What you will learn in this tip: Online or cloud backup services are seen as a quick and easy way to back up personal files. But more and more employees
Online computer backup services such as Carbonite, EMC Corp.'s Mozy and Dropbox are all the rage these days. These services are appealing because they solve the problems of maintaining onsite backups, or of not having the resources to manage backups at all.
You may be thinking that these online computer backup services don't affect your business. But you may not know that users are running these programs on their work computers to back up their "systems," including personal and business data. And until you know for sure that these programs aren't being used in your environment, there are numerous security and compliance risks as shown in "Figure 1: Security and compliance risks related to online computer backup" below.
Figure 1: Security and compliance risks related to online computer backup usage
The online data backup services themselves aren't the problem. It's the simple fact that they're being used on your network without anyone's consent. IT is often out of the loop. Ditto for internal audit. I've even spoken with backup administrators who've said they had no idea their users were performing backups on their behalf. Perhaps worst of all, management is often oblivious to the business risks that include confidential customer data mishandling, intellectual property exposure, and quite possibly contract and compliance violations.
Online computer backup services: Important questions to ask
Here are a few questions to ponder regarding the personal usage of online computer backup services in your environment:
- Does your business have an acceptable usage policy that covers the installation and use of such software/services?
- Are your employees qualified to review the privacy policies and other terms and conditions regarding the handling of your business information that's undoubtedly shipped off-site?
- Is your legal team plugged into information security and privacy enough to know that business information covered under contract or compliance regulations is being handled this way?
- How does data labeling, data retention and data destruction play into all of this?
- Should you provide an alternative? Do you back up locally stored files, especially for mobile or remote workers?
I bring these issues up to point out the risks associated with users sharing sensitive business information with these third-party data backup and file sharing services. You have to consider the situation of a data breach and subsequent investigation. Good lawyers and expert witnesses will know to ask questions around how information is managed in your organization and the specific steps you've taken to keep it reasonably secure.
Gain control of online backup security
You cannot secure what you don't acknowledge. As the person in charge of managing data backups and ensuring the whereabouts and integrity of this data, you're going to have to get plugged into these cloud backup and file sharing services. Even if it's a security-centric problem, it still affects how you manage backups. Here are four things you can do right now to gain control of online backup security:
- Work with your network administrator to monitor traffic patterns going to these vendor sites.
- Work with your desktop administrator to perform a software audit to see which of these applications are running on each of your computer systems and your mobile devices (Dropbox, for instance, runs on iPhone, iPad, BlackBerry and Android).
- Work with management and legal -- ideally a formal security committee that includes these people -- and determine how you're going to handle this.
- Based on your risks, put the appropriate policies in place and use the necessary technologies to keep things in check.
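The first two steps above (watching traffic to the vendor sites and auditing installed software) can be combined into one report so that IT, audit and the backup team see the same evidence. The following script is an added example, not part of the original article or any vendor's tooling. It assumes a simple space-separated proxy log and a comma-separated software inventory, both constructed here as sample data, and it uses a short, assumed list of vendor domains and client names that an administrator would replace with their own watch list.

```python
"""Added example (not from the original article): correlate web-proxy log
lines with a desktop software inventory to find workstations that are using
consumer online-backup / file-sharing services without IT's knowledge.

Assumptions (labelled): the log format, the inventory format and the two
indicator lists below are constructed for this example; an administrator
would substitute a real proxy export, inventory-tool output and their own
list of services to watch.
"""
from collections import defaultdict
import re

# Vendor domains to watch for (assumed list; extend from your own review).
BACKUP_SERVICE_DOMAINS = {
    "carbonite.com": "Carbonite",
    "mozy.com": "Mozy",
    "dropbox.com": "Dropbox",
}

# Substrings in installed-application names that indicate a client (assumed).
BACKUP_SERVICE_APPS = {
    "carbonite": "Carbonite",
    "mozy": "Mozy",
    "dropbox": "Dropbox",
}

# Constructed sample proxy log: timestamp, client host, destination host, bytes sent.
SAMPLE_PROXY_LOG = """\
2010-10-04T08:12:01 ws-finance-07 api.dropbox.com 5242880
2010-10-04T08:12:05 ws-finance-07 www.intranet.example 1024
2010-10-04T08:13:10 ws-legal-02 backup.carbonite.com 104857600
2010-10-04T08:14:22 ws-sales-11 www.example.com 2048
2010-10-04T08:15:00 ws-legal-02 www.mozy.com 20480
"""

# Constructed sample software inventory: host, installed application name.
SAMPLE_INVENTORY = """\
ws-finance-07,Dropbox 1.0.10
ws-finance-07,Microsoft Office 2007
ws-sales-11,Mozy Home 2.0
ws-hr-03,Adobe Reader 9
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def service_for_host(dest_host):
    """Return the vendor name if dest_host is a watched domain or a subdomain of one."""
    host = dest_host.lower().rstrip(".")
    for domain, vendor in BACKUP_SERVICE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return vendor
    return None


def parse_proxy_log(text):
    """Yield (client, vendor, bytes_sent) for log lines that reach a watched vendor."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the audit
        _ts, client, dest, sent = m.groups()
        vendor = service_for_host(dest)
        if vendor:
            yield client, vendor, int(sent)


def parse_inventory(text):
    """Yield (host, vendor) for inventory rows naming a watched client application."""
    for line in text.splitlines():
        if "," not in line:
            continue
        host, app = line.split(",", 1)
        app_lower = app.lower()
        for needle, vendor in BACKUP_SERVICE_APPS.items():
            if needle in app_lower:
                yield host.strip(), vendor


def build_report(proxy_text, inventory_text):
    """Merge both evidence sources into {host: {vendor: {"bytes": n, "installed": bool}}}.

    A host appears if either source implicates it, so a client that is installed
    but idle, or traffic from a client the inventory missed, both show up.
    """
    report = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "installed": False}))
    for client, vendor, sent in parse_proxy_log(proxy_text):
        report[client][vendor]["bytes"] += sent
    for host, vendor in parse_inventory(inventory_text):
        report[host][vendor]["installed"] = True
    return {host: dict(vendors) for host, vendors in report.items()}


if __name__ == "__main__":
    for host, vendors in sorted(build_report(SAMPLE_PROXY_LOG, SAMPLE_INVENTORY).items()):
        for vendor, evidence in sorted(vendors.items()):
            print(f"{host}: {vendor} installed={evidence['installed']} "
                  f"bytes_uploaded={evidence['bytes']}")
```

On the sample data the report shows one host where the inventory and the proxy log agree (Dropbox on ws-finance-07), one host uploading to two vendors with no client in the inventory (ws-legal-02, worth a closer look at the inventory tool's coverage), and one host with a client installed but no traffic yet (ws-sales-11). That gap between the two sources is exactly why both checks are worth running rather than either alone.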
The obvious solution may seem to be simply blocking these applications at the network perimeter or on the desktop. However, if you've ever gone down the path of blocking such applications, you know how painfully difficult it is. Even if you provide backup services at the workstation level (something rarely done because of the storage requirements and the inherent difficulties of doing so with a mobile workforce), users are still going to use such backup and file sharing services. After all, in many cases they're doing this for themselves and not for the betterment of the business.
Some people may argue that many of these applications are for personal use and don't really affect the business. I believe that if these services are running on computers that store or process business information (including personal smartphones and computers at home) then it's a business problem that needs to fall under the umbrella of business oversight and control. Otherwise, you're going to have a Wild West-like environment that's treading on thin ice. As Ayn Rand said, "We can evade reality, but we cannot evade the consequences of evading reality." Something needs to be done before something bad happens.
About the author: Kevin Beaver is an information security consultant, expert witness, author and speaker with Atlanta-based Principle Logic, LLC. With over 21 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around compliance and minimizing information risks. He has authored/co-authored eight books on information security including the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com and follow him on Twitter at @kevinbeaver.
This was first published in October 2010