When you hear the word ‘cloud’, does it make you reach for aspirin? The word is often uttered in a tone reserved for either a once-in-a-lifetime innovation or a global catastrophe. For some people the cloud really has been linked to a catastrophe, with nude celebrity photos being exposed, but for the most part the cloud also offers great opportunities.
The risks of sharing data on the cloud are significant, but we can find the optimal balance between embracing the benefits of the cloud and mitigating the risks to the enterprise. For some, the risks extend further into personal and professional life, as it turned out for some very well-known Hollywood stars.
Guest article by Roman Foeckl, CEO & Founder, CoSoSys
This particular case of the targeted attack on Apple iCloud credentials, which is not so surprising (we are all used to celebrities’ eccentricities), teaches all of us a lesson. When there is no policy whatsoever that restricts the upload of personal or confidential photos or other types of documents to the cloud, people should follow the general rule of considering what information they upload. With minimal to no control over cloud storage solutions, they should only upload data that would not put them (or their organization) in embarrassing or dangerous situations.
Experts suspect that the attack could have been possible through various scenarios (e-mail phishing, reuse of passwords, etc.). Irrespective of the method, the essential lesson is that a certain level of control has to be put in place when working with or simply using the cloud for personal or business purposes. We are all aware of the risks posed by sharing information on Dropbox, Google Drive, iCloud, etc., so we need a plan that deals with these cloud storage solutions and other related emerging entities.
How to Connect the Dots on the Cloud
Remember, even the most diligent employee can follow the rules but still be responsible for creating a data loss crisis. The truly scary aspect of the cloud is that you’re putting your faith and trust into a third party. It’s a lot like trusting your most valuable possessions to the safe in your hotel room. While the chances of a theft or loss may be remote, you’re foolish to think it could not happen. Fortunately, there are some steps you can take to connect the dots between the cloud and a robust Data Loss Prevention (DLP) plan.
First, ensure that any information uploaded to the cloud is the type which, if it were to leave your organization, would not be catastrophic; essentially, practice data control. The type of information that can and should be uploaded to an external site is the same as the data you allow to be loaded onto a flash drive or a similar high-risk tool. It is very important that your strong, existing information security and data loss prevention program be modified, as necessary, to include the cloud, and that it evolve along with transformations to the cloud. Filtering what information can be uploaded to the cloud with the help of a Data Loss Prevention (DLP) solution is a strong capability, and for businesses it is crucial.
What about the celebs’ infamous cameras, and the sync-to-iCloud options of mobile devices? It’s as if infosec experts’ preaching about minimum security measures to avoid situations like these has been in vain. “Use two-factor authentication, do not use the same password for multiple accounts, use MDM solutions, etc.” are just a few off the top of my head that most probably have not been respected in this case. Therefore, in a business environment, where we are talking about confidential data of another nature, Mobile Device Management (MDM) and Mobile Application Management (MAM), together with solid internal rules, are essential to avoid awkward situations like the one currently making the headlines (or fines and loss of customers).
Step three is to have a strong education / training component in place to deal with questions and concerns voiced by all levels of your organization regarding data and the cloud. Make sure this training is thorough and mandatory. The nature of the cloud, and the odd marriage of passion and fear it evokes, requires that you treat the cloud with a special touch. Therefore, a special component of your information security and DLP training should focus on the cloud and educating staff about the special risks it presents. As with any technological innovation, the allure of its ease of use can blind users to the risks and to following rules to mitigate them.
To quickly recap:
- Make sure any information uploaded to the cloud is not mission- or organizationally-critical.
- Have the proper tools in place. Do not cut corners.
- Include mobile devices in the infosec strategy.
- Educate anyone who may share data on the cloud about risks and procedures. Make this education thorough and mandatory.
It’s no secret that the cloud offers a tremendous resource for collaboration, but it also presents new avenues for risk. With the right strategy, strong execution and an educated staff that clearly understands the rules and risks, you can implement a plan to successfully manage data loss prevention on the cloud. IT and information security professionals have stepped up and managed security challenges like this before. While the risks from the cloud may seem formidable, a sound action plan makes them controllable because we do have tools to connect the dots between DLP and the cloud.
For more about avoiding data loss, read the Aberdeen report Insider Threat: Three Activities to Worry About, Five Ways They’re Allowed to Happen – and What Enterprises Can Do About It
Roman Foeckl is the Founder and CEO of CoSoSys. Since launching the company in 2004, Roman’s vision has been to offer an easy-to-use Data Loss Prevention solution that covers all popular platforms, from Mac OS to Windows and Linux, so large and small businesses can protect their data against accidental loss or intentional data theft.