Jul 17 2013

Forget BYOD — Bring Your Own Cloud Is a Much Bigger Security Threat

Cloud software is the latest threat to networks and data on campus.

Software is the new hardware. Bring your own device (BYOD) programs have become prevalent, though few are officially sanctioned by colleges. In fact, just 24 percent of higher ed CIOs indicate that their college has a BYOD policy.

The fact that BYOD puts networks and sensitive data at risk is an issue. But the danger has more to do with the software running on the devices than the actual hardware. This is exactly why universities should be shifting the conversation from mobile devices, such as smartphones and tablets, to software. BYOD is a disorganized mess, and before the majority of colleges can even get a handle on it, bring your own cloud (BYOC) is knocking on the door.

A perfect example is Dropbox. They have become one of the most popular cloud-syncing services in the world. With 175 million users and an impressive 0.29 percent share of global bandwidth, the service has an increasing responsibility to keep users — and the networks they connect to — safe. The bigger Dropbox gets, however, the more of a target it becomes to hackers. As their security liability increases, so does the obligation of IT departments to keep their users safe.

But it’s not just Dropbox. Other products, like Box, Google Drive and Microsoft SkyDrive, offer similar syncing services. Many additional cloud services are accessed on campus everyday, including email, calendars and social media sites. Complicating the issue is the fact that most users sync their files with home computers, tablets and smartphones that connect to other networks.

Where should colleges draw the line?

Embrace the Cloud but Proceed with Caution

The simple truth is that colleges cannot — and should not — prevent their students from using cloud services. These tools are extremely valuable, and while they do pressure colleges to upgrade security, the tools lessen the schools’ burden to supply similar functionality. As Ken Hess wrote on ZDNet, “The solution to the problem is as complex as the problem itself.”

It's impossible to tell users who bring their own devices not to use personal cloud services. It's very difficult to prevent users from using those services inside the corporate network. The company can ban the Internet sites, ban the app from the corporate MDM or MAM suite, and can even write policies that ban the use of personal cloud services for uploading and storing corporate files. But, as any good corporate security professional knows: People are very creative in bypassing security.

Users are always the weakest security link in an organization. People either inadvertently or purposely bypass security as a matter of fact. Personal cloud services make that process easy.

The Key to Cloud Security Is Communication

Because security relies on user behavior as much as it does on a robust security strategy, it’s vital that colleges communicate their policies and best practices to students and faculty. After all, if users don’t know right from wrong — and the lines are increasingly blurry — they won’t be able to make smart decisions about which apps to use and what data to sync.

Our BYOD reference guide goes into greater detail about launching and maintaining a safe program. In the meantime, here are a few tips for communicating BYOD policies to your users:

  • Get out in front of the issue. IT is no longer a silo. It has infiltrated every aspect of learning, communication and productivity. Seventy-six percent of colleges don’t have a BYOD policy, and that is no longer adequate. Embrace IT in university-wide communication by engaging students in ongoing conversations about technology and security.
  • Remind students that they are accountable. With great power comes great responsibility. Free cloud syncing counts as great power, especially when it’s free to users. Along with this power is the responsibility to use it in a way that doesn’t endanger other users. This means students must abide by the rules set forth in the university’s official BYOD policy. However, if there is no policy, it’s nearly impossible to hold anyone but the college administrators accountable.
  • Keep your resources current. Blogs and social media are great ways to publish security resources for students. Remember that these resources should be simple, transparent and accessible. Avoid IT jargon and complex language. Resources that get to the point and are always current will be extremely useful.

How is your college tackling BYOD and BYOC? Let us know in the Comments section.

Collection Mix: Subjects/Thinkstock

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.