Employees who use corporate credentials to access unsanctioned cloud services could put companies at risk for non-compliance.
The Government of the Northwest Territories in Canada started a tablet initiative six months ago. One of the applications employees tested was Box, a cloud storage and file sharing service. Once the pilot ended, about 50 employees continued to use Box for personal use, though they had signed up for the service under their corporate email addresses.
Box approached the government about these 50 employees’ continued use of the service under corporate accounts, which raised a cloud licensing compliance problem. At the government’s request, Box provided a list of the employees who were still using the service, said Dave Heffernan, CIO for the Government of the Northwest Territories.
“We’re fighting our own IT organization to get them to realize if they don’t offer these kinds of services, then people will already be using them without our knowledge,” Heffernan said.
The government found that a number of employees wanted to keep using the service for work, and it invested in a block of 50 corporate accounts. Employees who no longer wanted to use Box for work either cancelled their subscriptions or switched the corporate email listed on their Box account to a personal email account.
Box was patient with the agency as it sorted out the situation, but staying ahead of consumerization-related issues is nearly impossible, Heffernan said.
“Even if you support a few Dropbox-like services there’s still the good possibility of someone using an unsupported one. Keeping on top of that is difficult,” Heffernan said. “We pick a few tools and services and say, ‘here’s a recommended service,’ but of course that list changes all the time.”
Though businesses probably won’t fire employees who use corporate emails to sign up for services without IT’s knowledge, there isn’t much to prevent them from doing so, said Terri McClure, a storage analyst for Enterprise Strategy Group, an advisory firm based in Milford, Mass.
In fact, employees who spend their own money on a computer or mobile device are more likely to use unsanctioned tools and services to do their jobs, regardless of whether IT supports those services, according to a recent report from Forrester Research Inc.
There are potential data-leak problems and licensing compliance issues when employees sign up for unsanctioned cloud services with work email addresses, McClure said.
Cloud apps present data privacy concerns
Courts have yet to decide whether Fourth Amendment privacy rights apply to documents saved in the cloud, said David Navetta, an attorney who specializes in information security, data privacy and technology law at InfoLawGroup LLP, based in Denver, Colo.
Then there are the terms of service governing privacy and data -- those long blocks of text few people actually read before signing up for a service. The terms typically favor software as a service (SaaS), cloud and mobile app vendors, he said, and providers may even change the rules without informing users first.
For example, last week an Adobe Inc. employee discovered that Facebook had, without users’ consent, altered contact emails on iPhones and Android smartphones that had Facebook contact sync enabled. Personal email addresses in the contacts app were replaced with @facebook.com addresses, and communications sent to them were intercepted and redirected to a folder that users have not been able to find within Facebook.
Facebook released a statement that said the mishap was due to user confusion and a coding bug.
Mishap or not, this type of mobile device email hijack could turn into a major security and compliance breach for businesses, industry experts said.
Cloud, SaaS policies can help
Companies need to work with their legal departments to ensure that licensing agreement terms favor them, Navetta said.
“Sometimes vendors aggregate data in a roundabout way. There’s a potential risk around the aggregation and data that isn’t even considered sensitive,” Navetta said. “Would you want another company to know your company’s average salaries?”
More than ever, IT, employees and vendors have to work together when it comes to security, compliance and privacy.
“Otherwise the whole thing just falls down,” said Ben Tomhave, principal consultant at LockPath, Inc., a governance, risk and compliance vendor based in Overland Park, Kansas.
Various studies suggest that nearly two-thirds of organizations have no policies in place regarding SaaS, cloud storage, and even mobility use, said Chris Silva, an analyst at the Altimeter Group, a research firm based in San Mateo, Calif.
Lack of policy puts organizations and IT in a reactive position.
Meanwhile, organizations ask IT to do more with fewer resources, and the tasks of manning the help desk and patching/updating software will always take precedence over managing consumerization, Silva said.