"The BYOD [bring your own device] to work issue is huge because now you have devices you don't own trying to access your data over networks that you don't control," says Tom Clare, senior director of product marketing at Websense, a content security vendor.
Jacob Braun, president and COO of Waka Digital Media, a managed security service provider and consultancy in western Massachusetts, says one way to help limit the number of users wanting to run personal devices on the corporate network is to set up policy roadblocks.
These include limiting what they can do on the machine while attached to the network, requiring them to pay for mobile malware protections and confiscating the device if there is a security issue.
But there are legitimate circumstances for giving upper management controlled access through the cloud. Braun's company uses products such as Kaseya's mobile device management module, which is part of the vendors overall IT System Management platform, to gain that kind of control.
Joe Coyle, CTO for Capgemini Consulting, contends that in order to effectively support mobile devices you must make sure your provider's ID management scheme jibes with your internal one.
"They are coming in from everywhere, so if you lock them into their set roles through consistent ID management, then you have a decent shot at making sure they are not getting to data they - or their machines -- don't have rights to," Coyle says.
3. Push your cloud provider to put security in your SLA
Standard cloud service provider service-level agreements (SLA) barely touch on security, so it's a buyer beware kind of situation.
"Make sure your provider is willing to move well beyond simple monitoring of your service usage," says Torsten George, vice president, worldwide marketing at Agiliance, a security vendor that offers governance, risk and compliance services.
Customers have a right to push for insight into a provider's compliance posture, its overall security posture and how it stacks up against benchmarks for best security practices.
"Absolutely push for a custom security SLA," says Jeremy Crawford, CTO of MLSListings, a Silicon Valley-based regional Multiple Listing Service (MLS) that supports over 5,000 brokerages and 18,000 subscribers. Crawford has negotiated security focused SLAs with three public cloud providers. He takes a look at the providers' standard security agreement, but only consents to about 50% of the language in most cases. He pushes for more favorable language relating to visibility into the providers' systems and sets up specific terms about shared liability should there be a breach.
"You've got to have teeth in the contract or you'll have no legs to stand on if there is a data leak," Crawford says.
4. Act quickly
Richard Rees, manager of EMC's virtual cloud consulting services, says enterprises should move quickly on an overall strategic plan for pushing their business process out to the public cloud in a controlled fashion. By doing so, you avoid rogue pockets of public cloud within the companies.
"I am always surprised by how quickly departmental pilot projects morph into business critical applications," Rees says. Due to the relatively low cost of entry into most public cloud applications, the likelihood that they are being used without IT's knowledge is pretty high.
Read more about cloud computing in Network World's Cloud Computing section.