When cloud gets personal: the consumerisation of the enterprise
Information Age examines the dangers of enterprises allowing the employee use of personal cloud services to get out of control
The pace of innovation – and, in parallel, rapidly evolving threat landscape – has made for a fraught few years for IT organisations around the world.
At the forefront of challenges has been the consumerisation of IT, with employees determined to use in the workplace the mobile devices and cloud services they are accustomed to using in their personal lives.
People are naturally eager make use of new technologies that help them in their daily lives, but not all of these apps are endorsed or even known about by IT.
This can be great from a productivity perspective, but not from a compliance or governance one. That is not to say some cloud services or mobile devices are insecure or can’t be trusted – in fact, the security for those services might be better than what the company has in place.
Instead, the risk is that data is missing from central, IT-managed data stores, and when it comes to an audit or legal action the company does not have the full picture.
This has resulted in reactive mobility strategies that seek to keep employees happy and empowered while maintaining a strong level of enterprise security. Among these are approaches like bring your own device (BYOD), choose your own device (CYOD) and corporate owned personally enabled (COPE).
But personal cloud is a whole different challenge. Employees continue to deliberately circumvent enterprise security processes by opting to use their own file-sharing applications to store potentially sensitive data in places invisible to IT departments.
‘In some cases, this data might be gone completely,’ says Dave Packer, VP of product marketing at Druva. ‘For example, if an ex-employee was using a personal cloud service and that data was never handed back to the company, then there would be no record for the company to find in the first place when the audit was carried out.’
This is a real concern for most companies, says Mark Re, senior VP and CTO at Seagate: ‘All of the enterprise data stored that way now resides innocently on a server many miles away that the company can't protect, often stored by a brand that has no contractual obligation to protect that data.
‘In 2016, despite the drawbacks for IT departments, it seems certain that growing customer awareness, attractive pricing and enhanced security is expected to boost the growth of the personal cloud services.’
James Butler, chief technology officer at Trustmarque, agrees. Thus, CIOs are presented with a huge management task: how do they know what data is being stored or shared, where it is, or for how long it’s been there?
In recent research from TNS Trustmarque, over three quarters (79%) of CIOs said they found it a challenge to balance the productivity needs of employees against potential security threats, when it comes to authorising the use of personal cloud and file-sharing applications.
‘Personal cloud services are not built to be enterprise-grade, therefore compromise security and compliance,’ Butler says. ‘The modern employee expects the IT they use in their job to replicate the same flexibility they enjoy from consumer technology.
‘The outcome of this desire is that many use personal cloud and file transfer services to remain productive, yet these services pose potential information security threats to organisations as data can be shared outside corporate firewalls.’
In a nutshell, the rise of personal cloud, as with the rise of BYOD, has forced IT teams to look at different ways of securing data. Options such as file-level security rather than storage-level security has been one response, so that data can remain secure no matter where employees store it.
In the past there’s been something of a lack of transparency when it comes to corporate IT knowing exactly where their data is stored and if it’s safe, so the advent of BYOD and personal cloud has at least ensured that companies seriously think about a corporate policy around cloud-consumption.
‘The challenge remains in enforcing security policies without affecting employees' productivity,’ says Re, ‘and at the same time educating staff as to the importance of protecting their data.’
Probably the biggest risk is the potential loss or exposure of sensitive data: intellectual property, personally identifiable information (PII) or personal health information (PHI) that employees have been given stewardship over.
Without a company putting in proper safeguards to prevent that data moving to personal cloud services, an organisation might find itself breaching the EU GDPR, which will include significant penalties for any violation.
With today’s highly mobile workforce, CIOs should think about taking a multi-prong approached.
One is to provide similar or equivalent services that end-users would seek out for productivity purposes, while another is to take a proactive approach to understanding the data end-users are both creating and handling, making compliance proactive for the whole business.
This means automating the process of recognising when any file is created that might have PII or other sensitive data inside. When these files are created, they can be automatically identified, copied and tracked so the business has a better sense of where potential data risks exist throughout the organisation and can take action to remediate accordingly.
‘This approach avoids the problem of relying on users storing data centrally as part of their personal management of their data – it’s all too easy to forget a step like this,’ says Packer. ‘At the same time, it also takes the rise of mobile computing and remote working into account.
However, this is not as simple as just copying and holding all information users create on their devices.
Some countries in Europe, such as Germany, have very strict regulations in place around data privacy and protection to consider.
‘It’s not a one-size-fits-all approach,’ says Packer. ‘To address this, companies should consider both the technology side of the equation as well as the contractual side, and ensure proper consent forms are in place with employees so that data can be tracked appropriately.’
If every application available to employees was 100% fit for purpose as it is, then personal cloud usage wouldn’t be an issue.
In a recent study, 48% of British office workers admitted to simply ignoring their organisation’s cloud policy to use apps they prefer. CIOs must understand that contemporary employees want to be empowered, rather than abiding by restrictive policies.
The same research found that 40% of British office workers admitted to knowingly using cloud apps that haven’t been sanctioned by IT – with one in five admitting to uploading sensitive company information to a file sharing or personal cloud storage application.
Indeed, the challenge for the CIO is maintaining an IT environment that supports changing working practices while remaining highly secure.
‘Businesses must mitigate risk,’ says Butler, ‘but at the same time foster that sense of employee independence – to support employees to work productively, wherever or however they want.
‘The rapid adoption of personal cloud services and the proliferation of applications for storing and sharing data mean cloud can very easily escape the control of IT.’
With the risk of irrevocable data loss and IP theft, there are those that think IT departments need to take a hard line against personal cloud apps.
Since the EU's recent Data Protection Directive and the UK's Data Protection regulation, businesses are now accountable for governing the transfer of personally identifiable information across Europe, so it’s with good reason that personal clouds are not warmly welcomed.
Another option, beyond banning them and attempting to convince staff not to use them at work, is the adoption of the hybrid cloud.
The combination of a public cloud provider with a private company cloud platform, communicating over an encrypted connection, keeps data exposure to a bare minimum.
This might allow organisations to keep their users happy, while at the same time minimising the risk, but it’s not a perfect solution and doesn’t neatly alleviate the security risk.
A final option for larger brands could be designing their own personal cloud apps and offering an enterprise-grade solution for staff, but it may be some time before the in-house expertise and skills develop enough for this to be a reasonable option within the majority of IT departments.
‘Such is the popularity of personal cloud apps,’ says Re, ‘that whatever they currently lack in security and business support, there’s little doubt it will not slow down their growth.’