Getting to Yes: How to Embrace Consumer Clouds Without Losing Control
Business is increasingly taking place outside the boundaries of corporate data centers with data being moved to public clouds at an accelerating rate. Collaboration with outside partners, consultants and clients in industries such as pharma, research, legal and finance is becoming the norm. It even has a name: "open collaboration."
As a result, employees who have embraced the cloud for their personal files, pictures and videos are turning to low-end "consumer grade" file-sharing services such as Dropbox for business activities. Thirty-eight percent of U.S. office workers admitted to storing work documents in personal clouds, often bypassing corporate IT policies, in a survey of 2,000 office workers conducted by Ipsos MORI.
New Privacy Challenges
The use of consumer clouds results in lack of visibility, policy enforcement and auditability for regulatory compliance reporting. Such offerings often have low levels of security and auditing, making them unsuitable for exchanging sensitive or regulated data. They also expose organizational data to leakage.
Furthermore, data may be compromised without IT's knowledge, since they may not even be aware that documents are being stored and shared in the cloud. For example: IT typically reclaims corporate devices when an employee leaves, but when documents are stored in an employee's personal cloud, corporate documents are outside the company's control and represent a security and compliance liability.
When data is moved to the cloud, although the enterprise still owns the data, custody moves to the cloud provider. It is difficult, if not impossible, to maintain visibility and control over data in the cloud and prove chain of custody.
Enterprises Recognize the Problem
Most IT shops are aware of this risk. "Seventy percent of organizations know or suspect this type of rogue employee activity takes place within their companies, and they're sprinting to catch up and regain control over company data," notes a research report from Enterprise Strategy Group.
In order to enforce corporate security policies in the cloud, IT needs to know 1) who is sharing, 2) which documents and 3) which cloud storage service. Having this visibility along with the capability to revoke access to these documents is a baseline for achieving policy enforcement in the cloud.
There are several reasons data can be sensitive enough to require some level of security. Some data falls under a compliance regulation imposed from outside the company. Examples include credit card data, personal health information, and sensitive federal government data. In some cases the detailed security requirements are specified by the outside organization. When they are not, an auditor will use an interpretation of the intent of the regulation to specify controls.
Even when regulatory compliance bodies have a certification process and the description of what is being certified is freely available, not all compliance is verifiable. So the quality of the security provided is uncertain until "judgment day," when regulators show up for an audit.
Current Approaches Not Working
Historically, corporate IT has lacked effective tools to balance security and compliance needs with the use of cloud-sharing services by employees. Enforcing strong security and control has typically resulted in solutions that are cumbersome for employees, and complex and burdensome for IT to implement and manage.
Meanwhile, alternative approaches, such as extranet sharing, usually impose obstacles for extranet partners since they often are required to install software or implement procedures that they can't -- or are not willing to -- implement. As a result, simple email is often used to exchange documents externally, requiring IT to implement email content management or data leak prevention solutions to try to limit security exposure.
What's needed is the ability for IT to regain visibility and control over data stored in public clouds so the organization can trust that it will remain private. This would allow employees to safely sync and share documents with extranet partners, while IT could go back to getting a good night's sleep.
Enter the Trustworthy Cloud
Trust in the physical world is enabled through relationships and contracts and enforced through supervision and punitive action. Building on the concept of trust, trustworthiness is a new model of enabling security through carefully designed and implemented technology, policies and reputation networks. Applied to the cloud, it means that even though organizations no longer have physical custody of their files once they're uploaded to the cloud, they have the means to secure sensitive documents so that they can be shared on multiple devices and with extranet partners.
Trustworthiness uses cryptographic algorithms to enforce policies, revoke access rights, and monitor access activities. It is defined and controlled exclusively by the data owner without any intervention from the cloud service provider. When secure access is associated with the content itself, the responsibility for security no longer resides with the cloud provider.
In a Trustworthy Cloud, authorized users have visibility into users, groups and documents limited by their role, but in a manner that doesn't weaken the cryptography or open the system to additional attacks. This model prevents any misuse of cloud data from going undetected by exposing an audit trail. In simplest terms, the solution enforces policies set up by the owners of the data without the solution or cloud providers ever accessing the data itself.
Implementing a Trustworthy Cloud model enables "zero knowledge" document sharing for collaborating across organizational boundaries using any cloud storage provider. For IT, it provides the ability to accommodate the growing use of BYOD (bring your own device) and BYOC (bring your own cloud) for business document sharing, while maintaining the visibility and control required for GRC (Governance, Risk Management, and Compliance). Best of all, a Trustworthy Cloud does not force users to adopt new tools or impose changes to an organization's existing security and audit infrastructures.