Google Drive Makes It Official: You MUST Plan for Risks of Cloud Storage

When Google gets behind a technology, it's a safe bet that your staff members are going to be using it sometime soon, with or without your supervision or consent.


And so this week's formal announcement of Google Drive, the search giant's latest push into cloud services targeted directly at storage, has security officers and risk managers wondering how best to tackle the inevitability that users will soon be sending sensitive corporate information off to Google with little thought for compliance, leakage, uptime - all that fun stuff.

First off, let me say that cloud services in general fall into an overlap between the formal disciplines of security and risk management. Corporations essentially decide whether or not they want to allow users to employ services like Google Drive, and then set out to implement guidelines and preventative measures, as warranted. That's mostly security with a little governance thrown in for good measure.

You can view anything as a cost/benefit curve, of course, but risk managers tend to find the fact that data is being managed entirely outside the corporate umbrella a little frustrating, if not unnerving. This evergreen advice column at Risk Management Magazine lists the fact that not all data can be subject to consistent governance standards as a major risk with cloud storage. (It also frets about the possibility that your vendor may go out of business, which is probably not going to happen with Google.)

With Google Drive, the most imminent risk is a consumer-grade solution being employed for storing and transmitting what might be pretty juicy info. This post from security vendor Sophos specifically addresses the issue of encryption and how clumsy, albeit possible, it can be with Dropbox, a leading cloud storage service that Google is targeting with Google Drive. The author concludes that a centralized solution for encryption key management and reporting (which Sophos happens to produce) to be used with bring-your-own-service (BYOS) cloud storage tools is probably a better solution for business.

Another option is to just implement a soup-to-nuts cloud storage system of your own and block use of consumer options through data loss prevention or other blacklisting tactics. Richard Edwards, principal analyst with Ovum, sent us a press release this morning saying that he sees "an inevitability" in the use of consumer cloud services, regardless of what IT says or does, and so giving users the carrot of a user-friendly option may be a smart move. (You can see a re-work of the press release here.)

Regardless of the final solution IT decides on, risk managers at least need to be able to cite the issues associated with consumer or dedicated cloud services, including storage. (The InformationWeek piece we pointed to earlier in this post notes that Drive is really little more than an extension of Google Docs - in all cases, you are trusting your data to somebody else.)


Both this piece at and our own Paul Mah note that most cloud services rely on simple, static passwords for sign-on - well below even SMB networking best practices. Paul also smartly warns that having your data physically stored across the globe may open a weird matrix of legal regulations - no fun for your compliance office - and that cloud storage should be viewed as a single backup, from a disaster recovery perspective. Be sure to check out his post.
