Smartphones, tablets and phablets are just too easy to use, with most  – if not all – offering to back up data to the cloud as either a default option or via a single click. One of the potential issues is the security of the supplier’s cloud cannot be guaranteed, and it must be remembered availability is just as much a part of security as confidentiality and integrity.
So, what can be done to stop potentially sensitive company data being exported to these supplier clouds? 

One approach is to just ignore the problem exists, while another is the simple – and I suspect anticipated – answer of having guards at company premises to remove all personal smartphones, tablets, memory sticks and so on from all staff and visitors. Furthermore, making the IT department ensure any company PC or laptop is heavily locked down to remove the possibility of a cloud connection.
But neither of these approaches do a reasonable job in mitigating the risks of data exfiltration while allowing flexible use of new technologies and ways of doing business.

Potential practical solutions will depend on a company’s policies. For example, the answer may differ if an organisation insists on company-supplied IT only (including company-selected technologies and devices), or if it employs a buy-your-own device policy (where any device, or one of a limited selection, is supported). 
Some of the things that can be done and would apply in most scenarios include the following:
Staff education
Management education
Regular reinforcement of the education given
Well-thought-out formal acceptable-use policies (AUP) that are published, made easily accessible and formally tied into staff contracts
Effective staff disciplinary procedures for breaking the AUP’s that are enforced
Well-written standards, templates and work practices for setting up devices and central services
Where possible, network/system controls put in place to monitor and/or control what files can be downloaded, what they can be downloaded to and when.
As a minimum, audit logs need to be maintained to identify who did what and when to a file.
Peter Wenham is a committee member of the BCS, The Chartered Institute for IT security forum strategic panel and director of information assurance consultancy Trusted Management.

Email Alerts
Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Read More

Related content from ComputerWeekly.com

RELATED CONTENT FROM THE TECHTARGET NETWORK

This was first published in October 2014

Leave a Reply