In 2013, the Cloud Security Alliance released “The Notorious Nine” threats for cloud computing. A few months later, I have the feeling that the most important threat is missing: “Bring Your Own Cloud” (BYOC).
BYOC is when an employee uses a cloud-based service for business purposes without the blessing of his or her company. The employee clearly puts the company at risk: he or she may bypass all of the company’s security policies, as well as the fences the company put in place to protect its IP and infrastructure.
BYOC is easy to do and, unfortunately, awfully convenient.
- You just need to enroll in a free SaaS service to start using it immediately. It is sometimes faster than asking the IT team for the same service. How many of your employees have opened an account at Dropbox, Box, GitHub, or some other cloud sharing service? How much of your sensitive information is already out in the cloud? The employee will most probably not check whether the service is secure. The default settings are not necessarily the ones you would choose. And of course, the employee will not have read the SLA.
- You just need the company credit card to open an account with an IaaS or PaaS provider. This is clearly faster than asking the IT team to install a bunch of servers in the DMZ. But how secure will those servers be?
The fast and free (or cheap) enrollment of cloud services makes them extremely attractive to employees. And they do not do it maliciously; they will always have strong rationales for their actions.
But it can easily become a nightmare for the company when things go wrong, especially if the employee registered with his or her personal email rather than the company’s email. In that case, the company will have a hard time handling these accounts.
What can we do? The cloud is inevitable, so we must anticipate the movement. A few actions:
- Provide a company-blessed solution in the cloud for the types of services your employees will need. This solution can be fine-tuned to meet the security requirements you expect. The account will be in the name of the company, and thus manageable. Premium services often offer better security features, such as authentication against your Active Directory, logging, metering…
- Update your security policy to make it mandatory to use only the company-blessed solution.
- Educate your employees so that they are aware of the risks of BYOC.
- Listen to their needs and offer an attractive list of company-blessed services.
- Make it convenient to enroll in the company-blessed services.
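Once a company-blessed list exists, the obvious companion check is to look at the web proxy logs for traffic to cloud sharing services that are not on it. The script below is an added example, not part of the original post; the log format, the sanctioned host, the `example.com` domains and the byte counts are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the original post):
# timestamp user destination-host bytes-out
SAMPLE_LOG = """\
2013-06-03T09:12:01 alice files.sharepoint.example.com 1200
2013-06-03T09:15:44 alice www.dropbox.com 8400000
2013-06-03T10:02:10 bob github.com 52000
2013-06-03T10:05:33 bob files.sharepoint.example.com 3100
2013-06-03T11:40:09 carol app.box.com 2200000
2013-06-03T11:41:00 carol www.example.com 900
"""

# Company-blessed service (hypothetical): traffic here is expected.
SANCTIONED = {"files.sharepoint.example.com"}
# Well-known cloud sharing / code hosting services; hitting one of these
# without it being sanctioned is the BYOC signal we are after.
CLOUD_SHARING = {"dropbox.com", "box.com", "github.com"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def classify(host):
    """Return 'sanctioned', 'byoc' or 'other' for a destination host."""
    if host in SANCTIONED:
        return "sanctioned"
    # match the host itself or any parent domain against the watchlist,
    # so dl.dropbox.com is caught as well as dropbox.com
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in CLOUD_SHARING:
            return "byoc"
    return "other"

def find_byoc(log_text):
    """Return {user: {host: bytes_out}} for unsanctioned cloud sharing use."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, user, host, nbytes = m.groups()
        if classify(host) == "byoc":
            report[user][host] += int(nbytes)
    return {u: dict(h) for u, h in report.items()}

if __name__ == "__main__":
    for user, hosts in sorted(find_byoc(SAMPLE_LOG).items()):
        for host, nbytes in hosts.items():
            print(f"{user}: {nbytes} bytes sent to unsanctioned {host}")
```

Bytes sent are summed per user and host so that a large upload stands out from a casual visit; in practice the watchlist would come from a maintained cloud-service catalogue rather than three hard-coded domains.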
Do you share this concern? What would you recommend?