Convenience and security rarely play well together.
The last week saw IBM putting a stop to utilization of personal cloud services like DropBox and SkyDrive. http://www.theregister.co.uk/2012/05/25/ibm_bans_dropbox_siri/
IBM identified the service as a risk to security, and they are right. BYOD brings many challenges and a big one for organizations is stopping users from storing company documents public cloud drives. Cloud drives create a huge funnel through which organizational documents can be siphoned to a location outside the organization. It's never immediately clear where the endpoints of cloud drives are and just who has access when a document is copied to a cloud drive folder.
People don't use cloud drives because they want to share confidential documents, but because they are convenient. Unfortunately convenience is the bane of security. With cloud drives you never know if someone has set their permissions correctly (everything stored in their cloud drive could be shared with the world because of a permissions stuff up). If a laptop or mobile phone that is connected to a cloud drive is stolen or misplaced, then whoever finds it might have access to the contents of the cloud drive. How many cloud drive services allow you to remotely disconnect a node in the event that you lose the device hosting the node?
If you allow BYOD, how do you block cloud drives? In the olden days you could put a block at the organizational firewall or proxy. Today many BYOD devices have built-in broadband chips and the organization has no network layer control over what people can and cannot access. You can create an organizational policy banning the use of these services, but unless you inspect each and every person's BYOD computer, you won't really know. The advantage of network layer blocks is that they tend to be more effective than policy blocks.
One technology that's available in Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 is Active Directory Rights Management Services. When correctly deployed, AD RMS blocks people from opening documents that they aren't authorized to open, whether they are attempting to do it on the local organizational network, or at home with a file that they are opening from a folder mapped to a cloud drive. Even though AD RMS has been around for a while, it still lacks the sort of simple interface that encourages wider deployment.
If your organization is considering a BYOD policy, you have to come up with some policy around the utilization of cloud drives. You could take the IBM approach and ban them outright, or try to find some sort of middle ground.
Follow me on twitter: @orinthomas
