A cloud is forming…a storm is coming

Personal Cloud services like Dropbox, OxygenCloud, GoogleDrive, ShareFile, Syncplicity, and others are gaining popularity both inside and outside of IT.  It’s pretty apparent that these solutions are coming on strong.

 The big push for these “Personal Cloud” solutions is mostly surrounded by the increase in the use of multiple devices in our daily productivity.  As we use SmartPhones, Tablets, Laptops, VDI, Kiosks, and our kids Kindles to get work done, the ability to access our data and do something with it is a key component.

 The “Personal Cloud” solutions are also coming on strong as a replacement to sharing files via Email or FTP.  As file sizes continue to grow, our email size restrictions have not kept up, and using these services to share data between users inside and outside of the enterprise has gotten much more popular.  It’s also a lot easier to right-click on a file and hit “Share” than to publish to an FTP, and then figure out how to ship the customer the link.

IT and Security departments are also figuring out how “easy” these services are to use and abuse.  The result is that many have started blocking access to these services to ensure that corporate data is not being “smuggled” out of the corporate domain.  Security isn’t wrong about this.  The level of risk in placing data into the cloud on service providers is real.  C’mon, if they can’t secure our credit cards, how secure can we feel about all of our data just sitting out there?

 These services, and the functionality that they provide, are taking off because it works…well.  As the amount and size of unstructured data continues to grow and grow, we need tools to better collaborate inside and outside of our organization.  In most organizations, it can be just as hard to share a large file with a co-worker as it is an external customer.

 What the enterprise needs is a solution that combines the flexibility and functionality of the “Personal Cloud” solutions with the right amount of corporate security and IT wrapped around it.  Let’s call this the “Enterprise Personal Cloud”.

 Several contendors have solutions that are at varying stages of development such as OxygenCloud, Citrix Sharefile, and VMware “Octopus” coming out that will satisfy many of the security and risk concerns that the Enterprise has with the publicly available services.  I would also expect major “Personal Cloud” vendors to also see the opportunity and adapt their services to better align with the enterprise requirements.

 I see nine major areas that “Enterprise Personal Cloud” (EPC) solutions need to have in order to be deemed safe and secure for corporate environments: 

  • Transparently Internet Accessible:  Whether you are on a corporate network or public network, or somewhere in-between, the EPC has to be transparently accessible.  That’s the nature of the solution…you have to be able to access wherever and whenever you WANT to.
  • On Premise Capabilities:  The data HAS to be able to live on corporate-owned and managed devices.  Yes, some of the content could live in the cloud, but that has to be at the discretion of the IT and Security teams.
  • Encrypted End To End:  At the transport layer, as well as at rest on the end user devices (see above) the data HAS to be encrypted.   No way around that.  In the age of Consumerization, we are going to see a proliferation of the data all over the place…if it’s well encrypted; it’s got a chance of being safe.  (Yes, I know that there are some security nuts out there who will rightly say that no encryption is totally safe, and they are right.  See my next comment)
  • Protected and Highly Available:  The data is the lifeblood of the end user.  This data must be protected via offsite backup, and should also be replicated to secondary sites to ensure continued availability in the event of an outage or disaster at the primary site.
  • Diverse Consumer Device Support:  One of the tenants of the Enterprise Personal Cloud is that it is based on allowing end-users to use personal/consumer oriented devices to access their data.  Solutions that support a more diverse set of devices and platforms will be more functional out in the field.  Restrictions to cover all possible combinations are sure to be necessary to maintain integrity and security…but poor device selection will not be very popular.
  • 3rd Party Sharing Capabilities:  A primary use case for the EPC solutions is going to be the ability to share data (bi-directionally) with internal and external users.  Rather than sending large files through email, the EPC solutions should allow for Links to be shared, securely opening up access to the shared files with those who have been allowed access.
  • Data Loss Prevention Integration:  Organizations that have sensitive data need to be able to track the usage and access of that data.  This need isn’t specific to the EPC solutions; however, the security and compliance aspects of this data are amplified when access to the remote data could be as simple as passing a hyperlink.  The EPC solutions should have some way to integrate with DLP Policy engines to ensure that private or sensitive data stays that way.
  • Online and Offline Access:  Data that lives in the EPC has to be accessible.  That’s the nature and draw of these solutions.  So, it would then be pretty much a waste if we had to be online and in a VPN session to access the data.  We have that now and it’s called “SharePoint”.  Not the same.
  • Policy Control over Devices and Data:  Not all data is suited to be distributed via the EPC solutions, and some data is WAY too sensitive for this.  Enterprises need the ability to apply policies (DLP, anyone?) to the data that is being placed into the EPC repositories for an added level of control.  IT also needs to be able to apply policies for security and control to the remote devices themselves, for Kill, Wipe, and Lock functionality.

Dealing with EPC Today and some unintended consequences

The solution today to securing EPC data and keeping our end users from storing data in places where we have no control over is to start playing Whac-a-Mole and block these services at the firewall.  Eventually, each organization will either reject the concept totally, or “legalize” one of the services that meet their specific needs and allow their users to access and share their data. 

Now, here’s where the system is going to suffer a bit of a fault.  Let’s say that you work for a company that blocks access to these services, as they haven’t been deemed safe or selected to be the service that you’re your company endorses.  Now, what happens when someone shares a file/link with you from outside of your own endorsed service?  Well, since your firewall is actively blocking access to all of the other services, you are out of luck.  Or are you?

So, you disconnect from your company network or VPN, fire up your 4g, and connect to that service outside of your firewall, download the file that you needed, and then reconnect back up to the network.

It’s THEN that it dawns on you.  Why do you HAVE to use the company endorsed/provided solution?  Why not just disconnect from the network, upload all of your data, completely working around the controls that your company put in place on the firewall, and then when you are done, reconnect back up to the company network?

So, what really just happened is that IT didn’t stop the “bad” behavior, they just put in a speed bump to curb behavior, and in the meantime, just made it harder to do my job.

Ooops. 

 (Names were not used, but these are real situations, and the details were removed to protect the guilty)

 Need for more thought on the security around Enterprise Personal Clouds

So, how do we FIX this?  The Personal Cloud is taking off in the enterprise like a plane without a pilot.  Autopilot is going to be ok for a while, but pretty soon, we are going to need someone to take the stick and land the plane safely, or there is an enterprise-sized tragedy waiting for us at the other end.

 We need to solve a few problems like….

  • How to be a consumer of EPC data from external sources without creating a security issue?
  • How to integrate DLP solutions to secure our sensitive and private data?
  • What level of Encryption will be satisfactory as we let corporate data start spilling all over the place?

Now, to go and pick which of my Personal Cloud solutions I have access to at the moment and save this blog posting.    🙂