Sophos Cloud Optix
There are not just risks to your business introduced by employees’ increasing desire to bring their own devices into the office – a phenomenon known as “Bring Your Own Device” or “BYOD”.
There’s also the associated issue of “BYOS”, or “Bring Your Own Software/Service”.
I spoke about this issue at the SC Congress in New York City last year.
One of the standout leaders in the BYOS cloud storage arena is Dropbox.
Dropbox provides a way for users to easily move data between the home-office and the office-office without the need for, say, a USB memory stick.
The good news is that this means the problem of users losing their USB memory sticks (and therefore the data held upon them) begins to disappear.
The only problem is that now users of Dropbox, et al are giving their data away, and third-party companies have to be trusted to secure it properly.
There’s no doubt that the adoption of cloud computing is on the rise. But historically we have seen that attacks tend to follow the more ubiquitous technologies. In short, if something is popular chances are that the cybercriminals will explore how they might be able to take advantage.
Cloud storage providers have full access to your data and control where it is stored. You don’t have much information about the infrastructure and the security mechanisms in place. And it might be that this storage isn’t in your own country, which could cause legal concerns.
In a nutshell, if your data is being stored in the cloud, more data can be put at risk if there is a single successful breach.
The countermeasure to this risk is to utilize encryption technologies. Encryption is a leap forward in the right direction for any organization trying to deal with users who are already housing sensitive and/or protected data on third party servers.
Although officially unsupported, Dropbox tells advanced users who wish to not rely on the firm’s own encryption that some have reported success with TrueCrypt to protect their data.
In my own personal experience, storing files across multiple computers with Dropbox and TrueCrypt to send to multiple third parties can be a challenge to setup. I agree with Dropbox that this is only a realistic option for advanced users.
Perhaps it’s just me, but I would prefer a solution which is easier to deploy, with capabilities such as centralized key management, reporting, Active Directory integration and an intuitive user experience.
Oh yeah, and it’s also important to protect the end-to-end data in motion and at rest from attackers, as well as, service providers willing to surrender anyone’s data under subpoena.
You might also want to consider and make note that these services are all in danger from the US government and their overly large ego. They seem to enjoy shutting down sites with no warning and no sympathy to users. So you not only have to keep it secure you cannot rely on it being there for you. So you cannot trust any of these services with critical data.
At least if the US Government shut the whole system down you know that something has happened and you can look for alternatives.
Much more worrying in my view is the possibility that the Government might snoop on your data as part of some sort of fishing expedition for terrorists/paedophiles/socialists/tea party supporters (delete as applicable). Your cloud provider will also be prohibited by law from telling you that they have shared your data with the Government.
Once the government has finished trawling your data the can then loose it on a USB key, keep it for the next 30 years for some sort of vaguely defined air traveller’s watch list, or sell it to a marketing company after doing a bad job of annonmysing the data.
In short, do not upload to the cloud any confidential data, because it is just as at risk as if you put it on a non-encypted USB key, and left it on the bus.
First – I dislike the term "cloud", when "network" is what is meant. If "cloud", why not "fog", I ask:-)
So long as networked/cloud services increase, so must their sophistication. It will become essential that such services can ensure that no information cross certain localized geo-political borders, both for security and legal purposes. Also, as the author writes, encryption will become essential, but probably offered in increasing sophistication on a cost basis.
There is research on these issues going on right now.
I'd urge any business to carry out a true risk assessment before entering into cloud services and not just concentrate on collaboration and costs savings as seems to be the current trend. Remember risk assessments should focus on impact as well as likelihood. The following must all be considered.
•Lack of transparency about the level of security and the means of deployment
•Differing employment laws in differing countries
•Criminals following the most lucrative markets
•Increased / unknown Administrative access to systems
•Lack of visibility of user access
•Lack of visibility of security incidents
•Risk of collateral damage from attacks on other tenants
•Differing disclosure laws conflicting with differing privacy laws in different countries
•Lock in and lack of flexibility once entered into contract
•Providers ability to change service without consultation or risk assessment
@Shin, You're certainly correct but in the case of DropBox for example, even if the DropBox owners shut off their service, all my synced (sunk?) copies would still exist… unless UncleSam remote piloted the deletion via some trickery, non?
@David, Do you know of a persoDropBox solution where I can run my own DropBox-like service for me and mine?.. I'm thinking of so,ething like the approach of CrashPlan which let's me completely bypass their service but provide it for my crashplan-using friends. I know I know I can use various folder-syncing softs or even the cmd-line rsync (I'm on OS X btw) but Have you found anything DropBox-like?
Have you tried owncloud.org ?
I recommend a two-step approach:
1. Encrypt data
2. Send the encrypted data both to the online data repository (cloud) and to your own data backup solution.
This ensures your data is protected, no matter where it is found, dropped, stolen, or lost, and that if the cloud storage becomes unavailable (whether a temporary downtime or complete shutdown; that data needs to be available 24/7, so even a temporary downtime can have a bad influence on your business), you can still retrieve needed data from backup, even though that might take a bit longer.
If you are missing either a data encryption solution or a backup solution, you are already in trouble. But you are not alone. A lot of people and businesses are jumping on the bandwagon without adequate solutions. Very few people want to bother with the trouble of encrypting/password-protecting/otherwise-protecting their data or backing it up. These are problems that have been around as long as there have been computers.
Sadly, it normally takes a critical data failure or data loss to get someone into the habit of encryption and backups. Eventually, it’ll getcha.
— Jonathon
There is a lot, still, to be said for the mattress swamp.
The use of the word Cloud, is foggy by design, like all the rest of the chic required pseudo thunk of the age.
Just read Prof. Hoare’s 1981 Turing Lecture (damn that needle, but the frog turned out ok). Déjà vu c’est la vie über alles wieder all over.
Remember that 98% – Gorilla/ Man – is only an average.
Some services offer client encryption, like Wuala.