How 'bring your own cloud' could kill BYOD
How many personal cloud services can you name? If you can name more than five without performing an Internet search, then you clearly see the problem. But it's not in the sheer number of personal cloud options that presents a problem, it's their availability that does. Personal cloud services provide their users with an excellent avenue for storing files off-device for greater protection, automatic backup, and constant availability. However, these services are as great a detriment as they are an asset for BYOD dabblers. This new, "Bring Your Own Cloud" (BYOC) presents its unique set of problems for companies that want to adopt BYOD programs.
From the corporate viewpoint, personal cloud services provide another way for users to compromise security by storing important documents and data outside the company's walls. And that also means that those files are outside the control of corporate security.
In short, it's a very bad thing.
Personal cloud services are great for users but they drive corporate security folks crazy. Unfortunately, it isn't as simple as banning a particular port for some of these services. Many of the services are web based and cross-platform. Dropbox is perhaps the most famous such service that's available on every computing platform through apps and the web. It's almost impossible to stop someone from using Dropbox on corporate-owned devices or on personal ones.
Popular personal cloud services:
How many of these personal cloud services do you use?
Box
Dropbox
Google Drive
iCloud
SkyDrive
UbuntuOne.
Another problem that personal cloud services present is that they're free to use under a certain storage limit--usually between 2 and 5 gigabytes. Two gigabytes offers users a large cache of space to store hundreds of documents, photos, email messages, and raw data. Optimally, the space is for personal use but for the sake of convenience users may upload any document or file to which they have access. And that includes corporate-owned ones.
The problem with saving corporate files to public, personal cloud services isn't that companies are necessarily afraid of security breaches of those services, although that concern does crop up, it's that services such as UbuntuOne and Dropbox also make copies of uploaded files to other uncontrolled devices such as home computers.
When you upload a file to Dropbox, for example, the file is uploaded to Dropbox servers and then replicated onto your other Dropbox-connected computers. When I upload a photo onto my Dropbox account from my iPhone, that file is replicated to at least three other computers on my home network. If corporate files are uploaded to a Dropbox account from a BYOD phone, the files don't reside on the phone but they do get copied to the home computers.
That fact should raise a few eyebrows.
Your phone might be very secure. Your personal cloud service account might be locked tight with a great password. But how secure are your home computers? How up to date is that free antivirus program you're running? Do you scan for spyware on your home systems?
And you thought that the company you work for is just trying to hold you back or limit your personal freedoms in some horrible way. That really isn't the case at all. The fact is that uploading company-owned files to your personal cloud accounts puts you and your company at risk. They're trying to limit that risk to both of you and rightly so.
The solution to the problem is as complex as the problem itself.
It's impossible to tell users who bring their own devices not to use personal cloud services. It's very difficult to prevent users from using those services inside the corporate network. The company can ban the Internet sites, ban the app from the corporate MDM or MAM suite, and can even write policies that ban the use of personal cloud services for uploading and storing corporate files. But, as any good corporate security professional knows: People are very creative in bypassing security.
Users are always the weakest security link in an organization. People either inadvertently or purposely bypass security as a matter of fact. Personal cloud services make that process easy.
My hope is that BYOC doesn't destroy the hopes of those who really want to setup and use BYOD programs. I think that BYOD is a good thing for the company and the user alike. There's no reason why the two can't peacefully and securely coexist, if handled properly.
For a BYOD program to work, there has to be strict policy enforcement, compliant users, and a bit of trust. If any one of those are broken, your BYOD is in jeopardy of failure.
What do you think the solution is for BYOC and BYOD? Is there a solution? Talk back and let me know.