in real time that it is the vendor’s.
Take the recent NSA PRISM situation as an example. Users were not aware that their service providers were cooperating with the NSA to gather personal information from the public cloud – putting the spotlight on how little control organizations have over government access to their hosted data. While use of IT managed storage doesn’t mean that the government can’t demand access to data, it does mean that your organization would know what data they were gathering, rather than reading about it in the newspapers later.
Take control of data security
In the end it comes down to control. How much control do you need over your data, who has access and where is information being stored?
In my experience working with our customers, it’s apparent that corporations and government agencies are only just beginning to get to grips with the controls they need to put in place regarding cloud-based file sharing and storage. There have been quite a few occasions when we have worked with a corporation on deployment of a cloud file sharing solution where the organization has done a complete 180 on its decision of whether to go with a public cloud hosted solution or a private cloud hosted solution. What is emerging is that, regardless of whether the cloud file sharing is deployed on a public or private cloud, of primary importance for corporate information is that IT has oversight and visibility into employee storage and sharing of information.
While private cloud solutions offer the ultimate assurance that data stays under IT control for some organizations, public cloud solution vendors may be able to provide sufficient assurances for protection of information for others.
One CIO friend told me that, for her, using a public cloud means losing peace of mind. Without a guarantee that she has exclusive access rights to the data, she is left wondering where exactly her company’s information is being housed and who can see it. For other organizations the tolerance for risk may be different. In the end, every company has to ask itself how much it is willing to gamble with the security of its information, and then place its bet.