Managing BYOC Risks: Enhancing Corporate Security in the Cloud Era

July 30, 2024
A few generations back, when the Internet was still an unknown commodity and inter-office mail came around in manila envelopes graffitied with the crossed-out signatures of every recipient that envelope had ever met, network security was largely an in-house affair with data tapes and mainframes playing a central role. One of the noteworthy challenges for the IT wizards of that era was that no matter how sophisticated they made the system, employees would save time by writing their password on a piece of paper and taping it to the underside of the keyboard. It was discreet, convenient, and hassle-free.

In this age, while Technology Officers and IT departments of companies and organizations everywhere struggle with new technological developments such as cloud storage and virtualization, their employees continue to find easy, convenient ways to get their work done. In many cases, they take matters into their own hands, enjoying the relative ease and accessibility of tools such as the free cloud sites Dropbox, Google Docs, and Apple’s iCloud to move and store documents and files. And who can blame them? These apps are free, easy to use, and in the case of iCloud, pretty much come bursting out of the screen, demanding to be used.

The Rise of BYOC and the Security Dilemma

This is all great for the home user or the small-business owner, for whom such reliable and ubiquitous services add another dimension of versatility and convenience. But it has much darker implications for larger organizations, for which security and compliance have always been major issues of concern. Chief Technology Officers (CTOs) and Chief Security Officers (CSOs) have their hands full trying to keep this particular Pandora’s Box under control.

This situation is a major source of concern for people such as Nimmy Reichenberg, Vice President, Marketing and Business Development for AlgoSec, a network security policy management company headquartered in Boston. He says Chief Security Officers should no longer be worried about the proliferation of Bring Your Own Device (BYOD) into the workforce; rather, they should be concerned with the inevitable data breaches that will occur as a result of employees bringing their own cloud computing software into the office, known as Bring Your Own Cloud (BYOC).

Current Security Posture and Cloud-Based Concerns

A recent survey commissioned by AlgoSec revealed that less than 20 percent of respondents said that the majority of their organization’s security controls are in the cloud. It was found that the larger the organization, the less likely it was to have cloud-based security. This, Reichenberg states, is likely because larger organizations are more sensitive when it comes to protecting their data and also have dedicated staff to manage security technology. This makes them less likely to have security controls in the cloud, whereas for smaller companies, the lower management overhead and pay-as-you-go or grow model are more attractive.

In other words, security continues to stay on-premises. And this has major implications for companies and for cloud service suppliers who wish to sell to them. Of course, the end user or employee eager to save time and effort by storing a draft confidential document on Dropbox, where they can pick it up later at the home office, will protest that all of these free BYOC services have clear and strong security policies. Reichenberg agrees, but adds that “we must differentiate between consumer-grade and enterprise-grade security. Many of the consumer-oriented cloud services may claim to be secure, but most do not include enterprise-based security controls required to adequately protect corporate data and meet compliance mandates.”

Risks and Compliance Challenges

Employees are oblivious to security by nature, and it is up to corporate IT and information security to define and enforce a policy that balances employee productivity and security. The risks exist across many dimensions. Malware, which can implant itself through the simple click of a mouse on a disguised phishing link, can put sensitive corporate information stored on BYOC at risk. Some recent well-publicized breaches at services such as Twitter and Evernote show that no one is immune from hackers’ prying fingers.

But in addition to malware, Reichenberg states that companies can face compliance challenges when it comes to information stored on services. Issues such as data retention and e-discovery become problematic. For example, he asks, “how do I ensure employees who leave the company no longer have access to internal company information if it is stored on BYOC?” This paints a picture of a horse-race, with IT, free cloud providers, end users, and bad guys all sprinting towards the finish line where data, or access to data, waits for the fleetest of foot.

Recommendations for Secure Implementation

Reichenberg recommends that those who govern their organization’s security take immediate steps to manage BYOC risks effectively. First, they should define and communicate a policy of what is acceptable when it comes to BYOC. This involves setting clear guidelines on what types of cloud services can be used and under what circumstances, ensuring that employees are well-informed about the potential risks and the importance of adhering to these guidelines.

Second, it is crucial to enforce this policy using tools such as Next Generation Firewalls. These more advanced firewalls are capable of monitoring and controlling outgoing and incoming network traffic based on predetermined security rules, and they can help ensure that only authorized cloud services are used. Third, organizations should evaluate enterprise-grade alternatives to some of the popular consumer-grade cloud services. This involves seeking out cloud service providers that offer robust security features designed specifically to meet the needs of large organizations.
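The enforcement step described above can be illustrated with a short policy check over egress records. This is an added example, not code from the article or from AlgoSec; the log format, user names, and the sanctioned host `files.corp.example` are constructed assumptions, and a real Next Generation Firewall expresses the same logic in its own rule language.

```python
# Added example: classify egress records against a BYOC policy.
# Log format, users and the sanctioned host are constructed assumptions.
from collections import defaultdict

# Consumer-grade services named in the article (uploads are blocked).
UNSANCTIONED = {"dropbox.com": "Dropbox", "docs.google.com": "Google Docs",
                "icloud.com": "iCloud"}
# Hypothetical enterprise-grade alternative approved by policy.
SANCTIONED = {"files.corp.example": "Corporate file share"}

# Constructed sample records: "user method host"
SAMPLE_LOG = """\
alice POST www.dropbox.com
bob GET docs.google.com
carol PUT files.corp.example
dave POST dropbox.com.cdn.example
erin POST notdropbox.com
alice PUT p01-content.icloud.com
"""

def match_service(host, table):
    """Return the service name if host is a listed domain or a subdomain
    of one; a plain substring test would misclassify look-alike hosts."""
    host = host.lower().rstrip(".")
    for domain, name in table.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None

def evaluate(line):
    """Classify one record as (user, verdict, service)."""
    user, method, host = line.split()
    approved = match_service(host, SANCTIONED)
    if approved:
        return user, "allow", approved
    service = match_service(host, UNSANCTIONED)
    if service and method in {"POST", "PUT"}:
        return user, "block", service   # data leaving to BYOC storage
    if service:
        return user, "alert", service   # read-only use: record, do not block
    return user, "allow", None          # host is outside both policy tables

def byoc_report(log_text):
    """Map each user to the unsanctioned services they tried to upload to."""
    report = defaultdict(set)
    for line in log_text.strip().splitlines():
        user, verdict, service = evaluate(line)
        if verdict == "block":
            report[user].add(service)
    return {user: sorted(names) for user, names in report.items()}
```

The per-user report also gives a starting list for the offboarding question raised earlier: which departing employees have been moving files to services the company does not control.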

Balancing Productivity with Security

A few generations ago, before the Internet became a household name and inter-office communication relied on manila envelopes covered in the scrawled names of every recipient, network security was a largely internal matter involving data tapes and mainframes. One key challenge for IT professionals of that time was that no matter how advanced the system, employees would often resort to saving time by jotting down their passwords on a piece of paper and sticking it under their keyboard. This method was discreet, convenient, and trouble-free.

Today, while Technology Officers and IT departments grapple with modern advancements like cloud storage and virtualization, employees still look for straightforward, efficient ways to complete their tasks. Many take matters into their own hands, leveraging the simplicity and accessibility of free cloud-based services like Dropbox, Google Docs, and Apple’s iCloud to transfer and store their documents and files. Given their ease of use and, in iCloud’s case, the almost intrusive prompts to utilize them, it’s hard to fault employees for seeking out these solutions.
