Many departments try to save money and time by deploying cloud computing services on their own, without the involvement of IT. A recent report from security experts shows why that’s a bad idea.
Often, those rogue cloud computing deployments involve storage services. Employees may use unapproved cloud storage applications to store documents so they can be worked on from multiple locations, or to share information among co-workers.
Typically, those employees turn to consumer-grade applications, such as the popular Dropbox, which may not have the security controls IT would like to see.
The security and privacy issues with Dropbox were on display last year, when a Dropbox employee’s account was compromised, leading to the breach of a document containing user email addresses.
Cloud storage at risk
A paper released recently by two developers, Dhiru Kholia, with the Openwall open source project, and Przemyslaw Wegrzyn, with CodePainters, shows another way to compromise Dropbox accounts.
Basically, the developers were able to reverse engineer the code for Dropbox and write an open source client used to access accounts.
From there, they used code injection techniques to intercept SSL data and bypass Dropbox’s two-factor authentication.
While the report focuses on Dropbox, the developers said they were also able to use similar techniques to get around the security restrictions in other cloud-based storage systems.
The lesson for businesses: There are a lot of options out there for cloud computing services, but not all of them have the right security controls in place to protect sensitive corporate data.
That’s why it’s a good idea to write a company-wide cloud computing policy that includes restrictions on deploying cloud services without IT’s input or approval.