BYOD exposes the perils of cloud storage
Computerworld - The dangers of using consumer cloud storage systems became clearer earlier this month, when a hacker claimed that he accessed presidential candidate Mitt Romney's Dropbox storage and email accounts using an easily cracked password.
The apparent hack of Romney's accounts came on the heels of IBM's rollout of a bring-your-own-device (BYOD) policy that bans the use of Dropbox due to concerns that hackers could easily access sensitive information stored there.
Such examples make it clear that it's risky to keep corporate data on consumer-oriented cloud storage systems, say IT executives and analysts.
"IBM has the world's biggest BYOD program, and they just locked down Evernote and Dropbox because they discovered their future product plans and all sorts of really sensitive data was being beamed automatically out to these services," said Dion Hinchcliffe, an executive vice president at IT consulting firm Dachis Group.
Though companies are increasingly tightening their BYOD policies, most have yet to address the use of consumer apps and services such as cloud storage on mobile devices.
"Cloud data centers are becoming high-value targets" of data thieves, said Hinchcliffe, raising the possibility that "someone inside the company with the keys to the castle" could be bribed to share data with hackers. "There's a lot of temptation," he added.
Dave Malcom, chief information security officer at Hyatt Hotels, said he's keenly aware that employees are using consumer-grade cloud storage services with mobile devices on the job, and he's taking steps to address the situation.
For instance, the hotel chain is surveying employee workstations to determine whether cloud storage apps like Dropbox have been downloaded and, if so, what data is stored on them.
If a cloud storage app has been downloaded, "there's probably a corresponding machine they're placing documents on that we don't own," Malcom said. "We're starting to get in front of it [and] we're trying to provide a corporately blessed service."
Among other things, Hyatt's BYOD policy requires employees to register mobile devices, and it prohibits the storage of confidential data outside the corporate firewall. The company also makes no bones about the fact that it remotely wipes all data from lost or stolen devices.
Nonetheless, "we're not naive enough to believe that a policy alone is the answer, and that we don't need technology" to help people follow the rules, said Malcom. "We want our employees to do the right things, but we know there may be times that they don't have the tools."
Malcom said that he hopes to start pushing employees toward using a corporate SharePoint system for content-sharing, though he acknowledges that it's not user-friendly on an iPad.
"If we can find someone like a Box.net that we can enter into an enterprise agreement with and help reduce some liability, we'd like to offer [that] to our user community," he said.
He noted that Hyatt is also trying to strengthen its passwords to avoid Romney's fate: "Ultimately, I'd like to get to biometrics or RFID proximity cards where you just have a four-digit PIN along with your card or your fingerprint in order to get on to our systems."
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.