In late September, U.K. firm WinMagic released a survey that made some pretty important points about use of public cloud services at work. The bottom line: Five percent of employees use the cloud against their organizations’ wishes, 10 percent who use the cloud weekly are not confident that their service is secure, and more than half (65 percent) either work at companies with no security policy or work at companies that have one but don’t know what it is.
This isn’t good.
In an age of near-total mobility, the almost universal use of personal devices for work, and almost ubiquitous public storage services, it is unrealistic to think that storage would be the same locked-up and tight category that it was just a few years ago. These responses, taken all together, suggest that folks are not particularly concerned about where data is stored.
This attitude must change, and the place to start is clear.
The first step in protecting data in public clouds is to enfranchise employees. They must be aware of the rules and be willing to play by them. Many will be fine with that if the rationale for security is explained clearly. Many workers are ill-informed and some are lazy. Few, however, would purposefully endanger their employers – and their jobs in the bargain – by blatantly doing something that the company says is off limits.
Enfranchisement will go only so far, however. It’s interesting to note that the three points above hit subtly different themes. The first is about employees not following the rules; the second is about employees not having confidence in the infrastructure they are using (which may lead them to not follow the rules); the third is about not being aware of the rules. Organizations must work to change all three. Different strategies may be necessary, of course.
The reality is that IT and security personnel have been playing a game of catch-up since the dawn of the wireless LAN segment, which signaled the beginning of the end of their total control of data and its security. It is a battle that they are preordained to lose. There is no way that a company can keep employees from using the consumer cloud provider of their choice, just as there is no way to keep them from using their iPhone or Android device for work. It is the same challenge as the overall BYOD world: Control of devices, and what is done with those devices, ultimately is in the hands of the employee.
Of course, companies can beg, cajole, and coax employees to follow a set of rules that they establish. Some will. Others will decline. Most won’t be aware of the issue and will or won’t use off-limits public cloud providers by chance. This isn’t – as people said in another time and age – any way to run an airline.
There is one way in which everyone wins: Take control out of the hands of employees. By encrypting vital data, both at rest and in transit, the responsibility for the safety of the data is removed, to a large degree, from employees. That will make them happy, at least to the extent that they are aware of what is going on. It also will please security staffs charged with protecting data and, in many cases, fulfilling legal privacy requirements.
The bottom line is that public cloud storage is here to stay. So, of course, is the need for security. The best way to deal with it is to do two contradictory things at once: Get employees on your side – and use encryption to make their actions less vital.
Carl Weinschenk is a long-time IT and telecommunications writer. His work most often posts at IT Business Edge and Broadband Technology Report. He also runs a music website, The Daily Music Break. More information can be found at Weinschenk Editorial Services. He is on Facebook and Twitter.