A recent conversation with a security analyst made me think about the convergence of the increasing number of personal computing devices (including the iPad I’m writing this on) and the explosion of cloud services.
As a company or organisation trying to protect your data you have an interesting landscape to protect.
You have the full range of cloud services your business is signing up to, and a responsibility to make sure those providers protect your data as well as you would. You need to make sure those providers give you appropriate access to the data for investigations and compliance requests. And you hope you are not caught in some sort of collateral damage from other lodgers on the same servers, who have a different view of compliance and security.
And you have the mass proliferation of new personal mobile devices, which means your data is now replicating across these often insecure, unmanaged environments. Everyone's getting mobile – smartphones, iPads, home working – and, for the first time ever, buying their own devices to do it. And they want connectivity to your systems, often for very valid business reasons. So how do you control devices that access your systems but that you don't own?
And what struck me today was how poor these devices are as computing platforms in themselves.
An iPad or smartphone is not a great creator of spreadsheets and PowerPoints, nor, importantly, is it a great information storage device or file manager. To make them sing you need to add apps and services. Apple and others have turned a deficiency into a money-making opportunity – respect!
If I look at mine, I use a file store (Dropbox), a note-taking app (Evernote), a to-do manager (Toodledo) and more. And what do these applications encourage? A cloud service to make them work well across your estate of computing devices (laptops, desktops, tablets and smartphones). So what do I end up doing? Putting my data into cloud services that my IT department has never reviewed and has no knowledge of, with no real understanding of the security these services provide.
Security is more of an issue with these app cloud services than with social networking sites, because they focus on files, not conversations. Yes, you will upload pictures to Facebook, but you wouldn't upload work spreadsheets to share with your friends, would you? But Dropbox and its other productivity app companions encourage file storage, as it makes their solution more indispensable and they can sell you premium options and greater storage capacity.
So what does my IT security now have to cope with? Contracted cloud services, personal devices and a vast uncontracted personal cloud. A file that ITSec believes is company confidential could be everywhere, including well out of reach and unrecoverable, in a personal cloud they know nothing about.
Security is not getting easier and it's running out of (your) control.