BYOD. If that acronym doesn’t strike fear into the heart of every chief exec or finance director, it should. Short for “Bring Your Own Device”, there’s been a proliferation of new technology that’s taken the business world by storm; the tablet. More portable than a laptop, more connected than a mobile phone, these cross-over devices are incredibly popular, and rightly so. The flexibility they provide is truly amazing. Give a presentation, take photographs, jot down notes on the move, browse the internet, use business email and make calls, all from one easily transported device.
Some companies support these devices through their IT departments. Many don’t, but employees – especially those with a technical bent who like the latest & greatest in hi-tech gizmos – will purchase their own, and cross over from personal use to using them in their business lives. It’s a cost the employee bears rather than the company, it improves productivity and everyone’s happy, no? What’s not to like about this?
A lot. I’m going to focus on one big issue for businesses; the location where your company’s employees store your company data.
Location, location, location
There’s a new “killer app” out there, and it’s the free cloud storage offered by a number of companies; Google Drive, Microsoft SkyDrive, Apple iCloud and Dropbox to name but a few. All offer several gigabytes of free cloud storage, and larger amounts for very small additional costs. And they have plenty of takers; in November 2012, Dropbox announced it had 100 million registered users.
The reason for the uptake is simple. There will be a large number of these users that are storing pictures of their cute cat or who they saw for dinner last night, so that the limited storage on their tablet or phone goes further; and with download speeds available, storing them on the cloud doesn’t add much to the time taken to retrieve them. They’re the modern equivalent of the USB stick, often appearing as a fully synchronized and always available directory or folder on the device.
If it were just pictures of cute cats…
“Where exactly is our data?”
Increasingly, employees are storing business data on the cloud. Spreadsheets of sales, confidential company plans, personal information about suppliers, customers, contacts; a lot of company information is landing up – well, where exactly? We know it’s in the cloud somewhere, but is it even legal?
The short answer is no. Much of this is not legal, far less desirable.
There are strict limits that certain jurisdictions place on what data can be stored where. For instance, the EU and its member countries have laws that do not permit personal data to be stored where privacy can’t be guaranteed. According to a recent study (Data jurisdiction in cloud storage – are you compliant? May 2012)
… an exclusive Computing survey of more than 100 senior IT strategists across most types and sizes of enterprise reveals that a staggering 46 percent of them admit to not knowing if their organisation is legally allowed to store or process data outside of the EU – such as in common partner locations like the US or India… http://www.star.co.uk/Resources/Downloads/Data-jurisdiction-in-cloud-storage-are-you-compliant1
Outside the geography of the EU, there are some obvious places where you’d be foolish to store your data; Iran or China for example. But a large number of these free cloud services end up storing data outside the EU. The list of countries where EU generated data can be stored legally is remarkably short, and notably, it doesn’t include the US or India. It would also appear that the number of UK companies that are aware of this important restriction is equally short. This is a serious problem, and with the EU proposing more legislation in 2014 to toughen up and make uniform all the current national laws, it’s set to be a bigger problem.
The first piece of advice that I can give is – get a lawyer. Even though you may not support BYOD in your company, and even though you might strictly warn off your staff from storing company data on them or in the cloud, believe me, it happens; and your company is liable. A good lawyer can help you set policy and educate both users and IT departments about best practice, and can help with the next important step; developing your own private, company specific and legal dropbox-like facility. Since it’s happening now, you may as well do it properly now.
Privacy on the network
What will be required, regardless of the model chosen to support your business & legal needs, is security of communication between the device and the cloud storage. Encryption and VPNs (virtual private networks) are essential to ensure that your data isn’t subject to “man in the middle” attacks while using public networks. And you’ll need the involvement of your employees. They’ll need to load specific software on their devices, and you’ll need to ensure it’s done. It has to be easy too; if it’s too difficult to use, they’ll return to using their own cloud storage, with all the risks that it entails.
A private cloud
The first thought might be to invest in a private cloud. Many storage vendors are now offering cloud storage, and some make available “dropbox”-like software functionality for a wide range of devices, either as part of the storage solution or in concert with other vendors. These are an attractive option if you have an IT department able to support them; and they can be used for other purposes too, such as application storage, for backups and application data. With a private cloud, you can be sure that you’re compliant in where your data is located.
A public trusted cloud
Google and other public cloud storage providers are now providing “model contracts” with guarantees that EU data will be stored inside the EU. That may not be enough for some classes of data, but it may suit your business needs and be adequate. In such an environment, the service provider makes available a multi-tenant solution; your company stores data with other companies, with a guarantee of data security and isolation between tenants.
What is absolutely sure is that your existing contracts with 3rd party suppliers won’t be up to the task of covering the potential issues; most of them are service agreements (a duty of performance) rather than licence agreements (the duties of responsibility and limitations). Many may surprise you with their very broad interpretation of copyright, and the ownership and use of content stored on their clouds.
The hybrid cloud
As the name implies, a hybrid storage cloud uses a combination of both public and private storage clouds. For example, a company may elect to store their sensitive data in the private storage cloud, while utilizing the elastic capacity and cost-effective public storage cloud for the storage of less sensitive data. Another example arises in conjunction with hybrid computing clouds: the data from an internal storage cloud can be made available (replicated) to a public storage cloud for cloud computing tasks that need to access the same data that is available internally. Ramping web-based services up and down based on demand falls into this category. And a combination of public and private clouds can be used to implement storage tiering, with lower cost tiers being implemented by a public cloud provider for data that no longer needs the latency of local access.
Hybrid implementations are often useful for archiving and backup functions, allowing local data to be replicated to the public cloud, thus lowering storage costs. Though hybrid clouds require more IT management than pure-play public clouds, many vendors offer rules-based solutions that enable simplified management across these resources, allowing development of customized solutions that balance cost benefits with security, legality, performance, capacity and so on.
These varieties of cloud storage, and some of the other benefits and considerations of cloud storage, are presented in some detail in a white paper available from SNIA at http://www.snia.org/sites/default/files/CSI_Private_Hybrid_Cloud_White_Paper_final.pdf. You can also find tutorials on cloud architectures at http://www.snia.org/education/tutorials/2012/fall#cloud
About those cat photos…
If you’ve got to the point of implementing a legal and secure cloud system for managing your employees’ use of their BYODs, you’re probably wondering; what data should be allowed on the corporate system? Given that you want your employees to use your service, I’d let them store their personal stuff on your company-provided cloud. After all, you don’t want accidents where company data ends up with personal data on unmanaged cloud storage because you’ve banned all use outside of work and users find it easier that way.
But do take care. Not everything that gets stored on the cloud is innocuous. While giving a lot of leeway, get legal advice on AUPs (acceptable use policies) and be as flexible as you can manage. As long as it’s decent, legal and reasonable (in other words, no pornography or ripped music tracks), let them store what they will, including the photos of the cat.
For more information about SNIA and Cloud Storage, please visit www.snia.org/forums/csi and http://snia-europe.org/en/technology-topics/technology-communities/cloud-storage/index.cfm