IT is getting cloud storage security all wrong
The first comes from survey conducted by Ipswitch File Transfer, a maker of secure file transfer and data monitoring software. It asked 555 IT professionals across the globe about their file sharing habits and found that while 76 percent of IT professionals say it is important to be able to securely transfer files, 61 percent use unsecured file-sharing clouds.
It also found 32 percent of IT professionals don’t have a file transfer policy in place, 25 percent plan to establish one, and another 25 percent said their company has a file transfer policy, but the enforcement is inconsistent.
Twenty-one percent reported they might have had a data breach in the past but they were not entirely sure, while 38 percent said their processes to identify and mitigate risks are inefficient.
Another survey by document management and digital imaging firm Crown Records Management and Censuswide, released on Clean Out Your Computer Day (February 8), found that 55 percent of IT decision makers in companies with more than 200 employees do not have a policy in place for email data retention, 58 percent do not audit their paper-based data regularly, 60 percent don’t practice regular reviews of files stored in the cloud or on-premises, and 64 percent do not filter what goes into the cloud.
Topping it all off, 76 percent don’t have a system helping them to differentiate between data which must and should not be retained.
"What this points out is something that's been around a long time, and cloud storage is just the latest place it shows up. People are running full out and often don’t take the time and do discovery and inventory to make sure things are more in order to adhering to the policies," says Jean Bozman, vice president and principal analyst of Hurwitz & Associates.
[Related: Top 7 storage certifications for IT pros]
We live in the now so we're just trying to do the best we can now, she added. "But having looked at disaster recovery and high availability, it's very important to take that pause, whether it’s over a holiday weekend of whatever and just document what you have," she adds.
Paul Castiglione, senior product marketing manager of Ipswitch, says a lot of cloud file sharing services are adding security features to cover for bad behavior, which is increasingly necessary.
"If we were all perfect individuals, there wouldn't be errors. But stats also show that in companies with data loss, one-third of the incidents was due to human error, one-third to process and network errors and one-third to malicious activity. So two-thirds of data loss is stuff I can control inside my network. Sure, I want to train my employees so they don’t make dumb mistakes but also provide the technology to make it impossible for them to make a mistake," Castiglione says.
He adds that while training is a critical aspect of compliance, automation should be in place so they can't do anything wrong in relation to file transfers and exchanges between on-premises and the cloud. Many customers he's encountered don’t allow manual file transfer at all.
"It may seem shocking but in the moving of secure data, it's typically to support an established business process of some kind," he said. "If I automate it, that will reduce human error, improve efficiencies, help employees with efficiency and not allow them to send a file to the wrong FTP server in Russia," said Castiglione.
Richard Stiles, vice president of product development with cloud storage provider StoAmigo, faults the vendors for letting the lawyers dictate the policies. "In most cases, what ends up happening is an attorney will write the policy for the protection of the vendor or cloud vendor and the client suffers because these policies are written to protect the vendor. They list things like how they are not responsible for down time, not responsible for data loss, and so on," he says.
He also says most cloud storage companies take a hands-off approach when it comes to storage. "Let's say I upload something to my cloud storage. That vendor that is selling me storage doesn’t part care what I'm putting in that server, all they care about is how much space I'm taking. There is no monitoring of the quality of the upload or download and no guarantee of checking for corruption between sender and receiver," he says.
And that especially goes for cleaning up your old data stores. Don't expect your provider to do that for you, nor should you want it to. "I can't imagine a client being ok with a third-party poring through their digital content in the cloud for them. Anyone who cares enough to back it up on cloud storage will have some expectation of privacy for the content," Stiles says.
Cloud storage providers don't get involved in data management, so once it gets to the storage repository, it sits. The host is not in the loop on the management of the data once it gets there because, quite frankly, the data is none of its business. So storage management, including deduplication and removal of old data, is your responsibility, not your provider.
[Related: Is DevOps good or bad for security]
"It all starts with the company," Stiles says. "They have to determine the value of the data. For some companies, the data is not that important, while for others, it's their life blood. People who use Facebook don’t care about their digital content. But if you are an attorney or a photographer, managing content is your life blood. So it all starts with the client."
Castiglione advocates automation to reduce human error, and says that there must be specific features and functions. For starters, any automation services or software should insure they have visibility to the file level, not just the folder level, and know who has accessed the files down to the file level. Also, make sure there is access control to insure their provider offers proper access control.
That said, he says cloud storage providers have lots of room for improvement. "Most of the file share vendors came from a place of offering simple to use consumer collaboration tools, not from a place of protecting the file and access. So it's a totally different mindset," Castiglione says.
Read your contract carefully. "My advice for anyone is read the terms and conditions. See what will they hold themselves responsible for and what is your responsibility for your data. That tells you what recourses you have," he says.
"Some cloud storage companies do a good job on educating their clients on what to do and how to do it. Others not so much. You'll see free services with a lot of free storage but you get what you pay for. There may not be a lot of support on the back end," Stiles adds.
And Bozman says make the time to look over what you have. "Schedule some time to look, or if your people are running full out, hire some additional headcount to help with that kind of thing. If they are all supporting production it's hard to stop and take a look. We run very lean and mean in it today. The ratio of people to devices is very high," she says.