How do you stop leaks to the personal cloud?

Convenience and security rarely play well together.

Last week IBM put a stop to the use of personal cloud services like Dropbox and SkyDrive. http://www.theregister.co.uk/2012/05/25/ibm_bans_dropbox_siri/

IBM identified these services as a security risk, and they are right. BYOD brings many challenges, and a big one for organizations is stopping users from storing company documents on public cloud drives. Cloud drives create a huge funnel through which organizational documents can be siphoned to a location outside the organization. It's never immediately clear where the endpoints of a cloud drive are, or just who has access, once a document is copied to a cloud drive folder.

People don't use cloud drives because they want to share confidential documents, but because they are convenient. Unfortunately, convenience is the bane of security. With cloud drives you never know whether someone has set their sharing permissions correctly: everything stored in their cloud drive could be exposed to the world because of a single permissions mistake. If a laptop or mobile phone that is connected to a cloud drive is stolen or misplaced, whoever finds it may have access to the contents of the cloud drive, because the synchronized copy sits on the device and the client is usually still signed in. How many cloud drive services allow you to remotely disconnect a node if you lose the device hosting it?

If you allow BYOD, how do you block cloud drives? In the olden days you could put a block at the organizational firewall or proxy. Today many BYOD devices have built-in broadband chips, so the organization has no network-layer control over what people can and cannot access. You can create an organizational policy banning the use of these services, but unless you inspect each and every person's BYOD computer, you won't really know whether it is being followed. The advantage of network-layer blocks is that they tend to be more effective than policy blocks; the catch is that they only work for traffic that actually crosses your network.

One technology that is available in Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 is Active Directory Rights Management Services (AD RMS). When correctly deployed, AD RMS stops people from opening documents that they aren't authorized to open, whether they are attempting it on the local organizational network or at home with a file opened from a folder mapped to a cloud drive: the document content is encrypted, and the key is released only to users the publishing policy authorizes, so a copy that ends up on a cloud drive is just ciphertext to everyone else. Even though AD RMS has been around for a while, it still lacks the sort of simple interface that encourages wider deployment.
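To make that protection model concrete, here is an added example that is not AD RMS code and is not from the original post. It models the property the post relies on: the protected file carries only ciphertext and a policy identifier, the content key stays on a licensing service, and the service hands the key out only to principals the policy authorizes, so the copy sitting in a synced cloud-drive folder is useless on its own. The `LicensingServer` class, the contoso user names, and the sample document are hypothetical; the cipher is a standard-library stand-in (SHA-256 keystream in counter mode plus an HMAC-SHA256 tag), not the AES that AD RMS uses, so the example runs without third-party packages.

```python
"""Model of rights-management-style document protection (added example, not AD RMS).

Protected file = JSON {policy_id, ciphertext}. The content key never leaves the
licensing service except inside a "use license" issued to an authorized user.
Cipher below is a stdlib stand-in (hash-based counter mode + HMAC), not AES;
use AES-GCM or similar in real code. Names and users are hypothetical.
"""
from __future__ import annotations
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes by hashing key || nonce || counter (counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip the keystream. Raises ValueError on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("protected document has been tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class LicensingServer:
    """Hypothetical stand-in for the licensing role of an RMS cluster.
    Holds the content key and the policy (user -> rights) for each published
    document and never releases a key to a principal the policy does not list."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._policies: dict[str, dict[str, set[str]]] = {}

    def publish(self, policy_id: str, policy: dict[str, set[str]]) -> bytes:
        """Register a policy; return the content key to the publishing client only."""
        key = secrets.token_bytes(32)
        self._keys[policy_id] = key
        self._policies[policy_id] = {u: set(r) for u, r in policy.items()}
        return key

    def revoke(self, policy_id: str, user: str) -> None:
        """Drop a user from the policy, e.g. after that user's device is reported lost."""
        self._policies[policy_id].pop(user, None)

    def use_license(self, policy_id: str, user: str, right: str) -> bytes:
        """Release the content key only if `user` holds `right` under the policy."""
        rights = self._policies.get(policy_id, {}).get(user, set())
        if right not in rights:
            raise PermissionError(f"{user} is not granted {right} on {policy_id}")
        return self._keys[policy_id]


def protect(server: LicensingServer, policy_id: str,
            policy: dict[str, set[str]], plaintext: bytes) -> bytes:
    """Publish the policy and build the protected file that travels with the data."""
    key = server.publish(policy_id, policy)
    return json.dumps({"policy_id": policy_id, "blob": encrypt(key, plaintext).hex()}).encode()


def open_document(server: LicensingServer, protected: bytes, user: str) -> bytes:
    """What the client does wherever the file is: get a use license, then decrypt."""
    envelope = json.loads(protected)
    key = server.use_license(envelope["policy_id"], user, "View")
    return decrypt(key, bytes.fromhex(envelope["blob"]))


def demo() -> dict:
    """Walk through the post's scenarios; returns the outcomes so they can be checked."""
    server = LicensingServer()
    secret = b"CONFIDENTIAL: Q3 acquisition targets"  # constructed sample content
    protected = protect(server, "doc-0001",
                        {"alice@contoso.com": {"View", "Edit"}, "bob@contoso.com": {"View"}},
                        secret)
    results = {}
    # 1. The file as it sits in the synced cloud-drive folder carries no plaintext.
    results["plaintext_in_file"] = b"CONFIDENTIAL" in protected
    # 2. An authorized user opens it at home from the cloud-drive folder.
    results["bob_opens"] = open_document(server, protected, "bob@contoso.com") == secret
    # 3. Whoever found the lost laptop, or a stranger the folder was shared with.
    try:
        open_document(server, protected, "finder@example.net")
        results["outsider_opens"] = True
    except PermissionError:
        results["outsider_opens"] = False
    # 4. Bob's device is reported lost; revoke him and the same file stops opening.
    server.revoke("doc-0001", "bob@contoso.com")
    try:
        open_document(server, protected, "bob@contoso.com")
        results["bob_opens_after_revoke"] = True
    except PermissionError:
        results["bob_opens_after_revoke"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the revoke step is the answer to the "remotely disconnect a node" question: because every open goes back to the licensing service for a use license, pulling a user from the policy takes effect on every copy of the file, including the one in a cloud-drive folder on a device you no longer control. The trade-off is the same one AD RMS makes, namely that clients need to reach the licensing service (or hold a cached license) to open anything.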

If your organization is considering a BYOD policy, you have to come up with some policy around the use of cloud drives. You could take the IBM approach and ban them outright, or try to find some sort of middle ground.

Follow me on twitter: @orinthomas

Comments (3)

on May 30, 2012
Where did you get that IBM was blocking "SkyDrive"? From what I have read, don't you mean Apple's Siri?
on May 30, 2012
@Germanos "... You cannot prevent data leaks." Probably true so the next best thing is to try and prevent the data that leaks out from being read. "... When correctly deployed, AD RMS blocks people from opening documents that they aren't authorized to open, whether they are attempting to do it on the local organizational network, or at home with a file that they are opening from a folder mapped to a cloud drive. ..."
on May 28, 2012
You don't. There will always be a potential for data leaks. Before the Cloud became common, people copied files to diskettes or USB drives. They also e-mailed docs to themselves or put a personal e-mail address in the BCC field. You cannot prevent data leaks.


What's Hyperbole, Embellishment, and Systems Administration Blog?

IT pro Orin Thomas provides true tales, snafus, news, and urban legends for Microsoft Windows system administrators.

Contributors

Orin Thomas

Orin Thomas is a contributing editor for Windows IT Pro and a Windows Security MVP. He has authored or coauthored more than thirty books for Microsoft Press, founded the Melbourne System Center,...