How dangerous are clouds? Computer networky question
June 25, 2015 2:40 PM Subscribe
Trying to get some info so I can try keep using Evernote and Trello at work. I'm having to deal with what seems quite ridiculous at work. Apparently something bad might come in through Evernote because it's a cloud and clouds aren't good. Could my cloudy Evernote 'pollute' the network somehow? Are these sorts of cloudy apps really such a super serious concern that all big corporate companies ban their use? We were told that this was the case at 'really big recognizable company'. (I do know about downloading attachments etc)
I get the need for network security and use policies. I know that many companies do ban things like social media on their networks at all times. I get that and am okay with that.
My workflow and management is pretty much all digital now. Digital keeps me organized. I don't lose info with digital. I can easily search digital. Digital is easy to carry around. Shared project apps keep me a few others organized together.
Apparently these are bad. Like really bad. Today we found out that anything but company email and looking up needed info on the net is bad and potentially dangerous and we don't know enough to know what is or isn't dangerous. Google stuff is bad too. (Though apparently mgt is knows enough about Google stuff to do all of their company business on gmail because for whatever reasons it's very difficult to switch to company email)
I know I sound flip about it. Most in my office feel like there's more behind this declaration then real actual fear of a virus. Our mgt is very insecure and wants and trys to be in control of everything. Like one manager a while back really wanted me to make my own personal 'to do' list in a way that they think is best but really is one of the worst ways because of the amount of time needed to spend managing the list. I tried it that way and it was awful.
So I do wonder if this new policy is part of a backlash against people doing things different then what the mgt is used to personally. For reasons that we can't seem to get a grasp on things like not taking notes in the same way or not taking enough notes seems to really bother one guy. It's weird. He'll even appear with photocopies of his notes to give us 'just in case' and at times will ask for your notes to compare to his notes 'just to make sure we're all on the same page.'
Doesn't seem to matter that work is getting done with more then satisfactory outcomes. There does seem to be a thing with them wanting to micromanage how things are done.
Anyways if there are indeed major security concerns with these sorts of apps then I'll deal. If not I'd like to at least be able to explain why they're not such a problem. Its not a hill to die on but I feel like I at least want to say something. And of course if worse comes to worse and I'm feeling snotty nicely suggest that if they are so fearful of clouds, external apps and pollution that gmail is a risk for them as well because x and y.
Really I just want to know if there is something behind what they're saying or if they just talking out of their ass's because of cluelessness or other reasons. They do talk out of their ass's quite a bit so it wouldn't be the first time. A lot of my a my co-workers job is cleaning up their ass talking messes so we're used to it.
I get the need for network security and use policies. I know that many companies do ban things like social media on their networks at all times. I get that and am okay with that.
My workflow and management is pretty much all digital now. Digital keeps me organized. I don't lose info with digital. I can easily search digital. Digital is easy to carry around. Shared project apps keep me a few others organized together.
Apparently these are bad. Like really bad. Today we found out that anything but company email and looking up needed info on the net is bad and potentially dangerous and we don't know enough to know what is or isn't dangerous. Google stuff is bad too. (Though apparently mgt is knows enough about Google stuff to do all of their company business on gmail because for whatever reasons it's very difficult to switch to company email)
I know I sound flip about it. Most in my office feel like there's more behind this declaration then real actual fear of a virus. Our mgt is very insecure and wants and trys to be in control of everything. Like one manager a while back really wanted me to make my own personal 'to do' list in a way that they think is best but really is one of the worst ways because of the amount of time needed to spend managing the list. I tried it that way and it was awful.
So I do wonder if this new policy is part of a backlash against people doing things different then what the mgt is used to personally. For reasons that we can't seem to get a grasp on things like not taking notes in the same way or not taking enough notes seems to really bother one guy. It's weird. He'll even appear with photocopies of his notes to give us 'just in case' and at times will ask for your notes to compare to his notes 'just to make sure we're all on the same page.'
