Last week I talked about the importance of being able to get your data out of the cloud. After all, that’s an aspect of availability.
Some people will say “Well, that means on public cloud providers like Amazon, Google, Microsoft and so on, and we don’t do that.” Maybe they avoid cloud providers for compliance or legal reasons. But that doesn’t mean that your data isn’t outside the firewall.
BYOD or “Bring Your Own Device” continues to become more popular. Everyone loves it. Employees get to use their personal devices, with which they’re familiar. Management can avoid buying and supporting computing hardware.
No, I don’t think those enthused employees are thinking carefully. Their monthly phone bill is now effectively a charitable donation to their company or government agency. If they worked on the factory floor, would they be OK with the boss expecting them to buy and maintain their own manufacturing equipment? And now they are never away from work. Supposedly urgent work messages are interjected into their private lives through every evening, weekend, and whatever short holidays they are grudgingly allowed.
It doesn’t make sense to me, but many people will behave that way.
Meanwhile, the boss will be happy for these benefits to the bottom line. At least for a while, but…
What happens when a employee leaves and takes their own device with them?
By tradition, the first form of panic to ensue will focus on confidentiality. Contact lists and the organization’s key business practices will likely come to mind first for bosses with sales and managerial backgrounds. But for those who came out of an engineering background, what about design details? Of course government, health care and financial sectors have their own specific worries about sensitive information itself.
It gets worse. Don’t forget about availability.
Even if you aren’t overly concerned about the secrecy of the information used by your staff, you simply need to have access to it. What if the only copy was on that device that your company or agency doesn’t own?
People worry about the cloud because they turn over some control to the provider. But at least you have a contract with that provider. What enforceable obligation does a terminated employee have to let you seize and analyze their possessions?
This is a case where public cloud services can make security better instead of worse. If you store the data on personal devices, you first lose control and then lose the data. But if you store your data on cloud providers and then access it through personal devices, you retain access to the information.
In Learning Tree’s Cloud Security Essentials course we show you how to work safely with large scale cloud servers. As for policing your employees’ use of mobile devices, that’s up to you.