BYOD exposes the perils of Cloud storage

It's risky to keep corporate data on consumer-oriented Cloud storage systems, according to IT executives and analyst

The dangers of using consumer Cloud storage systems became clearer earlier this month, when a hacker claimed that he accessed presidential candidate Mitt Romney's Dropbox storage and email accounts using an easily cracked password.

The apparent hack of Romney's accounts came on the heels of IBM's rollout of a bring-your-own-device (BYOD) policy that bans the use of Dropbox due to concerns that hackers could easily access sensitive information stored there.

Such examples make it clear that it's risky to keep corporate data on consumer-oriented Cloud storage systems, say IT executives and analysts.

"IBM has the world's biggest BYOD program, and they just locked down Evernote and Dropbox because they discovered their future product plans and all sorts of really sensitive data was being beamed automatically out to these services," said Dion Hinchcliffe, an executive vice president at IT consulting firm Dachis Group.

Though companies are increasingly tightening their BYOD policies, most have yet to address the use of consumer apps and services such as cloud storage on mobile devices.

"Cloud data centers are becoming high-value targets" of data thieves, said Hinchcliffe, raising the possibility that "someone inside the company with the keys to the castle" could be bribed to share data with hackers. "There's a lot of temptation," he added.

Dave Malcom, chief information security officer at Hyatt Hotels, said he's keenly aware that employees are using consumer-grade cloud storage services with mobile devices on the job, and he's taking steps to address the situation.

For instance, the hotel chain is surveying employee workstations to determine whether cloud storage apps like Dropbox have been downloaded and, if so, what data is stored on them.

If a Cloud storage app has been downloaded, "there's probably a corresponding machine they're placing documents on that we don't own," Malcom said. "We're starting to get in front of it [and] we're trying to provide a corporately blessed service."

Among other things, Hyatt's BYOD policy requires employees to register mobile devices, and it prohibits the storage of confidential data outside the corporate firewall. The company also makes no bones about the fact that it remotely wipes all data from lost or stolen devices.

Nonetheless, "we're not naive enough to believe that a policy alone is the answer, and that we don't need technology" to help people follow the rules, said Malcom. "We want our employees to do the right things, but we know there may be times that they don't have the tools."

Malcom said that he hopes to start pushing employees toward using a corporate SharePoint system for content-sharing, though he acknowledges that it's not user-friendly on an iPad.

"If we can find someone like a that we can enter into an enterprise agreement with and help reduce some liability, we'd like to offer [that] to our user community," he said.

He noted that Hyatt is also trying to strengthen its passwords to avoid Romney's fate: "Ultimately, I'd like to get to biometrics or RFID proximity cards where you just have a four-digit PIN along with your card or your fingerprint in order to get on to our systems."

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on

Read more about storage in Computerworld's Storage Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

More about Box.netDropboxEvernoteHotmailIBM AustraliaIBM AustraliaTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucas Mearian

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place