Doesn't seem to matter that work is getting done with more then satisfactory outcomes. There does seem to be a thing with them wanting to micromanage how things are done.
Anyways if there are indeed major security concerns with these sorts of apps then I'll deal. If not I'd like to at least be able to explain why they're not such a problem. Its not a hill to die on but I feel like I at least want to say something. And of course if worse comes to worse and I'm feeling snotty nicely suggest that if they are so fearful of clouds, external apps and pollution that gmail is a risk for them as well because x and y.
Really I just want to know if there is something behind what they're saying or if they just talking out of their ass's because of cluelessness or other reasons. They do talk out of their ass's quite a bit so it wouldn't be the first time. A lot of my a my co-workers job is cleaning up their ass talking messes so we're used to it.
Are these sorts of cloudy apps really such a super serious concern that all big corporate companies ban their use?
This appears to be your only real question.
The answer to that is, "no, not all companies ban the use of cloud-based storage, but many companies manage how company material is stored." You are focusing on fairly benign information - notes, scheduling, etc (along with other seemingly irrelevant rants about your company - you might consider if you have other fundamental issues with your company than just Evernote), but the people that manage acceptable use policies are not generally considering that. They are considering core company property, private corporate records, critical infrastructure documents, and key intellectual property. Further, they are generally approaching the problem of information storage from the perspective of having one unifying policy, even if that unifying policy is overkill in some (many) specific areas.
So, yes, companies can be, and are, worried about valuable and/or regulated information being stored at unaccredited/unmanaged/unaccountable vendors. For instance, a hospital that stored patient information on Evernote or a government contractor that stored classified/ITAR-restricted documents on Evernote would be so mismanaged as to potentially be criminally liable. A technology company that kept critical schematics or drawings on an unencrypted cloud storage server would almost definitely find those schematics/drawings in the hands of a contract manufacturer that doesn't mind selling less-than-legal clones of devices.
That doesn't mean your company handles information like that, nor does it mean that Evernote/Google Drive/etc are actually insecure. It simply means that there are often legal and security barriers associated with a company approving use of a method for storing corporate information. Most people that handle these sorts of issues don't view the issues from the perspective of "unless we have a good reason to ban a tool, we will allow it", because then those people get in a lot of trouble when something goes wrong that they didn't foresee. They view the issues from the perspective of "unless we have a good reason to allow a tool, we will ban it", because that generally doesn't result in the policy-makers making mistakes that result in the company getting prosecuted and/or losing its market advantage.
Oh, and to a company, avoiding being prosecuted and/or losing its market advantage is a lot more important than how you keep meeting notes.
posted by saeculorum at 3:06 PM on June 25, 2015 [9 favorites]
This appears to be your only real question.
The answer to that is, "no, not all companies ban the use of cloud-based storage, but many companies manage how company material is stored." You are focusing on fairly benign information - notes, scheduling, etc (along with other seemingly irrelevant rants about your company - you might consider if you have other fundamental issues with your company than just Evernote), but the people that manage acceptable use policies are not generally considering that. They are considering core company property, private corporate records, critical infrastructure documents, and key intellectual property. Further, they are generally approaching the problem of information storage from the perspective of having one unifying policy, even if that unifying policy is overkill in some (many) specific areas.
So, yes, companies can be, and are, worried about valuable and/or regulated information being stored at unaccredited/unmanaged/unaccountable vendors. For instance, a hospital that stored patient information on Evernote or a government contractor that stored classified/ITAR-restricted documents on Evernote would be so mismanaged as to potentially be criminally liable. A technology company that kept critical schematics or drawings on an unencrypted cloud storage server would almost definitely find those schematics/drawings in the hands of a contract manufacturer that doesn't mind selling less-than-legal clones of devices.
