Even when the use of services such as Box, Dropbox, SkyDrive, and other similar services is sanctioned by the IT department, businesses have nearly zero assurance of confidentiality when their employees store documents in the cloud. Not only are there few publicly documented vendor controls, there is no way for a business to continuously audit the cloud vendor’s entire infrastructure and administrative procedures to ensure that documents remain private.
A troubling example was recently brought to light by WNC Infosec (Western North Carolina InfoSec Community), which found that the Dropbox file sharing service opens certain files after they are uploaded.
While it may be fine for individuals to trust cloud vendors with their everyday material, businesses must adhere to a higher security standard if they are to retain control over sensitive data and meet regulatory compliance requirements. What can be done?
Cloud security requirements
In order to enforce corporate security policies in the cloud, IT needs to know (1) who is accessing and sharing (2) what documents (3) in which cloud storage service, and (4) that the cloud provider cannot override policies established by the business or access the data itself.
Here are four steps for implementing a cloud security strategy:
a) Take a risk-based approach: It is not realistic to “secure everything”. Look at business processes and quantify the risk associated with each one, then match them up with an appropriate level of security and controls.
b) Clearly document the policy and communicate it to employees.
c) Make the security solution easy to use, so that employees will not try to circumvent it in order to get their jobs done. The days of forcing staff to accept whatever IT deems acceptable are long gone!
d) Implement content-based security to eliminate the risk of the cloud provider failing to implement proper security protocols and controls.