I've discussed the increasing popularity of Apple's new iPad 2 and other tablet PCs, and their ability to blur the distinction between home and business applications. And I've looked at how these and other BYO (bring your own) devices are moving further beyond the reach of the corporate network's rules and regulations, opening organisations to potentially catastrophic security breaches.
Another new development in the IT firmament is adding to this impetus. This is the proliferation of cloud-based data storage facilities, the operators of which allow users to store documents, photos and videos on their sites, which can then be shared by anyone using a computer, iPad or smartphone.
One of the sites, Dropbox, has more than 25 million members who store more than 200 million files every day - more files than there are daily tweets on Twitter.
Evil inclinations
While those with altruistic intentions use the sites to store or share school or work-related projects, or even - as the Dropbox site confirms - co-ordinate disaster relief, those with malicious intent will use the sites to store sensitive company information, which can be accessed by them, or their accomplices, at any time for their less-than-admirable activities.
These sites make it easy: users can have anything from 1GB of storage space free, to 100GB if they're prepared to pay a small sum of money.
There are many ways in which users, and those with authorisation, access the sites. There are applications that reside on the desktop or on any mobile device, or they can be accessed via the Internet.
Easy as pie
Andy Robb is chief technology officer at Duxbury Networking.
In days gone by, an employee looking to take sensitive material off-site would smuggle out a memory stick or CD-ROM disk containing the data. This is no longer necessary.
“Wait a minute,” you say. “One of the value-added benefits these sites offer is security. Encrypted data is sent via SSL [Secure Sockets Layer] technology and there is secure VPN [virtual private network] technology involved....”
Yes, this may be so, but the Achilles heel common to all these sites is that organisations have no visibility and no control over what data may be loaded onto them by rogue employees. Neither will the company have any knowledge of to whom access to this information is granted down the line.
Cloud-based storage is completely rewriting the security manuals for many companies and changing the way they view BYO devices linked to the network.
Perhaps surprisingly, these sites are also impacting on the available bandwidth in many organisations. With many storage sites dedicated to music and videos, it has been found that users are increasingly downloading songs and video clips onto the corporate network to be accessed by employees.
Is there a solution? VDI - virtual desktop infrastructure - will go some way to addressing the problem. VDI technology separates a personal computer desktop environment from a physical machine using a client-server or server-based computing model. Importantly, the model dictates that the 'virtualised' desktop is stored on a remote central server, and not on the local storage repository of a remote client.
However, for companies with legacy systems and network infrastructures from only a few years ago, the introduction of solutions such as VDI may prove to be difficult in the short term.
For them, it's best to fall back on the same security 'policies and procedures' that were introduced five or 10 years ago. It's true that many of these have fallen into disuse or have been neglected because they don't seem relevant any more.
But they are relevant, as the old adage says, to ensure the right people have the right access to the right information at the right time.
Discarded employee handbooks, unopened for many years, need to be dusted off and their wise prescriptions reintroduced, maybe with a bit of tweaking here and there.
While this may seem cold comfort, it's proven that by going back to basics, corporates will be able to plug most of their security leaks and flush out the majority of illicit 'moles'. The principles still apply, despite changes in access methods and the location of data sources.
These principles include checks on the legitimacy of employees to access certain systems - sales people shouldn't have access to financial data, for example - and the disabling of the corporate WiFi infrastructure after hours and a myriad other significant policies that still have currency in today's world.