Bring Your Own Cloud

In 2013, the Cloud Security Alliance released “The Notorious Nine”, its list of the top threats to cloud computing. A few months later, I have the feeling that the most important threat is missing from it: “Bring Your Own Cloud (BYOC)”.

BYOC is when an employee uses a cloud-based service for business purposes without the blessing of his or her company. The employee clearly puts the company at risk: he or she may bypass all of the company’s security policies, as well as the fences the company put up to protect its IP and its infrastructure.

BYOC is easy to do and, unfortunately, awfully convenient.

  • You just need to enroll in a free SaaS service to start using it immediately. That is sometimes faster than asking the IT team for the same service. How many of your employees have opened an account at Dropbox, Box, GitHub, or some other cloud sharing service? How much of your sensitive information is already out in the cloud? The employee will most probably not check whether the service is secure, and its default settings (who can see a shared file, for instance) are not necessarily the ones you would choose. And of course, the employee will not have read the SLA.
  • You just need a company credit card to open an account with an IaaS or PaaS provider. That is clearly faster than asking the IT team to install a bunch of servers in the DMZ. But how secure will those servers be?

The fast and free (or cheap) enrollment in cloud services makes them extremely attractive to employees. And they do not do it maliciously: they will always have strong rationales for their action.

But it can easily become a nightmare for the company when things go wrong, especially if the employee registered with his or her personal email rather than the company’s. In that case, the company will have a hard time taking control of those accounts.

What can we do? Cloud is inevitable, so we must anticipate the movement. A few actions:

  • Provide a company-blessed solution in the cloud for each type of service your employees will need. Such a solution can be fine-tuned to meet the security requirements you expect, and the account will be in the company’s name, thus manageable. Premium tiers often offer better security services, such as authentication against your Active Directory, logging and metering.
  • Update your security policy to make the use of the company-blessed solutions mandatory.
  • Educate your employees so that they are aware of the risks of BYOC.
  • Listen to their needs and offer an attractive list of company-blessed services.
  • Make enrolling in the company-blessed services convenient.
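The check a practitioner would want before any of the above is a measure of the problem: a pass over the web proxy logs for traffic to cloud services that are not on the company-blessed list, aggregated per user, with a flag on requests that look like an account being created. The script below is an added example, not code from the original post; its log format, the watched-domain list, the company-blessed host names and the sample log lines are all constructed for illustration.

```python
"""Spot shadow-cloud ("BYOC") usage in web proxy logs.

Added example, not from the original post. The log format, the domain
lists and the sample lines below are all constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Services the company has blessed (hypothetical host names).
COMPANY_BLESSED = {"files.example-corp.com", "git.example-corp.com"}

# Public cloud services to watch for, keyed by registrable domain.
# A real deployment would load a much longer list from a proxy or CASB vendor.
WATCHED_CLOUD = {
    "dropbox.com": "file sharing",
    "box.com": "file sharing",
    "github.com": "code hosting",
    "amazonaws.com": "IaaS",
    "herokuapp.com": "PaaS",
}

# Path fragments that suggest an account is being created rather than used.
# Heuristic only: vendors name their sign-up pages differently.
SIGNUP_HINTS = ("signup", "register", "join", "create_account")


def registrable_domain(host):
    """Return the last two labels of a host, e.g. www.dropbox.com -> dropbox.com.
    Good enough for the demo; real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line):
    """Parse one proxy log line of the constructed form
    '<timestamp> <user> <client_ip> <url> <method> <status>'.
    Returns None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, ip, url, method, status = parts
    host = urlparse(url).hostname  # strips scheme, port and path
    if not host:
        return None
    return {"ts": ts, "user": user, "ip": ip, "url": url, "host": host,
            "method": method, "status": status}


def classify(entry):
    """Return (service_category, is_signup) when the host belongs to a watched
    cloud service that is not company-blessed, otherwise None."""
    host = entry["host"]
    if host in COMPANY_BLESSED:
        return None
    dom = registrable_domain(host)
    if dom not in WATCHED_CLOUD:
        return None
    path = urlparse(entry["url"]).path.lower()
    is_signup = any(hint in path for hint in SIGNUP_HINTS)
    return WATCHED_CLOUD[dom], is_signup


def find_byoc(lines):
    """Aggregate unsanctioned cloud usage per user.
    Returns {user: {domain: {"category": str, "hits": int, "signup": bool}}}."""
    report = defaultdict(dict)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit is None:
            continue
        category, is_signup = hit
        dom = registrable_domain(entry["host"])
        rec = report[entry["user"]].setdefault(
            dom, {"category": category, "hits": 0, "signup": False})
        rec["hits"] += 1
        rec["signup"] = rec["signup"] or is_signup
    return dict(report)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2013-05-06T09:12:03Z alice 10.1.2.3 https://files.example-corp.com/upload POST 200",
    "2013-05-06T09:14:11Z alice 10.1.2.3 https://www.dropbox.com/register POST 200",
    "2013-05-06T09:14:40Z alice 10.1.2.3 https://dl.dropbox.com/u/123/q3-roadmap.xlsx PUT 200",
    "2013-05-06T10:02:57Z bob 10.1.2.7 https://github.com/login GET 200",
    "2013-05-06T10:03:30Z bob 10.1.2.7 https://github.com/bob/internal-tool/push POST 201",
    "2013-05-06T12:00:00Z carol 10.1.2.9 https://ec2-54-1-2-3.compute-1.amazonaws.com:8080/ GET 200",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for user, services in sorted(find_byoc(SAMPLE_LOG).items()):
        for dom, rec in sorted(services.items()):
            flag = " (account creation?)" if rec["signup"] else ""
            print(f"{user}: {dom} [{rec['category']}] {rec['hits']} request(s){flag}")
```

Run as a script it prints one line per user and unsanctioned service; traffic to the company-blessed hosts is ignored. The registrable_domain helper keeps only the last two labels, so a real deployment should use the Public Suffix List, and the watched-domain list should come from the proxy or CASB vendor rather than being hard-coded, otherwise a provider you forgot to list is invisible.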


Do you share this concern? What would you recommend?

Designing security warnings

Microsoft released some interesting rules for deciding when and what to display to users in the case of a security warning. Microsoft proposed two nice acronyms.


A security warning should be Necessary, Explainable, Actionable and Tested (NEAT). In other words, the designer should only present a security warning when the user is genuinely needed to make a decision, when the situation can be precisely explained to the user, when there is something the user can actually do about it, and once the warning has been tested with real users.

Explaining a security warning is a difficult task, so Microsoft proposed a second acronym. The explanation should clearly state the Source of the issue and the Process the user may follow to resolve it, describe the Risk, be Unique to the user (that is, relevant to his or her context), offer some Choices and give Evidence (SPRUCE).

A nice initiative.

Financial crisis

This morning in my car I listened to Christian de Boissieu, a French economist. He explained that this crisis was different from previous ones due to a lack of trust. Trust? As in our preferred topic?

The current crisis is due to banking institutions that took too high risks. Nobody was seriously evaluating the acceptability of those risks, or worse, they did not care. In other words, the aversion to risk was extremely low. And of course, as we all know, the higher the risk, the higher the probability that the corresponding threat will materialize. Here we are.

De Boissieu pointed out that the world had already gone through many severe crises; just remember the deflating Internet bubble. Nevertheless, none of them shook the world this much. The massive attempts by central banks to inject money have had no serious impact. According to him, the banks no longer trust each other, which means they no longer lend money to each other. This lack of trust is such that they do not even dare to borrow money from the central banks. Their aversion to risk jumped from extremely low to extremely high. Thus the lack of trust freezes money and there is not enough liquidity available, so companies have trouble repaying their loans. A vicious circle.

It is strange that institutions such as banks, which are among those that master security best through the notions of risk management and trust, fell into that deadly pitfall. Once the crisis is behind us, security specialists should study it to learn from the mistakes. They were all about risk management, the crux of security.