How to reverse the trend of BYOD becoming Bring Your Own Cloud.
There is little argument that cloud technology is both powerful and almost infinitely useful. You can run up powerful systems without vast up-front spending on server hardware; you can cast aside the tasks of keeping server and network kit up-to-date or replacing failed components; the ability to run your world in two distant regions with fail-over capability between the two is built into the service; and you can go from zero to a workable setup in a very short amount of time.
The latter is particularly true for Software as a Service (SaaS) offerings: for example, using an AI-based transcription service to convert video and audio webinars and podcasts into text-based versions that are much easier to search through when writing reports and articles based on them. We all know people who use ChatGPT to write program code, job advertisements and the like, while cloud services like Dropbox and other file sharing services make moving data around very simple indeed.
Not the Intended Use
However, there’s a problem: many cloud services are susceptible to misuse – often inadvertent, sometimes not. The main issue is people uploading proprietary, often highly sensitive data to a cloud service. Getting ChatGPT to produce your company accounts or write a medical report on your patients’ data is always a bad idea, because once that data is out there in the cloud you have zero control over it and no guarantee that it won’t be loose on the internet forever.
The benefits of cloud services – value and ease of getting up and running – are also the potential downsides. If you’re not seeing “shadow IT” cloud services gradually starting to creep into the organization, with staff signing up to services without going through the formal IT purchasing process, the chances are you’re not looking hard enough. When (not if) you find these pockets of “Bring Your Own Cloud”, as it’s known, what can you do to fix the problem and stop them multiplying?
Addressing Cloud Creep
Step one is to have clear and disseminated policies that prohibit the transfer of company data outside the organization, except to places and services for which such transfers are formally permitted. Writing a policy doesn’t prevent someone from doing something undesirable, of course, but it’s the essential foundation that underpins everything else you’re going to do.
Next, consider a web filtering product or service, so that you can control the web sites and internet-based services your staff can get to. There are many, many of these on the market from a wide variety of reputable suppliers, and that prevalence means they’re generally not inaccessibly expensive. These systems sit between your users’ browsers and the internet and vet every web page they try to visit, permitting or denying access based on the rules you’ve set; they are what companies use to keep staff away from SaaS solutions they don’t want them to access. There’s a catch, though: there’s no point installing a web filter on your office network if staff take their laptops home and can access things you don’t want them to get to. So, pick one of the solutions that has an “agent” app on every PC, because the agent will hold a copy of your filtering policy and will block access you want to prohibit no matter where the device is.
The other thing you can do is a bit of basic forensic accountancy. If people around the company are signing up to paid-for cloud services, the chances are they’re claiming the cost from the company, whether it’s on their company card or via a personal expense claim. Work with your finance department and check what’s being charged to the company. Keep in mind that if you’re digging through credit card statements a bit of sleuthing might be required to figure out who the vendors actually are.
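The “forensic accountancy” step above can be partly automated. The script below is an added illustration, not code from the article: it reads constructed card-statement lines, normalizes the mangled vendor descriptors into canonical vendor names, drops vendors on an (assumed) approved list, and reports the remaining subscriptions by cardholder so you know who to go and talk to.

```python
import re
from collections import defaultdict

# Constructed sample statement: cardholder,date,processor descriptor,amount.
# Descriptors mimic how card processors mangle vendor names.
STATEMENT = """\
a.smith,2024-03-02,DROPBOX*R8T4KLQ2 DROPBOX.COM,11.99
a.smith,2024-04-02,DROPBOX*P0WQ5ZZ1 DROPBOX.COM,11.99
b.jones,2024-03-15,OPENAI *CHATGPT SUBSCR SAN FRANCISCO,20.00
b.jones,2024-04-15,OPENAI *CHATGPT SUBSCR SAN FRANCISCO,20.00
c.lee,2024-03-20,MSFT*M365 BUSINESS STANDARD,10.30
d.khan,2024-03-28,OTTER.AI TRANSCRIPTION,8.33
d.khan,2024-04-28,OTTER.AI TRANSCRIPTION,8.33
"""

# Assumed approved-SaaS list: vendors the company formally pays for.
APPROVED = {"microsoft"}

# Descriptor fragments mapped to canonical vendor names (constructed for the example).
VENDOR_PATTERNS = [
    (re.compile(r"DROPBOX", re.I), "dropbox"),
    (re.compile(r"OPENAI|CHATGPT", re.I), "openai"),
    (re.compile(r"\bMSFT\b|MICROSOFT", re.I), "microsoft"),
    (re.compile(r"OTTER\.AI", re.I), "otter.ai"),
]

def canonical_vendor(descriptor):
    """Map a raw descriptor to a vendor name; unknown vendors keep the
    descriptor minus tokens containing digits (site refs, phone numbers)."""
    for pattern, name in VENDOR_PATTERNS:
        if pattern.search(descriptor):
            return name
    words = [w for w in descriptor.split() if not any(c.isdigit() for c in w)]
    return " ".join(words).lower()

def find_byoc(statement):
    """Return {vendor: {"holders": set, "charges": n, "total": amount}} for
    every vendor that is not on the approved list."""
    findings = defaultdict(lambda: {"holders": set(), "charges": 0, "total": 0.0})
    for line in statement.strip().splitlines():
        holder, _date, descriptor, amount = line.split(",")
        vendor = canonical_vendor(descriptor)
        if vendor in APPROVED:
            continue
        entry = findings[vendor]
        entry["holders"].add(holder)
        entry["charges"] += 1
        entry["total"] = round(entry["total"] + float(amount), 2)
    return dict(findings)

if __name__ == "__main__":
    for vendor, entry in sorted(find_byoc(STATEMENT).items()):
        kind = "recurring" if entry["charges"] > 1 else "one-off"
        print(f"{vendor:10} {kind:9} holders={sorted(entry['holders'])} total={entry['total']:.2f}")
```

Repeated monthly charges from the same cardholder are the strongest signal of an ongoing BYOC subscription, so the recurring flag is the first thing to look at.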
This is the foundation of what you can do to stem the rise of BYOC, but we haven’t really discussed whether this is what you want to do. Chances are, after all, that there’s a degree of benefit to at least some of the tools that your users have signed up to without your knowledge. Your desire isn’t to stop your users working, but to ensure that they’re not working with systems you don’t know about and risking breaches of confidentiality and data protection.
An Approach to Addressing BYOC
When you find BYOC, don’t just step in, turn it off and step out again. Take the time to speak with the users who have introduced it and understand what they perceive to be its benefit. The outcome in each case will usually take one of three forms.
First, it may well be that the service just isn’t working as the user hoped or is even giving blatantly wrong answers. Take this real ChatGPT example, for instance:
(We particularly like #2, where the song title is in fact the first two words of the first line.)
This doesn’t necessarily mean the service isn’t useful, but if it’s not useful for your particular use case then the answer is simply to do away with it.
Option two is that you’ll realize that the service is doing something useful, and seems to be doing it correctly, but that the particular choice of product isn’t ideal. A lot of what you’ll find falls into this category, so consider the value (generally a saving of time and/or cost) and if it’s worth spending time on it, research the alternatives. This is where you might find organizations switching from, for example, ChatGPT to more contained, commercial services like Microsoft’s Copilot. You can ensure the data stays within your subscription rather than being fair game for anyone on the wider internet.
Option three may sound a little surprising: you may well decide that the service the user has signed up to is so valuable and unique that it’s worth considering signing up to it formally as a supported corporate app. You can then go through whatever due-diligence processes are required to on-board the supplier, preferably hook it into your organization’s systems via Single Sign-On (SSO), conduct a proper legal review of the terms and conditions, and so on. Remember: cybersecurity controls should be risk-based, so it may be considered acceptable to adopt a cloud system with some risks by balancing these risks with highly restricted user access and very clear training to maximize awareness of what they can and can’t do. Cybersecurity professionals tend not to like this approach, but don’t dismiss it out of hand.
Bring Your Own Cloud can be a pain and can open you up to cyber breaches or data protection incidents. You simply can’t allow uncontrolled access to arbitrary cloud systems. Nonetheless, don’t be too quick to simply cut everything off: technology to prevent people from accessing unsupported cloud systems is essential (and, happily, not ferociously expensive), but remember that if someone has signed up to a cloud service, they have probably done it for a reason, and that reason may be one that saves them time and the company money. Fully evaluate what BYOC you have, go and talk to the users, and turn off the overly risky stuff. Ultimately, think hard about whether you can work with them to move to something just as beneficial but less risky.