The Inconvenient Truth about Cloud Security

With the pervasive presence of cloud computing, virtually every aspect of every enterprise’s business uses the cloud in some way. The cloud computing options available to enterprises fall into three categories:

  • Public Cloud — A shared computing environment hosted entirely by a cloud service provider that manages and maintains the infrastructure, allowing for quick scalability and lower costs to users, offering compute and storage on demand, with customers paying only for the capacity they use. Popular with resource-limited start-ups and shadow IT projects.
  • Private Cloud — An environment in which the server infrastructure is dedicated to a single enterprise. This dedicated environment can be hosted by a cloud service provider, or owned and managed on-premises by an enterprise behind their own firewall. The latter allows for the utmost security and control, but also requires the most in-house maintenance.
  • Hybrid Cloud — Allows an enterprise to configure and manage multiple cloud environments—public or private, hosted or on-premises—as a single resource pool using a combination infrastructure where some data and applications (e.g., time tracking) are on a public cloud, but sensitive data and business-critical applications (e.g., payroll) are on a private cloud.

One of the greatest fears business leaders have about cloud computing is seeing their enterprise’s sensitive data exposed on a public cloud. That is why it was no surprise that recent IDG research revealed that the majority of organizations are using a private cloud for the majority of their data and applications. While these organizations were not planning on storing sensitive data or running business-critical applications outside of a private cloud, they cited hybrid clouds as their most planned-to-use environment going forward as they deliberately design their step-by-step journey to the cloud.

However, even the most cautious and security-conscious enterprises are probably using the public cloud more than they realize.

One reason is because employees and mobile devices are attached at the hip—and those mobile devices and the public cloud are attached at the wireless hip. In other words, most of the apps on a mobile device, such as the smartphones we have all become so reliant on, are connected to services running on a public cloud. These services enable data access independent of device or location, allowing employees to conveniently access the same data on their smartphone, work computer, or personal laptop.

On occasion, sensitive data is temporarily copied onto a mobile device. The most common example is downloading an email attachment. This is when the best friend of the mobile device can become the worst enemy of cloud security: most mobile apps, because of the intentionally limited storage capacity of mobile devices, default to automatically backing up data to a public cloud.

This can create unforeseen issues because even when conscientious employees remember to delete the local copy of sensitive data on their mobile device, they often forget about the automatic cloud backup. The recent and highly publicized hack of a public cloud that exposed the private photo collections of female celebrities was a good example of this. Many of those photos had been deleted long ago from the smartphones used to take them, but still existed on a public cloud backup that was long forgotten, or perhaps never even known about, since it had been created by default settings.

On other occasions, the easiest example being shadow IT projects, the public cloud is intentionally chosen for convenience since, generally speaking, the more secure an environment is, the less convenient it is to use. Just as water naturally seeks the lowest level, people naturally gravitate to the most convenient, and least secure, option. The inconvenient truth about cloud security is that we often choose convenience over security. This means we often choose, by default or with intention, the public cloud.

While the public cloud is often unavoidable, your enterprise can take steps to make its use as secure as possible, including:

  • Public Knowledge — Make sure you know all of your employees’ uses of the public cloud, including shadow IT projects and mobile apps to identify unknown, and perhaps unintentional, copies of enterprise data on public clouds.
  • Public Execution — No, not of the employees violating enterprise security policies, but the execution of regularly scheduled, and preferably automated, processes to delete enterprise data on public clouds after a certain time period.
  • Default Security — Have employees check the default settings on their mobile devices and mobile apps and disable any automatic backups to public clouds to prevent accidentally exposing sensitive enterprise data.
  • Double-Down Log-ins — In addition to requiring strong, and frequently changed, passwords, require employees to use the two-factor authentication for log-ins that the most popular public-cloud-based services already offer.
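
The "Public Execution" item above calls for a scheduled, automated process that deletes enterprise data from public clouds after a set period. The following is an added example, not code from the post or from HP, showing the core of such a retention sweep in a provider-neutral way: it takes an object inventory (the normalized result of whatever listing call your cloud provider offers), selects objects older than the retention window, skips anything carrying a constructed `legal-hold` tag so the sweep cannot destroy data that must be kept, and runs in dry-run mode by default so the candidate list can be reviewed and logged before anything is actually removed. The inventory, the tag name and the `delete_fn` callback are all assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: what a normalized listing of a public-cloud
# bucket or backup share might look like. Keys, timestamps and tags are
# made up for this example.
SAMPLE_INVENTORY = [
    {"key": "exports/payroll-2014-09.csv",
     "last_modified": "2014-09-01T10:00:00+00:00", "tags": {}},
    {"key": "exports/timesheets-week40.xlsx",
     "last_modified": "2014-10-01T08:30:00+00:00", "tags": {}},
    {"key": "legal/contract-hold.pdf",
     "last_modified": "2014-01-15T12:00:00+00:00",
     "tags": {"legal-hold": "true"}},          # assumed tag name; exempt from deletion
    {"key": "phone-backup/IMG_0001.jpg",
     "last_modified": "2014-03-01T00:00:00Z", "tags": {}},
]

# Fixed "current time" so the example is reproducible; a real job would use
# datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2014, 10, 15, tzinfo=timezone.utc)

HOLD_TAG = "legal-hold"   # assumption: objects tagged this way are never swept


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; treat a trailing 'Z' or a naive value as UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def select_expired(inventory, max_age_days: int, now: datetime = None):
    """Return the sorted keys of objects older than max_age_days that are not on hold."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    expired = []
    for obj in inventory:
        # Never delete data under a hold, however old it is.
        if obj.get("tags", {}).get(HOLD_TAG, "").lower() == "true":
            continue
        if parse_timestamp(obj["last_modified"]) < cutoff:
            expired.append(obj["key"])
    return sorted(expired)


def run_sweep(inventory, max_age_days: int, delete_fn, now=None, dry_run=True):
    """Plan (and, unless dry_run, perform) deletion of expired objects.

    delete_fn(key) is the provider-specific removal call supplied by the caller.
    Returns an audit list of (action, key) tuples suitable for logging.
    """
    actions = []
    for key in select_expired(inventory, max_age_days, now=now):
        if dry_run:
            actions.append(("would-delete", key))
        else:
            delete_fn(key)
            actions.append(("deleted", key))
    return actions


if __name__ == "__main__":
    # Dry run first: review what a 30-day policy would remove.
    for action, key in run_sweep(SAMPLE_INVENTORY, 30, delete_fn=print, now=SAMPLE_NOW):
        print(f"{action}: {key}")
```

Wire `delete_fn` to your provider's delete call and schedule the script (a cron job or the provider's scheduler) with `dry_run=False` only after the dry-run output has been reviewed; keeping the audit list in a log gives you evidence that the retention policy is actually being executed.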

This post is brought to you by the Enterprise CIO Forum and HP’s Make It Matter.