That doesn't mean your company handles information like that, nor does it mean that Evernote/Google Drive/etc are actually insecure. It simply means that there are often legal and security barriers associated with a company approving use of a method for storing corporate information. Most people that handle these sorts of issues don't view the issues from the perspective of "unless we have a good reason to ban a tool, we will allow it", because then those people get in a lot of trouble when something goes wrong that they didn't foresee. They view the issues from the perspective of "unless we have a good reason to allow a tool, we will ban it", because that generally doesn't result in the policy-makers making mistakes that result in the company getting prosecuted and/or losing its market advantage.
Oh, and to a company, avoiding being prosecuted and/or losing its market advantage is a lot more important than how you keep meeting notes.
posted by saeculorum at 3:06 PM on June 25, 2015 [9 favorites]
When companies talk about security in the cloud, they're not necessarily talking about malware - they're talking about the security of the company's proprietary information.
Many organizations have confidential material that they don't wish to have known by any third parties - this can be anything from employee salary records to trade secrets. In addition, many American organizations are subject to regulations such as HIPAA and Sarbanes-Oxley, which require documented and audited methods in which information flows through a company. HIPAA's privacy rules also prevent the disclosure of private information to third parties.
When an individual sets up a personal account on a third-party cloud service and accesses it through the employer's computing hardware or network, there are many different ways in which confidential material could be leaked, or regulations could be violated:
* Confidential information is stored by the user on the service, making that information accessible by the third parties who run the service
* Security errors on the part of the third-party service can result in a leak of information. In the case of cloud services, those services are generally available from any node on the Internet, and a security related issue cannot be directly resolved or stopped by administrators of the company.
* Use of third party services by individuals using private accounts cannot be effectively audited for regulators.
* A cloud service may move or back up data to a data center outside of the countries or geographic locations that the company is contractually obligated to store information in. This is especially a concern for government contractors.
These issues do not prevent the use of cloud services by a company, but it does restrict their use. For example, upper management may prefer Google over other cloud vendors because Google ensures their services are audited and appropriate for use under HIPAA guidelines whereas Evernote is not. Google offers an eDiscovery service for legal and regulatory compliance. Evernote, to the best of my knowledge, does not.
You don't mention what field you're in, but if you're working for the government, a medical care provider, a public company, or one of many other regulated fields, your company may indeed be legally obligated to audit and assess the use of third-party services as part of the company's workflow, or prevented from allowing information to be stored with third-parties.
There is also the matter of sharing and company ownership of the information you're working with. In the event that you leave the company - whether because of another opportunity or because of illness or death - the company will likely want to make sure that the core of your work is both backed up and available to other parties, so that the work you did on their behalf remains part of the company. When you set up a private account, when you leave the company, much of your work could disappear. If the cloud service closes its doors - which does happen - or automatically deletes your data, the company will be out of luck.
Finally, a cloud service may be substantially more expensive than using existing company resources. Evernote isn't all that cheap for a business account, and while you personally may feel you're more effective using it, the company likely doesn't want to pay for something that you could technically do - albeit using their workflow - using existing company resources.
As such, there are many valid reasons why a company may ask you to store any information that you're working on on behalf of the company on servers either administered by or fully run by the company - due to security concerns, regulations, contractual requirements, data integrity, contingency planning and price - and not a cloud service. Some companies don't have those constraints or concerns, but many do. It's not just virii that create the kind of concern you're encountering on behalf of the IT department - there are multiple genuine risks that can stem from letting people indiscriminately use cloud accounts.
posted by eschatfische at 3:10 PM on June 25, 2015 [12 favorites]
Many organizations have confidential material that they don't wish to have known by any third parties - this can be anything from employee salary records to trade secrets. In addition, many American organizations are subject to regulations such as HIPAA and Sarbanes-Oxley, which require documented and audited methods in which information flows through a company. HIPAA's privacy rules also prevent the disclosure of private information to third parties.
