Is IBM Right to Ban Access to Cloud Applications?


IBM recently announced they had banned employees from using cloud-based applications including Dropbox, Apple’s iCloud and Microsoft SkyDrive. Even Siri on the iPhone is on the list since spoken queries could be stored and accessed by third parties.

The ban has been implemented following IBM’s policy of allowing employees to use their own devices. Personnel working outside the office could use their own hardware rather than depending on that provided by the company.

The policy did not reduce costs. It created new challenges since the software wasn’t controlled by IBM and many employees were unaware of the potential security risks of file sharing, open wifi and webmail systems. IBM’s primary fear was that confidential commercial information could be lost — especially when many of the popular solutions are operated by their direct competitors.

The Cloud is Inherently Risky

It doesn’t matter what claims are made, web-based applications have always been a security risk (as recently demonstrated by LinkedIn). Few of us know where our data resides, how secure it is, or who can look at it. Even if you did know, your data is still sitting on a publicly accessible network; it’s a target for snoopers.

The only real security is the volume of data stored. If someone managed to access Dropbox’s back-end, it may be difficult to identify files belonging to a specific user. Locating a juicy document within many petabytes of data wouldn’t be easy.

Reading Between the Lines

I’m a little skeptical about IBM’s announcement. If you’re really concerned about security, the last thing you do is reveal company policies. IBM claim to have banned Dropbox so you can guarantee a number of confidential documents were sitting on Dropbox’s servers at some point. They’re possibly still there.

In addition, IBM is an IT consultant — with their own cloud solutions offering “security-rich virtual environments”. In other words, you should consider hiring IBM because they understand the cloud and your company’s security concerns. Although it’s not stated directly, IBM has raised doubts about the services run by their competitors.

It’s a clever piece of indirect marketing which I’m helping to spread further!

You Can’t Stop Human Nature

In my opinion, IBM’s cloud-banning policy won’t work. If they expect employees to work outside the office, those people must copy confidential documents from IBM’s systems and put them elsewhere. If cloud applications are banned, employees will simply copy files to laptops or USB drives. Is that more secure?

IBM’s employees used Dropbox and other cloud applications because they were practical. It doesn’t matter what security protocols IBM puts in place; people will find ways to circumvent those policies if it makes their working lives easier.

Does your company restrict cloud usage? Have you experienced data loss or security breaches using a web application? Comments welcome…


  • http://www.martinbean.co.uk/ Martin Bean

    I don’t get what they’re trying to do? It’s backwards: more and more things are going towards this cloud. If they want employees to stop accessing online services they may as well just cut the cable to their buildings.

  • http://blog.wyattbarnett.net Wyatt Barnett

    Do you know anyone who works at IBM, Craig? I do and you’ve got a few facts wrong. First, everyone at IBM has a company issue laptop which is the only way to hook up to the corporate network. You can’t just install a VPN client and go. Things are locked down so that at best your manager will get a notification you plugged in a thumb drive. Furthermore, most of the “cloud” services you speak of have been running in some form inside IBM for years. They really did invent this stuff and they have the resources to post private versions of things as they become required. It is a totally different world than that of small web consultancies and the businesses they support.

    • http://www.optimalworks.net/ Craig Buckler

      Thanks Wyatt.

      So why did Jeanette Horan, IBM’s chief information officer, announce the ban on cloud applications if they weren’t being used?

      • Eric

        Craig,

        I am in the same camp as Wyatt. When I am at my company and using their resources I have no right or business using social media (unless representing the company in an official capacity), or connecting their computer to my personal cloud accounts. You are just asking for astronomical problems if you do.

        I imagine Horan was addressing an issue all large enterprises deal with. I can assure you at my job I am repeatedly reminded routinely of our corp code of conduct that does in fact address much of the above.

        I enjoy your articles, but to Wyatt’s point, until you are responsible for more than a thousand IT assets you are not in a position to comment on this with expertise. In fact I would be wary of purchasing anything from SitePoint if this is your corporate attitude.

      • http://www.optimalworks.net/ Craig Buckler

        Eric,

        Organizations and Government departments lock down desktops. That’s understandable. However, you cannot then expect employees to work in their own time on their own hardware without losing some control. In this case, Horan admits staff were using applications such as Dropbox (although Wyatt claims this is not true).

        Cloud apps were banned so IBM effectively reverted back to locked environments. Again, I have no problem with that policy assuming IBM no longer expects users to work on their own devices.

        So IBM has publicly stated that cloud solutions are inherently insecure (which they are). Why do they continue to sell them?

  • http://www.webtutorialplus.com Gunjesh Kumar

    It’s perfectly fine for IBM to ban access for cloud applications. As you have rightly said, the cloud data is never safe and there is always some security risk. If an employee wants to change his job, he or she can easily put the sensitive information on cloud and access it afterwards.

    Most companies these days take many steps to control breach of sensitive information – like disabling USB drives, scanning external emails, restricting websites and applications, etc.
    I think banning cloud application is a correct step to protect sensitive information.

  • http://www.leachcreative.com Andrew

    IBM isn’t going to get anywhere with that policy, the only thing they’ll get is alienated employees, who learn to hide what they are doing better.

  • eric

    Craig,

    I now see where you are coming from. First item I will grant you if the enterprise lets you use your own device for work then they lose full ability to dictate what goes on a machine. They do still have the ability to dictate where you go while VPN’ed into their network.

    Second IBM certainly is not dumping on the cloud’s security as much as they are trying to get in front of users having an avenue to easily snag private information and remove it from their sphere of control.