Personal cloud storage continues to be one of the most pervasive security headaches for IT security professionals. Employees want to use not only their personal devices for work, but also the consumer-focused, personal cloud applications of their choice. Why? Consumer apps are generally more intuitive and fun than their enterprise counterparts. Unfortunately, what's fun for the employee tends to generate many sleepless nights for IT.
“Whack-a-mole” is not a security strategy
IT tends to respond to these employee preferences by establishing policies to prohibit the storing of company data in personal cloud services. Employees usually ignore IT's direction and continue using the apps of their choice. A survey by 451 Research shows 44 percent of employees have or are planning to use consumer apps for work, regardless of company policy. A related study by Ovum found that, of employees using file sync and share tools at work, only nine per cent are satisfied with the commercial offering given to them by their corporate IT department.
Employees aren't intentionally putting data at risk; they simply want to get the job done and are often turning to familiar consumer services to do this, bypassing IT approval on the way. Arguably, these tools are enhancing productivity, but the downside is that these services lie beyond the control of IT departments and traditional enterprise security practices.
CIOs must embrace these changes whether they like them or not. If employees aren't allowed to use the apps they want, they will simply go behind IT's back and do it anyway. Similar to a game of “whack-a-mole,” as soon as IT restricts one app, another one will inevitably pop up. Whack-a-mole may be a fun game at the arcade, but it is not a security strategy.
By building architecture that provides consistent security across business and consumer cloud services, employees can continue using the tools and workflows that make them most productive without the worry of a policy breach. This can be tackled in three stages:
Secure cloud access, secure cloud storage and a secure cloud ecosystem.
Stage 1: Secure cloud access
IT departments should provide employees with secure access to company documents from a protected content hub on the mobile device. This hub is generally an approved content management app on the smartphone or tablet. This app should be able to connect to necessary cloud repositories, whether personal (Dropbox) or professional (Box, Office 365).
Employees need to be able to easily view content, make edits and share content securely with their colleagues from this app.
Stage 2: Secure cloud storage
In IT's eyes, not all cloud storage is created equal. Unfortunately, many times the cloud storage app the employee likes the best is also the one that panics IT the most. IT must implement an architecture that supports file-level protections so that a document is protected even if it is placed in a personal cloud storage service that does not meet enterprise IT security standards.
By implementing protection at the file-level, IT can also track activities associated with the document and provide the necessary reporting and traceability required for audits.
Stage 3: Secure cloud ecosystem
The last piece to the security puzzle: choice of apps. Employees want to use the mobile apps of their choice, and so the best app for the job in the employee's mind also needs to be authorised by IT. Because preference varies by employee, this is a problem of many, not one. IT must be able to secure an ecosystem of apps.
Each of these apps must be able to plug into a shared security framework so that it can decrypt the secure file in the cloud and manipulate it without losing the file-level protections. A shared security framework across this cloud ecosystem is essential to ensure that IT operations will scale.
Focus on choice, not restriction
Employees should now be (finally!) happy. They have their choice of device, choice of app, and choice of storage. And, in this model, content security is completely invisible to them, as it should be, and does not interfere in any way with the user experience.
Traditional approaches to content security that involve the locking-down of mobile devices and dictating which applications employees are allowed to use aren't sufficient to protect data in today's mobile world. These approaches interfere with user experience, limit productivity in the workplace, and encourage employees to seek their own solutions.
By approaching mobile content security from the angle of choice rather than restriction, companies will be able to meet the growing demands of tech-savvy employees while protecting company data.
Now is the time to start designing your architecture to secure the personal cloud. Make 2015 the year that your organisation converts the personal cloud from IT's biggest nightmare into your employees' favourite mobile productivity engine.
Contributed by Ojas Rege, vice president of strategy, MobileIron