When an individual sets up a personal account on a third-party cloud service and accesses it through the employer's computing hardware or network, there are many different ways in which confidential material could be leaked, or regulations could be violated:
* Confidential information is stored by the user on the service, making that information accessible by the third parties who run the service
* Security errors on the part of the third-party service can result in a leak of information. In the case of cloud services, those services are generally available from any node on the Internet, and a security related issue cannot be directly resolved or stopped by administrators of the company.
* Use of third party services by individuals using private accounts cannot be effectively audited for regulators.
* A cloud service may move or back up data to a data center outside of the countries or geographic locations that the company is contractually obligated to store information in. This is especially a concern for government contractors.
These issues do not prevent the use of cloud services by a company, but it does restrict their use. For example, upper management may prefer Google over other cloud vendors because Google ensures their services are audited and appropriate for use under HIPAA guidelines whereas Evernote is not. Google offers an eDiscovery service for legal and regulatory compliance. Evernote, to the best of my knowledge, does not.
You don't mention what field you're in, but if you're working for the government, a medical care provider, a public company, or one of many other regulated fields, your company may indeed be legally obligated to audit and assess the use of third-party services as part of the company's workflow, or prevented from allowing information to be stored with third-parties.
There is also the matter of sharing and company ownership of the information you're working with. In the event that you leave the company - whether because of another opportunity or because of illness or death - the company will likely want to make sure that the core of your work is both backed up and available to other parties, so that the work you did on their behalf remains part of the company. When you set up a private account, when you leave the company, much of your work could disappear. If the cloud service closes its doors - which does happen - or automatically deletes your data, the company will be out of luck.
Finally, a cloud service may be substantially more expensive than using existing company resources. Evernote isn't all that cheap for a business account, and while you personally may feel you're more effective using it, the company likely doesn't want to pay for something that you could technically do - albeit using their workflow - using existing company resources.
As such, there are many valid reasons why a company may ask you to store any information that you're working on on behalf of the company on servers either administered by or fully run by the company - due to security concerns, regulations, contractual requirements, data integrity, contingency planning and price - and not a cloud service. Some companies don't have those constraints or concerns, but many do. It's not just virii that create the kind of concern you're encountering on behalf of the IT department - there are multiple genuine risks that can stem from letting people indiscriminately use cloud accounts.
posted by eschatfische at 3:10 PM on June 25, 2015 [12 favorites]
All the points made so far are very good. I'd like to add:
Cloud computing is basically a fancy term for making what used to be your problem into some random company's problem. You might luck out and they might actually have a viable business plan that involves surviving more than a year or two. But in general, it removes your ability to determine the competence with which your information is handled, the security with which your information is stored, and creates a new dependency on an external entity's survival.
In some cases, for example, cloud vendors have gone bankrupt, or failed to provide adequate recovery and redundancy, or have made themselves major security targets. Consider, for example, the recent breach at LastPass. In general, yes, it's really nice to outsource a problem to someone else and "not have to worry about it", but at the same time, you're opening up a whole new can of worms.
posted by jgreco at 3:25 PM on June 25, 2015 [5 favorites]
Cloud computing is basically a fancy term for making what used to be your problem into some random company's problem. You might luck out and they might actually have a viable business plan that involves surviving more than a year or two. But in general, it removes your ability to determine the competence with which your information is handled, the security with which your information is stored, and creates a new dependency on an external entity's survival.
In some cases, for example, cloud vendors have gone bankrupt, or failed to provide adequate recovery and redundancy, or have made themselves major security targets. Consider, for example, the recent breach at LastPass. In general, yes, it's really nice to outsource a problem to someone else and "not have to worry about it", but at the same time, you're opening up a whole new can of worms.
posted by jgreco at 3:25 PM on June 25, 2015 [5 favorites]
Evernote isn't all that cheap for a business account, and while you personally may feel you're more effective using it, the company likely doesn't want to pay for something that you could technically do - albeit using their workflow - using existing company resources.
