
Security is, more often than not, a case of getting the basics right. This is certainly true of the cloud where the hyperbole surrounding insecurity far outweighs the actual risk in my opinion. Not that the cloud is an inherently secure place to store data, just that it poses similar risks to other data storage methodologies which need to be assessed and dealt with accordingly. So when I hear statistics being bandied about such as '68 per cent of employees use personal cloud storage services at work' as was thrown in my direction this last week, I cannot help but heave a little sigh.

This is not a cloud issue, despite it being wrapped up as one when I saw it; it's a basic security principles one. Consumer grade services are called that, and sold as that, for good reason - primarily because they are not intended to be used within a business context. Sure, plenty of people DO use them for commercial purposes but that is beside the point; it doesn't make them enterprise grade in terms of security. This kind of service misuse, for want of a better word, is what you might call a rogue cloud or shadow cloud. Shadow because it is hidden from the business, and rogue because it isn't meant to be there.

Actually, in the real world, neither descriptor is actually accurate more often than not. I've been to many an enterprise where the existing information security policy does not cover the use of such cloud-based services and therefore the user is not in contravention of it. Equally, zero-visibility should not be a term that is recognized within the secure enterprise; at some point there has to be visibility as to where commercial data is coming from or heading to. Indeed, it should be a matter of common sense for an organisation to remove the cloak of invisibility that surrounds such rogue services and this is done using a combination of policy and policing.

Determine which devices and platforms are supported (from your data security viewpoint) and make it policy that non-supported devices and services are not allowed to access/store corporate data. Another bit of basic common sense is that while you might not be able to secure all the end points, you should be able to secure all the data and the magic wand to be waved has the word 'encryption' stamped upon it. I guess what I'm saying here is that data is data at the end of the day, and a data-centric approach to securing it works best. Equally, insecure practice is insecure practice so work to abolish that throughout your business.

Give some real thought about how best to merge governance and compliance with shadow IT usage and end up with a secure strategic framework. In other words, wrap your policy around the available technology and take a real-time approach to threat detection in order to remediate the endpoint risk.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
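As an added illustration of the "policy and policing" point in the post above (example code, not from the post or the site): a Python check that runs over constructed proxy log lines and totals, per user, the bytes uploaded to consumer cloud storage hosts that a hypothetical policy has not sanctioned. The log format, host lists and user names are all assumptions made for the example.

```python
from collections import defaultdict
import re

# Constructed sample proxy log: "<ts> <user> <method> <host> <bytes_out>" per line.
SAMPLE_LOG = """\
2024-05-01T09:12:01Z alice POST upload.sanctioned-drive.example 524288
2024-05-01T09:15:44Z bob PUT api.personal-box.example 10485760
2024-05-01T09:16:02Z bob GET www.news.example 0
2024-05-01T10:01:13Z carol POST sync.personal-cloud.example 2097152
2024-05-01T10:05:09Z bob PUT api.personal-box.example 3145728
"""

# Hypothetical policy: hosts the business allows for corporate data.
SANCTIONED_HOSTS = {"upload.sanctioned-drive.example"}
# Hypothetical consumer cloud storage hosts (a real list would come from a URL-category feed).
PERSONAL_CLOUD_HOSTS = {"api.personal-box.example", "sync.personal-cloud.example"}
UPLOAD_METHODS = {"POST", "PUT"}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d+)$")


def parse_line(line):
    """Return (user, method, host, bytes_out), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, user, method, host, size = m.groups()
    return user, method, host, int(size)


def shadow_cloud_report(log_text):
    """Bytes uploaded per user to unsanctioned personal cloud hosts.

    Returns {user: {host: bytes}}; sanctioned hosts, downloads and
    malformed lines are ignored, so the result is the follow-up list.
    """
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, method, host, size = parsed
        if method in UPLOAD_METHODS and host in PERSONAL_CLOUD_HOSTS - SANCTIONED_HOSTS:
            report[user][host] += size
    return {u: dict(h) for u, h in report.items()}


if __name__ == "__main__":
    for user, hosts in shadow_cloud_report(SAMPLE_LOG).items():
        print(user, hosts)
```

The output is a visibility list for policy follow-up, not a block list; adding a host to SANCTIONED_HOSTS is how a newly approved service drops out of the report.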

I agree 100% with HappyGeek. Just think of the cloud as being an external data center. You still have to put in place the security methods you do for internal ones with external access. At Nokia we had thousands of servers in the Amazon cloud, and virtually no security issues, but then our network security people were very diligent in how they configured the systems, network connections, and all that cruft. They did in the cloud what they did in our own physical data centers. As a result, I never heard about any breaches of security, and I managed our performance, test, and analytical accounts in AWS - I would have been informed.

And the Internet has become a torrenting heaven. Why not get up and go buy some actual software? My whole system is full of genuine software.

Erm, what has torrenting got to do with cloud security in the context of this story? Seems a bit of a random comment that...

Sorry happygeek, it's just I have one annoying cold that is not going away and is not making me focus properly. Anyway, back to topic.
