Data classification key to personal cloud use in enterprise

Controlling the types of data allowed to be shared on public personal cloud services is a step in ensuring sensitive data is kept secret, say market players.
Written by Liau Yun Qing, Contributor

To prepare the company for personal cloud services, IT departments need to classify data to ensure only non-sensitive information can be stored on external cloud storage, or they would need to source public cloud storage services with enterprise-level protection, say security players.

According to Vic Mankotia, vice president of security for Asia-Pacific and Japan at CA Technologies, companies can use an automated data classification engine to classify data so that sensitive data cannot be stored to a third-party service.

He added that risk-based authentication should be used to access data from the public cloud storage environment so that the right information is stored and accessed by the right people.

"Unlike traditional security solutions which control information access with a simple 'Yes or No' privilege, there are now content-aware forms of identity and access management tools which can control how information is used," he said. Elaborating, he said with such a service, a user may be able to read data from the public cloud but may not be allowed to save it onto the company server or vice versa.

Similarly, Jon Andresen, Asia-Pacific region technology evangelist at Blue Coat Systems, noted that IT departments will need to focus on Web security by scanning all Web traffic, including encrypted and compressed files, that is going to and coming from the public cloud services. He suggested that companies adopt a secure Web gateway service to complement their existing network security protection such as firewalls and intrusion prevention systems (IPS).

On top of that, he noted that users need to have malware, spyware and phishing protection and a cloud Web security service that can scan all types of traffic. Cloud Web security services can help in cases where the device, such as an Apple iPad, does not have antivirus scanning capabilities, he added.

Blocking public cloud storage not advisable

Personal cloud storage services such as Dropbox, Apple's MobileMe, Evernote, Microsoft SkyDrive and the recently launched Google Drive allow users to sync their files on different devices by uploading files onto the online storage system.

"Employees are likely to take advantage of the convenience of public cloud storage in the enterprise if they can. This will enable them to be more productive with various devices and allow them to work at home," said Mankotia. Companies should not ban such services as it might force employees to find "ever-more creative ways to circumvent the system", he added.

Instead, he recommended that companies allow an enterprise-approved public cloud storage service to provide the same conveniences but in a safe way or find ways to limit the type of corporate information that can be saved onto publicly available services.

Richard Edwards, principal analyst at Ovum, also supported the adoption of business-grade cloud drive and collaboration services. In a statement, he noted that services such as Box and Huddle include management and administration capabilities that are essential from a compliance and audit perspective for an enterprise.

Mankotia added that educating users is also an important step. "Once they understand the repercussions of losing sensitive data through public cloud services, employees are typically quite happy to use company-approved ways of sharing and accessing data," he said.
