Want to know what keeps me, my company's go-to security guy, awake at night? Many things, I can assure you, but lately the No. 1 threat to a good night's sleep has been the proliferation of Software as a Service at my company (SaaS).
At issue: One of the company's business units has started to give its employees access to storage via the Internet.
Action plan: Put the kibosh on that and make sure no one else can use cloud storage until vendors address the security risks.
What makes it nightmarish for me is what makes it so attractive to just about everyone else: It's so easy for anyone with a credit card to spin up a new architecture with a few clicks of a mouse. And it can be done with little to no visibility, as long as there is no need to integrate it with other IT systems.
Case in point: A business unit recently sprang for storage in the cloud for its employees. I might not have found out about it at all, but I ran into someone in the cafeteria who told me he was concerned that sensitive data might be exposed because of this arrangement. (This isn't the first time I've learned something startling in the cafeteria. Brown-bagging it could adversely affect my career.)
In the old days, if you wanted to add servers, extra storage infrastructure or other data center resources, you had to purchase a server, unpack a box, roll the new unit into the data center, attach rail kits, insert new drives, and add power and Ethernet. It was the sort of thing that got noticed, so it was fairly easy to make sure that everything was done according to guidelines.
I actually like the idea of storing data in the cloud. It sure saves money, and it offers quite a bit of flexibility in terms of the availability of data. But that easy availability becomes a liability if there's any chance that sensitive data could be involved.
Once data has been moved to a cloud storage service, it can be accessed from almost any PC or mobile device. Again, that convenience is a major selling point, but if the data is something that the company cannot afford to have jeopardized, then the ease of access is a legal, security and HR nightmare.
Not wanting more sleepless nights, I immediately alerted my firewall guy, who pulled up a report on the accessing of personal cloud storage sites from corporate locations that are monitored. As it turns out, cloud storage sites were being accessed quite often. That was alarming, but when we took a closer look, we saw that most of the cloud storage activity involved personal photos, music and videos. Fine; cloud storage is ideal for that sort of thing, and it keeps all that personal data from hogging space on our servers via employees' network-share H: drives. But some sensitive data, including strategic product road maps, had been transferred.
Pulling the plug
That was all I needed to see to convince me that I had to pull the plug on the cloud storage initiative until we can figure out a way to properly protect data.
Some vendors have made progress in this area, but so far, none meet my requirements, which include limiting access to restricted company resources. I don't want employees downloading data to an Internet kiosk in, say, Cancun. I checked in with Legal and then decided to block access to the entire category of personal storage sites by reconfiguring the content-filtering functionality of our new firewalls. (We had to make a few exceptions that would allow us to continue sharing data with partners, but those exceptions were few and far between.)
I'll be keeping my eye on the fast-changing cloud storage industry, and when I find a vendor that satisfactorily addresses the security risks, I will reconsider our stance. But for now, we're keeping our storage capacity in-house, where we can keep an eye on our data.
This opinion piece is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.