In addition to what the others have said, it happens with some frequency that software is available under one license/price for personal use and another for commercial use. You could actually open your company up to litigation by using software or services that are purchased personally and used commercially. This is a form of software piracy, and a liability for the company.
posted by Pogo_Fuzzybutt at 3:28 PM on June 25, 2015 [3 favorites]
In addition to what the others have said, it happens with some frequency that software is available under one license/price for personal use and another for commercial use. You could actually open your company up to litigation by using software or services that are purchased personally and used commercially. This is a form of software piracy, and a liability for the company.
posted by Pogo_Fuzzybutt at 3:28 PM on June 25, 2015 [3 favorites]
(I Am a Professional Network Security Engineer)
The problem with these apps is the potential for data exfiltration and loss of company IP and secrets. If you have contractors in your company the problem expounds. if you don't have network access control then you don't know what's on your network connecting and storing data to cloud services. You don't know who is managing the data storage and security in cloud systems. You don't know if the user is "posting to the cloud" and making stuff public or not. You can't really scan for it because the cloud systems will shut down your access if you try to scrape them, and even then the URL's are dynamic and company secrets are always changing and well, SECRET so it's kind of difficult to scan for data on cloud systems because secrets are not always known by the security analyst searching for stuff. OR it's password protected, or it's encrypted.
Basically using a personal cloud service is like using personal email for business. If you have been asked to stop, then stop. If you don't like it, get a new job.
There are services like skyfence and others that act as cloud security proxies to help corporations allow employees to use cloud services, but they tend to cause more problems than they fix overall and employees still get annoyed.
At the end of the day though, you aren't being very professional and if I had to deal with you in a meeting and you acted like that my CIO would fire you on the spot.
posted by Annika Cicada at 3:32 PM on June 25, 2015 [9 favorites]
The problem with these apps is the potential for data exfiltration and loss of company IP and secrets. If you have contractors in your company the problem expounds. if you don't have network access control then you don't know what's on your network connecting and storing data to cloud services. You don't know who is managing the data storage and security in cloud systems. You don't know if the user is "posting to the cloud" and making stuff public or not. You can't really scan for it because the cloud systems will shut down your access if you try to scrape them, and even then the URL's are dynamic and company secrets are always changing and well, SECRET so it's kind of difficult to scan for data on cloud systems because secrets are not always known by the security analyst searching for stuff. OR it's password protected, or it's encrypted.
Basically using a personal cloud service is like using personal email for business. If you have been asked to stop, then stop. If you don't like it, get a new job.
There are services like skyfence and others that act as cloud security proxies to help corporations allow employees to use cloud services, but they tend to cause more problems than they fix overall and employees still get annoyed.
At the end of the day though, you aren't being very professional and if I had to deal with you in a meeting and you acted like that my CIO would fire you on the spot.
posted by Annika Cicada at 3:32 PM on June 25, 2015 [9 favorites]
I Am An Information Assurance Manager, IANYIAM...
...I just want to know if there is something behind what they're saying or if they just talking out of their ass...
Purely pragmatically - it doesn't matter. Once something is 'policy', wherever you go, there you are. You could ask if there is a waiver or exceptions policy paired with that.
Basically using a personal cloud service is like using personal email for business. If you have been asked to stop, then stop.
I pretty much agree. But if you like the company and plan to be around, it could be worthwhile to begin advocating for commercial/enterprise licensing and private hosting. The CIO's office is probably a starting point for this type of dialog.
posted by j_curiouser at 4:04 PM on June 25, 2015
...I just want to know if there is something behind what they're saying or if they just talking out of their ass...
Purely pragmatically - it doesn't matter. Once something is 'policy', wherever you go, there you are. You could ask if there is a waiver or exceptions policy paired with that.
Basically using a personal cloud service is like using personal email for business. If you have been asked to stop, then stop.
