Administrators should set policies to define appropriate use of consumer cloud storage and related services.
These policies should add cloud service-specific details to existing security policies and should include authentication and authorization, monitoring and reporting, security awareness training, and incident response.
Authentication and authorization
Authentication policies should specify who should get access to enterprise content in the cloud. In the simplest (and least-secure) approach, an IT administrator could allow anyone with valid login information to access the consumer cloud storage service.
Active Directory integration can be required when more control over the user base is needed. Two-factor authentication can help mitigate the risk of hacked accounts or accidental disclosure of credentials, for instance, in a response to a phishing scam. Two-factor authentication systems that provide apps for mobile devices eliminate the need for special authentication devices and reduce the cost of implementation.
Authorization policies specify criteria for giving users access to content and providing the ability to administer content. Enterprise file-sharing services may allow admins to delegate administrative privileges to other users over sets of content. These services may also enable systems administrators to define their roles. In both cases, rules about how these capabilities are used and monitored should be included in the authorization policy.
Policies that address account provisioning for new users and terminating employees should be updated. In particular, policies should describe the steps needed to secure enterprise content that may be accessible to terminated employees.
Monitoring and reporting
Metadata about documents and actions on those documents can provide valuable information about how data is used and transferred from the cloud. Policies can describe who should monitor operations in the cloud service, such as the delegation of administrator privilege to a user or the downloading of files to mobile devices. Administrators may also want to use this metadata to trigger alerts on significant events, such as deleting or downloading a large volume of content in a single operation.
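The alerting described above can be written as a few rules over the service's audit metadata. This is an added example, not part of the original article; the event fields (`actor`, `action`, `op_id`, `device`, `target`) and the bulk threshold are assumptions rather than any provider's schema, and the log lines are constructed.

```python
import json
from collections import defaultdict

# Constructed audit records (JSON lines). Field names are assumptions,
# not the schema of any particular cloud storage provider.
SAMPLE_LOG = """\
{"ts":"2013-10-01T09:00:02Z","actor":"alice","action":"download","op_id":"op-1","path":"/finance/q3.xlsx","device":"desktop"}
{"ts":"2013-10-01T09:05:10Z","actor":"bob","action":"delete","op_id":"op-2","path":"/hr/a.doc","device":"desktop"}
{"ts":"2013-10-01T09:05:10Z","actor":"bob","action":"delete","op_id":"op-2","path":"/hr/b.doc","device":"desktop"}
{"ts":"2013-10-01T09:05:11Z","actor":"bob","action":"delete","op_id":"op-2","path":"/hr/c.doc","device":"desktop"}
{"ts":"2013-10-01T09:20:44Z","actor":"carol","action":"download","op_id":"op-3","path":"/sales/leads.csv","device":"mobile"}
{"ts":"2013-10-01T09:31:00Z","actor":"admin1","action":"delegate_admin","target":"dave","scope":"/sales"}
"""

BULK_THRESHOLD = 3  # files touched by one operation; assumed value, set per policy


def parse(log_text):
    """Turn JSON-lines audit text into a list of event dicts."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def alerts(events, bulk_threshold=BULK_THRESHOLD):
    """Return (rule, actor, detail) tuples for the events the policy names."""
    found = []
    per_op = defaultdict(list)  # (actor, action, op_id) -> paths touched
    for e in events:
        if e["action"] == "delegate_admin":
            # Delegation of administrator privilege to another user.
            found.append(("admin_delegation", e["actor"], e["target"]))
        elif e["action"] == "download" and e.get("device") == "mobile":
            # File downloaded to a mobile device.
            found.append(("mobile_download", e["actor"], e["path"]))
        if e["action"] in ("download", "delete"):
            per_op[(e["actor"], e["action"], e["op_id"])].append(e["path"])
    # Large volume of content deleted or downloaded in a single operation.
    for (actor, action, _op_id), paths in per_op.items():
        if len(paths) >= bulk_threshold:
            found.append(("bulk_" + action, actor, len(paths)))
    return found


if __name__ == "__main__":
    for alert in alerts(parse(SAMPLE_LOG)):
        print(alert)
```

Grouping by operation ID rather than by time window matches the "single operation" wording; a service that does not expose an operation ID would need a per-actor time window instead.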
Security awareness training
Educating users about security awareness can seem like a Sisyphean task. In spite of the challenges, it is important to educate users about the risk of data loss when using cloud services.
We can help non-IT professionals understand that once in the cloud, documents can be shared or downloaded to multiple devices without being subject to network controls, such as data loss prevention scanning.
Workers need to know that cloud-based systems may not have the same access controls found in enterprise systems, so operations that might be blocked internally are not blocked in a cloud storage service. The goal, of course, is to educate users about risks, not to give them ideas about how to circumvent enterprise controls.
Cloud storage services facilitate working with personal devices. Security awareness training should inform users about policies regarding lost or stolen devices that contain sensitive corporate information. Employees should know that if a smartphone or tablet is lost or stolen, the consequences may include remote wiping of all data, personal and enterprise alike.
Incident response
In spite of best efforts by cloud service providers and users, breaches can still happen. Have policies in place to respond to provider-level breaches, such as stolen passwords or compromised Secure Sockets Layer (SSL) certificates. Policies should also encompass user-level incidents, such as employee accounts getting hacked.
Consider preventive measures such as requiring that sensitive material be encrypted before it's uploaded to a cloud service. Incident response policies should include steps to assess the volume and type of content that is compromised. Log files collected for monitoring purposes can help reconstruct, or at least approximate, the state of the compromised folders and accounts at the time of a breach.
Organizations adopting consumer cloud storage or related services need to balance ease of use with security concerns. IT admins must consider several issues, including the drivers for consumer cloud storage adoption, the options for storage providers, and the level of enterprise support and third-party add-ons that a service provides.
One of the most important aspects of managing corporate information that resides in external services is establishing and maintaining policies that address authentication and authorization, monitoring and reporting, security awareness training, and incident response.
This was first published in October 2013