Why is it becoming harder for IT staff to protect corporate data?
I think the key problem for IT in terms of protection of corporate data is one of control and, to put it at its simplest, it’s about understanding where the information is. If the IT department has a very good handle on where all the information is sitting, then it can apply DLP policies and put in place secure email gateways and other technologies that secure that data from external threats.
Users are now coming into the workplace with their own devices – the BYOD phenomenon that is well discussed now I think – and then, more recently, there is BYOC, Bring Your Own Cloud, where users are coming into the workplace and using Dropbox and other such services, choosing their own tools and primarily for file sync and share and that is what’s creating the problem for IT in terms of protection of corporate data.
It ultimately comes down to knowing where that data is and if IT hasn’t got the means to keep tabs on that, then their lives start to become very difficult and the increased risks of data loss become greater.
How greatly does BYOD or people working from home affect data security?
The potential for data security issues is massively heightened by both phenomena; BYOD and BYOC, simply because IT is in danger of losing control. I think with BYOD, you’re basically proliferating the number of places where data can be stored outside the corporate firewall and therefore outside the control of IT and IT’s policy for security.
So the first worry is data on the device, if it is the individual’s own device, then that is immediately a risk. And then, of course, the same thing with the likes of Dropbox where data is being stored outside the corporate archive or outside the corporate network, the risks are incrementally much higher.
When we listen to our customers talking about this, they’re starting to ask: "What is a sustainable solution to this problem?" Change the terminology from Bring Your Own Device to Choose Your Own Device, and the same is true for bring your own cloud. So when someone joins an organisation, IT says here are the approved devices we will support and cloud services we allow you to use. You can then provide guidelines on how those services can be used in such a way that mitigates potential risk and data loss.
What about small businesses that use BYOD because they cannot afford devices or cloud storage?
For small businesses, it can be an issue if you haven’t got the ability to use an archiving service. But some of the enterprise cloud services that are available today are much more cost effective, something like an Office 365 so you don’t have to worry about storing masses of data on premise.
It’s not only more secure but it’s also more cost effective. So I think perhaps for smaller businesses they need to be aware of enterprise cloud services that are available to them that give them the security and cost effectiveness. We may be talking about businesses that don’t have IT departments at all, but third party providers and services can take on that role and provide them with the security and the policy control that they need, because it’s just as important to a small business that they keep control of data or they’ll lose their IP to some sort of security breach.
How safe are free cloud storage devices such as Dropbox?
It’s not for me to tell you whether Dropbox is secure or not, but Dropbox is working very hard to position itself for business today. But what our customers are telling us is that they’re not comfortable with users using Dropbox inside the enterprise. They feel it is not enterprise grade. They are concerned about breaches and they would rather their users were adopting much higher enterprise grade technology than Dropbox.
On the other hand, they recognise it is a popular service. It does what it says on the tin and, until such time as they can educate their users and provide viable alternatives, they know they can’t just stamp it out and bring in IT policies that outlaw the use of Dropbox or other tools of that kind.
IT needs to control, manage and contain, rather than eradicate the use of such things. Our enterprise customers are looking at ways they can either mitigate the issue of Dropbox or move away from using Dropbox nearer the time.
The important thing for IT in terms of education of users is in terms of use cases. So if I want to send a very large doc for example, there may or may not be a policy in IT that limits the size from Outlook or across the exchange network, so they will use Dropbox to send that large file or WeTransfer or similar tools. It’s incumbent then on IT to educate users on the alternatives. So for example, one of the things Mimecast is doing for its customers is we have made available a service called Large File Send, which very simply allows users to send files up to 2GB without leaving Outlook.
There is a concern over data trails, but there is a way around that. For example, our file archive provides users with a Mimecast folder. If they drag and drop documents from Dropbox into that folder then that automatically puts that data into our archive and gives the IT dept peace of mind. To some degree that’s sort of the first step in educating users on how to use Dropbox in a safe way and then, further down the line, we can begin to introduce technologies such as Large File Send and other technologies that we have coming that eventually remove all the use cases for DB inside the business. I think that’s the key point of view from our standing as an enterprise software supplier, we need to erode the use cases for these cloud consumer cases over time, gradually introducing technology to replace them, and our customers are already beginning to see the benefit of that.
What additional threats are now present across the managed network?
There are bad people out there who are always trying to find ways of breaching networks and getting in and causing problems with advanced network threats, and I think for businesses to try to handle this themselves is becoming increasingly difficult and once you have your data in a cloud archive you have much more visibility and control of that information, I think the same is also true of security perspective.
There are companies like ourselves that invest massive amounts of resources in staying on top of the ever changing landscape of potential security threats, we make it our business to ensure that our customers’ data can’t be breached, lost or compromised in any way.
But cloud is in a relative state of immaturity and there are some people who think I can’t trust my data with a cloud vendor or put my data because it might be less secure, but in fact the converse is true: I think in most cases, corporate data is much safer in the cloud because companies like ourselves simply cannot afford to have that corporate information breached, so we invest massive amounts in technologies and in people to ensure that can’t happen.
What is the risk in shadow IT networks?
The key risk of shadow networks is loss of control and visibility of where your information sits. The best way to understand it is to look at the nirvana if you like, the ideal scenario where all your information is in a single repository, so not only is everything subject to your DLP policies and so on, but it’s also accessible and visible to your IT dept and your end users.
The archive is not just about security, it’s also about accessibility and usability of that info whereas if your info is scattered across multiple storage in your LAN, not only are you being inefficient storing it, but it’s very difficult to make it safe and accessible. The way we look at a cloud archive is it’s there for e-discovery and security but it’s also there for people, it’s there to be used and accessed by users on their mobile devices wherever they happen to be. So we take a very different view on storage compared to some of the other vendors in the space.
Fundamentally, shadow IT takes away that visibility and control from shadow IT. If someone is sharing important corporate data with someone else outside the enterprise, and they’re using Dropbox, without specific safeguards in place, then that info is not inside the network, not subject to DLP and could easily end up in the wrong hands and I think that’s the biggest fear for IT.