How 'bring your own cloud' could kill BYOD

Summary: Personal cloud services are convenient, inexpensive, always available, and on the brink of destroying the entire BYOD movement.


How many personal cloud services can you name? If you can name more than five without an Internet search, you already see the problem. The problem isn't the sheer number of personal cloud options, it's their availability. Personal cloud services give users an excellent way to store files off-device for greater protection, automatic backup, and constant availability. However, for companies dabbling in BYOD, these services are as much a liability as an asset. This "Bring Your Own Cloud" (BYOC) presents its own set of problems for companies that want to adopt BYOD programs.

From the corporate viewpoint, personal cloud services give users another way to compromise security: storing important documents and data outside the company's walls, and therefore outside the control of corporate security.

In short, it's a very bad thing.

Personal cloud services are great for users, but they drive corporate security folks crazy. Unfortunately, it isn't as simple as blocking a port at the firewall: most of these services run over HTTPS on port 443, indistinguishable from ordinary web traffic, and they're cross-platform. Dropbox is perhaps the most famous example, available on every computing platform through apps and the web. It's almost impossible to stop someone from using Dropbox on corporate-owned devices, let alone personal ones.

Popular personal cloud services:

How many of these personal cloud services do you use?

  • Box

  • Dropbox

  • Google Drive

  • iCloud

  • SkyDrive

  • Ubuntu One

Another problem with personal cloud services is that they're free to use up to a certain storage limit, usually between 2 and 5 gigabytes. Even two gigabytes is enough to hold hundreds of documents, photos, email messages, and raw data files. Ideally, that space is for personal use, but for the sake of convenience users will upload any document or file they have access to. And that includes corporate-owned ones.

The problem with saving corporate files to public, personal cloud services isn't only that companies fear a security breach of those services, although that concern does come up. It's that services such as Ubuntu One and Dropbox also replicate uploaded files onto other uncontrolled devices, such as home computers.

When you upload a file to Dropbox, for example, the file goes to Dropbox's servers and is then replicated onto every other computer running the Dropbox sync client under your account. When I upload a photo to my Dropbox account from my iPhone, that file is replicated to at least three other computers on my home network. If corporate files are uploaded to a Dropbox account from a BYOD phone, the files aren't mirrored onto the phone, but they do get copied to the home computers.

That fact should raise a few eyebrows.

Your phone might be very secure, and your personal cloud account might be locked down with a strong password. But how secure are your home computers? How current is that free antivirus program you're running? Do you scan your home systems for spyware?

And you thought the company you work for was just trying to hold you back or limit your personal freedom in some horrible way. That really isn't the case at all. The fact is that uploading company-owned files to your personal cloud accounts puts both you and your company at risk. They're trying to limit that risk to both of you, and rightly so.

The solution to the problem is as complex as the problem itself.

It's impractical to tell users who bring their own devices not to use personal cloud services, and very difficult to prevent them from using those services inside the corporate network. The company can block the sites at the web proxy or firewall, ban the apps through its MDM or MAM suite, and write policies that prohibit uploading or storing corporate files on personal cloud services. But, as any good corporate security professional knows, people are very creative at bypassing security.
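Since port blocking doesn't work against web-based services, the practical control most shops end up with is the web proxy: block or at least log requests to known personal cloud domains, and separate "someone browsed to Dropbox" from "someone pushed a large request body to Dropbox." The following is an added example, not code from the article or from any of the services named in it. It assumes a proxy log with space-separated fields (timestamp, client IP, user, method, URL, status, request bytes, response bytes); the domain list is illustrative rather than a complete catalogue, and the log lines are constructed for the example.

```python
"""Flag personal-cloud traffic in web-proxy logs (added example, not from the article).

Assumed log format (not a real product's format):
    timestamp client_ip user method url status req_bytes resp_bytes
where req_bytes is the size of the client's request body.
"""
import re
from urllib.parse import urlsplit

# Illustrative list only. Real deployments pull this from a maintained
# URL-category feed, because services add domains and CDN hosts constantly.
PERSONAL_CLOUD_DOMAINS = {
    "dropbox.com": "Dropbox",
    "dropboxusercontent.com": "Dropbox",
    "box.com": "Box",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "icloud.com": "iCloud",
    "skydrive.live.com": "SkyDrive",
    "one.ubuntu.com": "Ubuntu One",
}

UPLOAD_METHODS = {"POST", "PUT"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<req>\d+) (?P<resp>\d+)$"
)

# Constructed sample log for the example; hosts are made up except the
# registrable domains in the table above.
SAMPLE_LOG = """\
2013-02-04T09:12:01Z 10.1.2.3 jdoe GET https://www.dropbox.com/home 200 412 18822
2013-02-04T09:12:40Z 10.1.2.3 jdoe POST https://dl-web.dropbox.com/upload_file 200 4194304 512
2013-02-04T09:13:05Z 10.1.2.9 asmith GET https://intranet.example.com/report.pdf 200 380 2097152
2013-02-04T09:14:11Z 10.1.2.7 bnguyen PUT https://docs.google.com/upload/drive 200 1048576 220
2013-02-04T09:15:00Z 10.1.2.7 bnguyen GET https://www.notdropbox.com/ 200 300 1024
"""


def classify_host(host):
    """Return the service name if host is a listed domain or a subdomain of
    one, else None. Matching walks label boundaries, so 'notdropbox.com' is
    not mistaken for 'dropbox.com' the way a substring check would."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PERSONAL_CLOUD_DOMAINS:
            return PERSONAL_CLOUD_DOMAINS[candidate]
    return None


def parse_line(line):
    """Parse one log line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["req"] = int(rec["req"])
    rec["resp"] = int(rec["resp"])
    return rec


def find_cloud_activity(lines, min_upload_bytes=10_000):
    """Return one finding per request to a personal cloud service.

    kind is 'upload' for POST/PUT with a request body of at least
    min_upload_bytes, otherwise 'view', so an analyst can separate
    'used the site' from 'moved data out'."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = classify_host(urlsplit(rec["url"]).hostname or "")
        if service is None:
            continue
        is_upload = rec["method"] in UPLOAD_METHODS and rec["req"] >= min_upload_bytes
        findings.append({
            "user": rec["user"],
            "client": rec["client"],
            "service": service,
            "kind": "upload" if is_upload else "view",
            "bytes": rec["req"],
        })
    return findings


if __name__ == "__main__":
    for f in find_cloud_activity(SAMPLE_LOG.splitlines()):
        print(f"{f['user']:<8} {f['client']:<10} {f['service']:<13} {f['kind']:<7} {f['bytes']}")
```

Two caveats apply to anything built on this. The method and URL path are only visible if the proxy terminates TLS; without interception you see a CONNECT to the hostname and the byte counts, which is still enough to spot a large outbound transfer. And the proxy only sees what is routed through it: a BYOD phone on its own carrier data plan, or a sync client pointed at an endpoint not on the list, never shows up here, which is the author's point about creative users.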

Users are always the weakest security link in an organization. People bypass security, inadvertently or on purpose, as a matter of course. Personal cloud services make that easy.

My hope is that BYOC doesn't destroy the hopes of those who really want to set up and use BYOD programs. I think BYOD is a good thing for the company and the user alike. There's no reason the two can't coexist peacefully and securely, if handled properly.

For a BYOD program to work, there has to be strict policy enforcement, compliant users, and a bit of trust. If any one of those is missing, your BYOD program is in jeopardy.

What do you think the solution is for BYOC and BYOD? Is there a solution? Talk back and let me know.



Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.



  • Floppy, CD, DVD and now Clouds

    Nothing's changed. How did you write 500 words about this?
    • well,...

      I was looking for creative reader comments. Still looking.
    • Floppy/CD/DVD don't share the exposure of cloud storage

      The cloud storage is always available and it is potentially available to anyone with an internet connection.
  • It's a very good point.

    At work I can't think how many times I've had to tell people, "If they catch Dropbox on there they will fire you"... Blank face.

    "Hey, I set up Evernote yesterday, but this morning it is gone?" At which point you have to politely refer them to their employment contract whilst they have a go at you down the phone for deleting their programs (the machine does that itself) right up until they hear "gross misconduct"

    I do understand it, really I do. To the end user what is the difference between that time you got praised for taking the "whatever report" home on your laptop and crunching the numbers and getting a rollicking for doing the same thing by uploading it to gdrive and accessing it at home? To the company it can be huge. It depends of course on their sensitive information classification and rules.

    Where I work it is serious, and very black and white; in the first instance you copied it to your IT approved laptop (hopefully) and were very productive. In instance two, as far as they are concerned, you copied their intellectual or information property and handed it over to another company without permission. Seems different phrased that way doesn't it?

    There's been a few Evernote and Dropbox instances we've reported up; usually it's just a case of scaring them into not doing it again. I've only known one instance of someone losing their job; they were using Hotmail as online storage, attaching and emailing to themselves to access anywhere. They really didn't have any idea how serious it was, unfortunately.
    • The policy is pointless

      And how is this different than simply emailing the document to home and/or logging into yahoo or gmail and uploading it there? Unless you block all attachments from leaving the corp. network, you've got a hole and if the employee can connect a usb drive, then the document just left your control. For that matter, as soon as the laptop leaves the building, you lost control. Drives can be removed. Yes, this requires more work and arguably malicious intent, but it's very doable.

      And what about phones? Does the phone connect to corporate email? If so, they can download an internal document to their phone, then upload it to their personal email and then download it to the home computer.
      The illusion of document security: this isn't a new problem, and I've yet to see a place that truly protects its docs like that, though I assume certain government agencies lock things down more than others (though apparently not the Pentagon).
      • It's about balance.

        I'm hardly the head of internal security; my bosses are happy as long as I keep all my servers updated and, more importantly, up and running. However, even I can tell you that I can achieve relative security lockdown by just putting each client unit in a welded lead box with just a mouse, keyboard and screen sticking out. Trouble is, you aren't going to have a very productive team. It's why there are levels of access: who can access which servers, networks, drives; what ports different PCs can use; what sites are accessible and which are not; which machines have external and internal access. However, different roles in the company have different needs, not just in security but also in access. It's the hardest aspect of corporate e-security: being required to make the company security systems foolproof whilst at the same time having to work around the tasks people actually have to do. As the article says, users will always find loopholes.

        My favourite would be a colleague catching someone photographing their screen with their smartphone; they had one of those text capture apps and had forgotten their USB key.

        The reason that users should worry more about the policy side of things is that companies know you could always slip a sheet of paper into your pocket and walk out the door. Can't stop that without some pretty long strip-search queues at 5:30. So they use good old fear: zero tolerance and potential prosecution.
        • "As the article says users will always find loop holes."

          And these users are the very ones who are the most dedicated and the most productive. Finding the balance between locking them out and getting the most from those who have the most to give is very difficult.

          You can't prevent intentional data theft by limiting BYO Cloud on employees' BYO Devices. As has been said here, there's always USB or the copy machine.
    • Sure, and who are the worst offenders?

      I'll bet it's the top executives.

      The only way to prevent this is

      a) to fire everyone who violates the policy, no matter how ignorant they are of technology and how vital they are to the company,

      b) to provide first-rate equipment at work and kill any expectation that employees work beyond work hours, or

      c) to provide first rate equipment at home along with a corporate VPN.

      Provide employees with equipment inferior to their own personal equipment, expect them to work after hours, and the most dedicated will be the worst offenders.
  • Poor end-user security....

    In my company, most end users are restricted from installing software on their PCs (i.e. no local admin access), so they cannot install the Dropbox sync software. I haven't tried to access Dropbox from work, but I use SkyDrive. I can access my files and edit them in the web apps, but I cannot upload anything. If I were to bring my laptop to work to use it, I would need to access our secure BYOD WiFi, then still "remote" in with my RSA token through the Juniper software (just as I would from home). From there, we either access a generic desktop, or our work PCs. Anyway, there is no way to download or upload files to/from our personal machines to the corporate network when remoted in. If you can, that is just poor security design over end-user access.
    • Wow

      You guys are so special. You have things locked up tight, huh? So people can't email files or insert any USB devices, CD-Rs etc., huh?
      • I guess you didn't get the security memo

        - email can be EASILY blocked and filtered
        - USB access can be disabled at the OS and/or BIOS level
        - same for CD/DVD (if the company doesn't physically remove it)

        So what was your point??
        • So . . .

          . . . you pretty much just ban personal devices. A good plan, but it doesn't work if they can connect remotely with personal equipment. You may think you've closed every hole, but once it's on my personal computer, I do have access to it, just like I have access to the "protected" data on a DVD. If I can see it on my personal computer display, it's left your control.

          If you allow remote connections with personal equipment, loyal, informed employees are the only real security you can ever have.
      • Actually yes

        - Corp firewalls block 'web storage' sites from browsing
        - No local admin and sweeps to remove unapproved packages
        - USB ports configured R/O
        - Optical drives in laptops are DVD-ROM only
  • Make the personal cloud the company cloud

    If a company were to provide cloud service to its employees then it could control what other devices could be connected to the account. Storage is cheap, and by maintaining that storage within the company, it can also be secure. Dropbox can selectively sync only certain folders to certain devices. It shouldn't be difficult to duplicate a feature like that only with the choice made at the providers end.
    • Personal Cloud vs. Private Cloud

      MSFT as an example... prohibits (in policy only) employees and contingent staff from using SkyDrive. Instead they provide every staff member with a SkyDrive Pro account automatically, managed through AD. This way the staff have access to Office and OneNote on their phones, Surface tablets and laptops. Devs of course are not allowed laptops for coding, so no issues there.
  • Blocking Cloud Providers

    Since a lot of our data falls under various privacy laws (especially on the law enforcement side), we have plans to block all access to public storage providers at the firewall. The only one that will be allowed will be one we have contracted with that will guarantee CJIS and HIPAA compatibility. Employees are using some public providers now, but they will be in for a surprise very shortly. You can't break the law just for a bit of convenience.
    • I would actually fire the irresponsible people

      If they are so ignorantly irresponsible and lazy, they have no business working with me.

      And once they show that level of irresponsibility, they are more likely to continue to be irresponsible.
      • Security issues are ALWAYS bypassed with current cell phone designs.

        Sorry about that absolute statement but consider the following example.

        My corporate career was spent at a North American Automotive manufacturing company. Their Corporate Headquarters had a very well known policy of prohibiting cell phones with cameras. (In theory, this would prevent unauthorized photographs of pre-released vehicles from becoming public knowledge - among other obvious security concerns.)

        That Corporate Headquarters was home to 15,000 employees on a daily basis and "heaven knows" how many third party vendor reps.

        How many smartphones with camera sub systems were ever confiscated or detained at each of the buildings main entrance desk areas?

        Needless to say, BYOD security concerns have long existed before cloud storage systems became generally available.

        I suspect wackoae's zero tolerance employee termination policy for security breaches is the only counter to security concerns. It is NOT a pro-active policy unfortunately but it is the only viable one that I can see.
      • How do you fire management?

        You know the ones not knowing anything about anything at all but some moron has given them authority over those that actually work for a living.

        The ones making security policies that prevent people from being able to do their job properly, how is it you get those idiots fired?
        Reality Bites