Free cloud storage is tempting, but is the price too high?
The services have obvious appeal to employees, but have a history of breaches. Pennsylvania's CISO, for one, steers agencies to in-house or enterprise storage services.
The free cloud storage services proliferating on the Web can be tempting for agency employees — being free, for starters — and a lot of employees have taken advantage of them. But they can be security risks, and states such as Pennsylvania are trying to steer agencies away from using them, suggesting enterprise services as first options.
Despite definite strides in improving the security of these services, the free cloud storage solutions have security shortcomings and have historically experienced major breaches, said Erik Avakian, Pennsylvania’s chief information security officer. “Some have suffered significant breaches over the past several years, and some have experienced some form of downtime and security problems and/or breaches,” Avakian said.
The IT security expert expressed his views on how to control state employees’ use of free cloud file-sharing services in the National Association of State Chief Information Officers’ issue brief, “Capitals in the Clouds Part V: Managing the Risk of Free Cloud Services.”
Users of these cloud services can never be sure what level of security a provider is implementing to secure user data, Avakian noted. “Additionally, some providers do not guarantee user ownership or return of data once service is terminated,” he said, adding that data location is often not guaranteed either -- it may be on servers outside of the United States. Also, there is a greater risk of mismanagement, theft or loss of data compared to an in-house solution, since a user’s data is stored on servers shared by many different customers, Avakian said.
“There is significant risk of sensitive data being placed in these services and subject to potential breach, and monitoring and preventing such instances is very difficult,” he noted.
Avakian did not mention the names of companies that experienced security breaches. However, a security breach in August 2012 sent Dropbox users unsolicited e-mails. A stolen password was used to access an employee's account, allowing a document containing user e-mail addresses to be copied. User names and passwords stolen from other sites also were used to sign into some Dropbox members' accounts. The breach prompted the company to implement new security measures.
It is easy to see why these services are attractive to government employees who use them in their personal life, the brief states. These solutions are easy to access, configure and use. They support multiple devices -- notably, mobile devices -- and data in multiple formats. And, most importantly, these file-sharing services are free.
However, since the release of the 2012 NASCIO and Deloitte Cybersecurity Study, states have raised more questions on cloud providers' security and policies. In addition to the May 2012 Capitals in the Clouds IV guidance on rogue cloud users, states continue to seek ways to put the proper controls in place, meet security standards, craft acceptable use policies and identify the open records and legal concerns regarding terms of service, the brief says.
At the same time, state CIOs understand they must support the business objectives of their agency customers and offer enterprise alternatives to free cloud services.
Avakian noted that “the risk and legal ramifications of using such services needs to be evaluated on a provider-by-provider basis.” Service providers that allow dual-factor authentication and user-provided encryption keys should be favored, he said.
Pennsylvania does use an enterprise Web filter to block the “cloud storage” category. But there may be potential business needs for using these services, so an agency can request a waiver that requires the head of the agency to sign a document accepting the risks of using the services, Avakian said.
Pennsylvania plans to implement an enterprise data loss prevention (DLP) solution at the network perimeter to prevent data breaches and leakage, Avakian noted. The network DLP will be able to inspect inside encrypted files and web content for sensitive data and then report and alert on infractions.
Pennsylvania officials are trying to steer agencies towards internal solutions and enterprise secure file storage services, Avakian said.