The cloud computing evolution is well entrenched, and has made significant changes to how organizations share, sync, edit, create and collaborate-on content. However, this computing revolution is a double-edged sword. There are benefits—increased computing power, ease-of-use, and new flexibility in the case of cloud computing. However, these new features and benefits also bring new difficulties and risks. The security risks alone are enough to make any government agency cringe.
For IT departments, these new risks typically emerge as security vulnerabilities. Attackers are quick to exploit design flaws or architectural weaknesses that can be used to steal data, sabotage networks, or siphon funds. Over time, vendors and customers discover these flaws and weaknesses—usually the hard way, by discovering that they have been exploited—and fix them.
For government agencies, the race to contain new threats is definitely on. New cloud risks are sweeping through departments as mobile devices emerge as the computing form factor of choice for federal workers. Employees are not just bringing a single device to work, either. A recent survey by iPass found that the typical mobile worker now carries 3.5 mobile devices, which might include any combination of smartphones, laptops, and tablets.
Recognizing that employees love their devices and won’t leave them home, a number of agencies have formally adopted BYOD policies, and the Federal CIO Council created a mobile computing decision framework, to support agencies who were looking to introduce this new technology into their workflow. Employees can now store business data and do work on their own mobile devices, rather than just on those officially provisioned by their company.
So what does this mean for the teams and administrators responsible for network security?
New Security Risks
To assess the risks of cloud computing, we need to consider everything from data contamination to user habits to the activities of criminal syndicates. The blurring of personal and business computing is creating special challenges for government agencies, such as:
Security as an Afterthought
Consumer devices like iPads were not designed with rigorous data security in mind. Many mobile devices either lack advanced security features or have them disabled by default. Even basic features such as screen locks are turned off, and most users leave them that way. And if a laptop is brought from home by an employee, it will also not have the rigorous security settings that an agency device would have, introducing the risk of data leakage or hacking into the agency network.
Today, an employee’s vacation photos are likely to reside on a smartphone or tablet that the employee brings also uses for work. The photos, and other content, share storage space along with confidential business data when the employee logs into agency networks. Never before has personal data mixed so freely and casually with business information.
This combining of data introduces new risks to the enterprise. Through carelessly configured back-ups or file copies, personal content might accidentally end up on corporate file servers. Worse, personal files that contain malware might spread to business files and from the mobile device to internal file servers and other enterprise assets.
New Forms of Malware
New forms of malware targeting devices are on the rise, especially for mobile. IBM predicts that mobile malware will grow 15% annually for the next few years. Hackers and criminal syndicates realize that most mobile devices are less secure than more traditional devices like laptops. They have begun targeting mobile devices for attacks ranging from mischievous pranks to advanced persistent threats that stealthily copy internal data over many months, transmitting it to remote control centers on the world.