Perils of Cloud Storage Exposed by BYOD
It's risky to keep corporate data on consumer-oriented cloud storage systems, say IT executives and analysts.
The dangers of using consumer cloud storage systems became clearer earlier this month, when a hacker claimed that he accessed presidential candidate Mitt Romney's Dropbox storage and email accounts using an easily cracked password.
The apparent hack of Romney's accounts came on the heels of IBM's rollout of a bring-your-own-device (BYOD) policy that bans the use of Dropbox due to concerns that hackers could easily access sensitive information stored there.
"IBM has the world's biggest BYOD program, and they just locked down Evernote and Dropbox because they discovered their future product plans and all sorts of really sensitive data was being beamed automatically out to these services," said Dion Hinchcliffe, an executive vice president at IT consulting firm Dachis Group.
Though companies are increasingly tightening their BYOD policies, most have yet to address the use of consumer apps and services such as cloud storage on mobile devices.
"Cloud data centers are becoming high-value targets" of data thieves, said Hinchcliffe, raising the possibility that "someone inside the company with the keys to the castle" could be bribed to share data with hackers. "There's a lot of temptation," he added.
Dave Malcom, chief information security officer at Hyatt Hotels, said he's keenly aware that employees are using consumer-grade cloud storage services with mobile devices on the job, and he's taking steps to address the situation.
For instance, the hotel chain is surveying employee workstations to determine whether cloud storage apps like Dropbox have been downloaded and, if so, what data is stored on them.
If a cloud storage app has been downloaded, "there's probably a corresponding machine they're placing documents on that we don't own," Malcom said. "We're starting to get in front of it [and] we're trying to provide a corporately blessed service."
Among other things, Hyatt's BYOD policy requires employees to register mobile devices, and it prohibits the storage of confidential data outside the corporate firewall. The company also makes no bones about the fact that it remotely wipes all data from lost or stolen devices.
Nonetheless, "we're not naive enough to believe that a policy alone is the answer, and that we don't need technology" to help people follow the rules, said Malcom. "We want our employees to do the right things, but we know there may be times that they don't have the tools."
Malcom said that he hopes to start pushing employees toward using a corporate SharePoint system for content-sharing, though he acknowledges that it's not user-friendly on an iPad.
"If we can find someone like a Box.net that we can enter into an enterprise agreement with and help reduce some liability, we'd like to offer [that] to our user community," he said.
He noted that Hyatt is also trying to strengthen its passwords to avoid Romney's fate: "Ultimately, I'd like to get to biometrics or RFID proximity cards where you just have a four-digit PIN along with your card or your fingerprint in order to get on to our systems."