Tag Archives: cloud security

Tech

Can the enterprise allow employees to use the public cloud?

Leave a comment

The theme today isn’t about enterprise clouds that are my normal topic, but instead, clouds where end users fly. Face it – your users are in their own clouds. Is that a nervous tic I see on your face?

iCloud OwnCloud

Dropbox

Magic sauce

Store my files

Store your files

Store our files

Mix them all together

Stir with random care

You said that file is where?
I find this harrowing. Users face no real way, without a lot of work that they’re disinclined to do or even understand, to know if a personal device’s files will be stored securely in any particular cloud provider’s bin.

There are no standards. No seals of approvals worth spit. Random selection will take place, with a bias towards something your operating system provider conveniently provides.

Or maybe the home machine is a Mac (see: iCloud) and the office machine runs Windows 7, and the phone is an Android. People interchange files frequently from one device to another without thinking about the ramifications of a differing cloud provider. More copies are better, of course, because people want the convenience of just getting their files, photos, music, videos, and yes, work products, on demand. Demand is for now, not hauling out another device, booting it up, waiting for a logon, logging in (too many machines don’t require passwords), maybe a signal, then maneuvering to some deep folder to fetch a file. Convenience rules.

This flies in the face of the hopes, dreams, and practical realities of security officers, policy makers, and IT professionals everywhere. It also explains the successful business model behind every convenience store in the world – time pressure.

There are ways to keep sensitive data from finding its way into someone’s messy cloud cache, ranging from draconian to astute. Much depends on the values an organization imposes on its users. Yes, they have to be based on trust, and yes, people – even organized and thoughtful people – can be messy with data assets.

Sophisticated data loss prevention schemes are in place in some environments. Others force users to logon to virtual sessions and work within the ostensibly safe boundaries of those sessions. Some use sophisticated document or work-product tracking. Others force and use seriously sophisticated, often OS-based, policy controls (ex: Microsoft’s Group Policy Objects) in an effort to impose moats around applications and, hopefully, their data. Swimming moats gets an airborne drone when clipboards are enabled…a trick I’ve had recently demonstrated to me.

Can you implement an approved cloud? How would you judge it? Encryption on the wire in addition to in-storage? Who do you whitelist?

My values, and those of most of my colleagues, say not to allow any organizational data to end up stored in places we don’t control and can’t audit – period, end of page, and job, if we catch you. Like BYOD, I also recognize that users will be users, and policies vary on the issue from draconian (yeah, you’re fired) to “this is our list of approved sites.” Don’t use XY or Z, as they’re unapproved, meaning blacklisting cloud storage.

If you get a chance, tell me which you – or your employer – might approve of, and why, in three sentences or less. You can also say things like: “No Way, I’ll be shot at dawn if I say this, but…” and/or if they would (Upworthy alert) Change This One Thing.

 

MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

 

Apple

Apple now emailing users when iCloud accessed via Web

Leave a comment

It’s one of several security improvements expected from the company following its involvement in last week’s celebrity photo theft

In the wake of last week’s theft of celebrity photos, Apple has started beefing up security for its iCloud service. The move, part of improvements also promised by Apple CEO Tim Cook last week, comes just a day before one of the company’s biggest events of the year.
icloud security logout

On the Web, iCloud’s advanced account settings allow you to log out all currently logged in sessions.

As first reported by MacRumors, Apple will now send iCloud users an email whenever they (or someone purporting to be them) log into iCloud.com via a Web browser. This seems to happen even if the browser and computer in question are ones that a user has previously logged in with. Apple’s email advises users to change their Apple ID password if they believe someone else is accessing their account. (As an additional tool, iCloud’s Web interface does provide the ability to log out every currently logged in browser in its Account Settings > Advanced.)

Granted, in my brief test, the email arrived ten minutes after I logged in, which could still give an interloper plenty of time to do some damage. Currently iCloud’s Web interface does not have the option to require two-step authentication when logging into your account.
icloud security login

Apple now sends you an email, notifying you when someone has logged into your iCloud account via the Web.

Given the broad publicity over this security issue, it seems likely Apple will take at least some time at Tuesday’s event to respond and potentially discuss what measures are being taken to ensure the security of its users. No doubt the company hopes that this incident won’t overshadow what most assume to be the launch of the next iPhone.


Best Microsoft MCTS Training – Microsoft MCITP Training at Certkingdom.com