BYOD exposes the perils of cloud storage

The dangers of using consumer cloud storage systems became clearer earlier this month, when a hacker claimed that he accessed presidential candidate Mitt Romney's Dropbox storage and email accounts using an easily cracked password.

The apparent hack of Romney's accounts came on the heels of IBM's rollout of a bring-your-own-device (BYOD) policy that bans the use of Dropbox due to concerns that hackers could easily access sensitive information stored there.

Such examples make it clear that it's risky to keep corporate data on consumer-oriented cloud storage systems, say IT executives and analysts.

"IBM has the world's biggest BYOD program, and they just locked down Evernote and Dropbox because they discovered their future product plans and all sorts of really sensitive data was being beamed automatically out to these services," said Dion Hinchcliffe, an executive vice president at IT consulting firm Dachis Group.

Though companies are increasingly tightening their BYOD policies, most have yet to address the use of consumer apps and services such as cloud storage on mobile devices.

"Cloud data centers are becoming high-value targets" of data thieves, said Hinchcliffe, raising the possibility that "someone inside the company with the keys to the castle" could be bribed to share data with hackers. "There's a lot of temptation," he added.

Dave Malcom, chief information security officer at Hyatt Hotels, said he's keenly aware that employees are using consumer-grade cloud storage services with mobile devices on the job, and he's taking steps to address the situation.

For instance, the hotel chain is surveying employee workstations to determine whether cloud storage apps like Dropbox have been downloaded and, if so, what data is stored on them.

If a cloud storage app has been downloaded, "there's probably a corresponding machine they're placing documents on that we don't own," Malcom said. "We're starting to get in front of it [and] we're trying to provide a corporately blessed service."

Among other things, Hyatt's BYOD policy requires employees to register mobile devices, and it prohibits the storage of confidential data outside the corporate firewall. The company also makes no bones about the fact that it remotely wipes all data from lost or stolen devices.

Nonetheless, "we're not naive enough to believe that a policy alone is the answer, and that we don't need technology" to help people follow the rules, said Malcom. "We want our employees to do the right things, but we know there may be times that they don't have the tools."

Malcom said that he hopes to start pushing employees toward using a corporate SharePoint system for content-sharing, though he acknowledges that it's not user-friendly on an iPad.

"If we can find someone like a Box.net that we can enter into an enterprise agreement with and help reduce some liability, we'd like to offer [that] to our user community," he said.

He noted that Hyatt is also trying to strengthen its passwords to avoid Romney's fate: "Ultimately, I'd like to get to biometrics or RFID proximity cards where you just have a four-digit PIN along with your card or your fingerprint in order to get on to our systems."

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.