I pretty much agree. But if you like the company and plan to be around, it could be worthwhile to begin advocating for commercial/enterprise licensing and private hosting. The CIO's office is probably a starting point for this type of dialog.
posted by j_curiouser at 4:04 PM on June 25, 2015
In a similar position. I work for a Fortune 100 company. I want to use Slack for my team. IT says no, because security. So, you know, no Slack. It sucks, because they make other clunky "enterprise" options available and gaaaaah so annoying. But all I can do is push IT to approve Slack.
posted by chesty_a_arthur at 4:18 PM on June 25, 2015 [2 favorites]
posted by chesty_a_arthur at 4:18 PM on June 25, 2015 [2 favorites]
A lot of good thoughts above - a few thoughts I had
1. Is there a compromise solution here that your bosses would like that still meets your need. For instance "hey bosses - good that you've clarified the security situation and the concerns you have - it makes sense. Realizing efficiency and enablement is also something you want to promote - would a tool like self hosted Microsoft OneNote / Notezilla / etc. be something that you could champion"
2. Does you company have an innovation program? Maybe submit it as an idea with solid reasons why supporting these apps would help. Depending on size of you company maybe it will bypass the roadblocks / go to the right person?
3. Do you work with other companies who use cloud services? ("Hey boss - I appreciate the rule - but our large client X wants to collaborate via cloud tool Y - how can we support this revenue stream and get an exception?")
posted by inflatablekiwi at 5:54 PM on June 25, 2015
1. Is there a compromise solution here that your bosses would like that still meets your need. For instance "hey bosses - good that you've clarified the security situation and the concerns you have - it makes sense. Realizing efficiency and enablement is also something you want to promote - would a tool like self hosted Microsoft OneNote / Notezilla / etc. be something that you could champion"
2. Does you company have an innovation program? Maybe submit it as an idea with solid reasons why supporting these apps would help. Depending on size of you company maybe it will bypass the roadblocks / go to the right person?
3. Do you work with other companies who use cloud services? ("Hey boss - I appreciate the rule - but our large client X wants to collaborate via cloud tool Y - how can we support this revenue stream and get an exception?")
posted by inflatablekiwi at 5:54 PM on June 25, 2015
Yeah, basically what others have said. My company deals with sensitive/proprietary/etc. information on a regular basis and we are not allowed to use any sort of cloud storage services - Evernote, Dropbox, Google Drive, etc. I'm not involved in that decision chain, but I believe for us it's a two-way thing: if you've tied an account to your work computer and some unknown outside devices, there's the potential for contamination of the internal network (e.g., Dropbox syncs a bad file you downloaded at home to your work computer), plus the risk of leaking "sensitive" information (again e.g., you accidentally put PPE in a shared "cloud" folder on your work computer and it's uploaded to who knows where).
We're also stewards of government classified and unclassified-but-sensitive information, and if there's a "spill" then IT wants to contain that as easily as possible.
posted by backseatpilot at 6:57 PM on June 25, 2015
We're also stewards of government classified and unclassified-but-sensitive information, and if there's a "spill" then IT wants to contain that as easily as possible.
posted by backseatpilot at 6:57 PM on June 25, 2015
"The cloud" is actually a server farm somewhere. It's like if you were storing your files on some anonymous FTP server. Not necessarily insecure, but probably inappropriate for certain types of sensitive data.
posted by deathpanels at 3:56 AM on June 26, 2015
posted by deathpanels at 3:56 AM on June 26, 2015
and do note that a number of US gov't agencies have created their own clouds -- as in a big server farm somewhere with an API to access. Usually for secrecy (classified stuff) or security (internal/private networks not connected to the internet). So there are ways to make clouds secure, but the costs go up for it.
posted by k5.user at 7:23 AM on June 26, 2015
posted by k5.user at 7:23 AM on June 26, 2015
This thread is closed to new comments.
posted by H. Roark at 2:49 PM on June 25, 2015 [4 favorites]