With careful implementation of BYOD rules and procedures such as tracking through mobile device management, setting up security to block intruders from breaking into a firewall or virtual private network (VPN), and employee training, enterprises are meeting the challenges of BYOD, and the trend is progressing. Today, however, employees have moved on to a new organizational and IT challenge: bring your own cloud (BYOC).
Bring your own device (BYOD) may have been a hot topic over the past decade, but now CIOs are grappling with something else: bring your own cloud (BYOC). Employees, frustrated with in-house IT services that don’t measure up, are signing up for external SaaS services without the IT department’s consent.
Bring your own cloud (BYOC) is a concept/trend in which employees are allowed to use public or private third-party cloud services to perform certain job roles. BYOC often involves the piecing together of enterprise and consumer software - both in the cloud and on the premises - to get the job done.
The issue is that cloud services may not align with corporate security policies, and yet users can still store sensitive data in them and even use them to handle company data while not on the enterprise network. What should IT departments be doing about it?
CIOs seem more confident today about employees’ cloud usage than they did two years ago. The 2016 Global Data Cloud Security report, researched by the Ponemon Institute, found that 54 per cent of respondents are confident or very confident about employees’ cloud usage today. This means that a little under half of all respondents aren’t confident about what cloud services their workers are using.
It’s difficult for IT departments to guarantee security in a cloud environment at the best of times, but even more so when they are dealing with an unknown quantity. In a worrying proportion of cases where companies see users bringing their own cloud services (40 per cent), it’s simply because security evaluations aren’t a priority.
Even when companies do care, they’re largely unable to stop users bringing consumer-grade cloud services to their door. Seven out of ten IT professionals in this group said they couldn’t control their users. In 41 per cent of cases, no one is in charge of this process, and even when people are, there simply aren’t enough resources to evaluate what users are doing.
What can companies do about this?
A security policy is the obvious answer, restricting employees from using unapproved services. But the stick rarely works without a carrot.
Brendan O’Connor, security researcher and senior security advisor at Seattle-based Leviathan Security Group, argues that IT departments should adopt the Peelian principles of policing. Named for U.K. home secretary Sir Robert Peel back in 1829 as the first official police forces came into being, these principles outlined how police should behave. For example, enforcers shouldn’t maintain law and order through force but rather by working with the public and obtaining their consent.
The same goes for security pros, said O’Connor, arguing that security shouldn’t be an end in itself, but rather a support function. “So let’s cast ourselves in the support team role. The security person should say ‘yes, I will do the research to figure out how we can make that happen.’”
In an environment where consumers are conditioned to demand convenient online services, IT departments must cater to them. Doing that in-house may be difficult — after all, it isn’t every IT team that can afford a portfolio of in-house software to satisfy users’ every whim.
The alternative is to broker external cloud services for employees, which would give the IT department an opportunity to evaluate their security and approve them.
This reliance on external services is already making its way into some organizations.
This requires a measure of agility in IT departments, which must be nimble enough to hear users’ demands, procure a solution and evaluate it for security.
The Ponemon report suggests this may present its own challenges. If anything, the onus for evaluating the security of cloud providers is shifting to the end-user. Three out of ten companies rely on users to determine themselves whether or not a cloud service is secure. Corporate IT decides in just 23 per cent of cases, and information security pros in just 15 per cent, according to the report.
Moving to a more collaborative relationship between IT and users may be a daunting prospect for many CIOs used to a more authoritarian model of IT.
The alternative isn’t very appealing, though, as it involves buying tools to stamp out unauthorized use of consumer cloud services. Those games of IT whack-a-mole can be expensive, and frustrating for all concerned.
In theory, an organization may encourage freely available cloud services as an alternative to reduce capital and operational costs related to IT services, such as cloud storage, collaboration and basic productivity applications. In practice, employees are the ones driving the change as it's often simply more convenient to use existing personal accounts. The big downside is that an organization has little to no control over BYOC services, which are owned (or at least controlled) by employees and hosted by a third-party provider.
What's driving the change is the freemium model of delivery. What was licensed software is now often available as a low-cost or SaaS application. For example, Google’s email services provide a cloud storage drive as a native add-on that may be used to store, share and collaborate on documents. Another good example is employees using their own personal Dropbox account for work. This is especially common in larger organizations that don't have the budgets or staff to keep up with changes in IT. What was once an enterprise-level storage solution is now available for free or at a nominal cost. Tech-savvy employees who might previously have been locked down from adding apps on the desktop can now do just about anything via a browser.