Time for a reality check: users in your organisation are already storing your corporate data on servers you don’t know about. Many will be using Dropbox, Box or OneDrive to more easily share files with each other. Some will be getting around security restrictions by sending files to their personal cloud email accounts. And if you’re not already using Google Docs, you can bet that at least one team in your business has signed up without telling you.
Organisations spend a lot of time and money trying to put controls in place to stop this behaviour. However, we believe they are focusing on the wrong thing. In 2015 you can’t block the internet, but you can try to understand the digital desire paths and take action to keep your data secure.
The following are four key recommendations to consider when reviewing your information security strategy.
Spend Less Time Fighting Shadow IT and More Time Understanding It
To control our data, we need to move away from a culture of controlling users and being the department of “no”. Shadow IT is not going away: it’s your users telling you that they have business needs not being met.
- Implement a good Data Loss Prevention (DLP) solution to enable monitoring of HTTP/HTTPS traffic going in and out of your network
- Proactively monitor the network and capture data on unofficial services being used (e.g. Dropbox)
- Conduct user research with users using shadow systems to understand why they are being used, and really listen: telling them that the corporate solution should be good enough won’t cut it
- Add the service, or a close alternative, to your official controlled application list and apply security and data controls
- Test with users to make sure they are happy to drop the shadow application they had been using
- Repeat: this is not a one-off exercise but something you will need to do constantly
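The monitoring step in the list above can start as a simple summary of web proxy logs. The following is an added example, not part of the original article: the log format, the domain catalogue and the sanctioned list are constructed assumptions, and the output ranks unofficial services by how many distinct users rely on them.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalogue: domain suffix -> service (services named in the article).
CLOUD_SERVICES = {
    "dropbox.com": "Dropbox",
    "box.com": "Box",
    "onedrive.live.com": "OneDrive",
    "docs.google.com": "Google Docs",
}
SANCTIONED = {"OneDrive"}  # hypothetical official application list

# Constructed sample log: timestamp user method target bytes_sent_by_client
SAMPLE_LOG = """\
2015-03-02T09:14:01Z alice POST https://content.dropbox.com/upload 5242880
2015-03-02T09:15:40Z bob CONNECT www.dropbox.com:443 1048576
2015-03-02T09:20:12Z carol PUT https://upload.box.com/api/files 2097152
2015-03-02T09:21:00Z alice GET https://onedrive.live.com/view 812
2015-03-02T09:22:31Z dave GET https://notdropbox.com/ 400
2015-03-02T09:25:09Z alice POST https://docs.google.com/document/save 20480
malformed line
"""

def classify(host):
    """Map a hostname to a catalogued service, matching on label boundaries."""
    host = host.lower().rstrip(".")
    for suffix, name in CLOUD_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def shadow_usage(log_text):
    """Return (service, users, bytes_sent) for unsanctioned services, busiest first."""
    usage = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not fit the assumed format
        _, user, _, target, sent = parts
        # CONNECT lines carry host:port only (no TLS inspection); add "//" so urlsplit parses them.
        host = urlsplit(target if "://" in target else "//" + target).hostname or ""
        service = classify(host)
        if service is None or service in SANCTIONED:
            continue
        usage[service]["users"].add(user)
        usage[service]["bytes"] += int(sent)
    rows = [(s, sorted(u["users"]), u["bytes"]) for s, u in usage.items()]
    return sorted(rows, key=lambda r: (-len(r[1]), -r[2]))

if __name__ == "__main__":
    for service, users, sent in shadow_usage(SAMPLE_LOG):
        print(f"{service}: {len(users)} users, {sent} bytes sent ({', '.join(users)})")
```

The user names in each row are the people to approach for the user research step, and rerunning the summary on a schedule supports the "repeat" step.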
Get the Basics Right
Cloud security experts assert that the biggest risk is misuse of legitimate admin credentials to compromise the confidentiality of your data. Getting this and a few other basics right will reduce the risk of a security breach. Basics include:
- Least-privilege access rights across all services
- Role-based access controls with secure audit logging
- Clear segregation of duties across tiers (e.g. server, OS, database, application)
- Implementing named accounts only
- Two-factor authentication mandated across all cloud services (this is crucial to prevent spear phishing attacks)
- Enforced TLS encryption for all data in transit to and from cloud services
- Controls over cloud service identity federation
Create a Policy of Sensible Security
Information security is often shrouded in technical language, complex threat logic and a position at the top of the hierarchy: security almost always trumps user needs. A typical consequence of this lack of transparency is an overemphasis on risk elimination, which results in expensive, over-engineered security controls that degrade the functionality and usability of IT systems. This in turn leads to an expansion of shadow IT over which you have no control. To implement a Sensible Security policy, you should:
- Write in clear, plain English: everyone should be able to understand it
- Always have a clear line of sight between threat and mitigation
- Treat user needs and security needs as equal, and not always in conflict
- Articulate the risks of your systems expressed as how they will impact the business
- Describe (again, in plain English) how these risks will be mitigated
- Clearly state what residual risks remain that are agreed to be manageable and within the risk appetite of your organization
Educate Your Users
Many of your users will already understand the basics of data security from their private digital lives. People are learning to switch on two-factor authentication on services like Gmail and Twitter and understand that they can’t access internet banking without their mobile or dongle.
However, in a work environment, heavy security controls and restrictions put the burden of responsibility on the organisation, not the individual.
- Establish engaging, multichannel training sessions for your staff to teach them the basics of handling data
- Target control of your data “crown jewels” first: users who have access to DPA or PCI compliant data sources need to be taught how to keep that data safe
- Avoid one-size-fits-all training approaches: some users have learning styles suited to mandated e-learning courses but many do not. A one-size-fits-all approach risks giving you a false impression of the level of education across the organisation
- Don’t patronise your users: they probably get it, but need to understand why these things matter
- And finally, listen as well as teach: ask your users why they might need to use personal cloud services to store your sensitive data