Is Google compromising your cloud data security?

A lightning bolt going through a cloud

Posted on Tuesday, February 7, 2017

A new security flaw discovered by researchers at a Swiss telecom provider has underscored the importance of choosing business grade cloud services. According to the Swisscom report, unauthorized parties are able to gain access to data stored in the hosted file service Box.com using nothing more than a Google search.

The problem with consumer-level security

As well as storing and syncing files, Box.com is intended to simplify the process of sharing data with other users. Users select files or a folder and use the supplied tool to email their collaborators who receive a link back to a public landing page on Box.com.

So far so good. The security problem arises when these links become public knowledge. If the links are shared and used often enough, they can come to the attention of Google’s spiders, eventually appearing in search results.

Even more worrying for the CSO/CTO are Box’s default security settings at the file level. Unless users remember to manually adjust file access permissions, they are sent with the service default – full permission to read, write, edit and delete.

A disaster waiting to happen

So far there have not been any reports of businesses falling victim to Google indexing of Box.com landing pages – but the potential for trouble definitely exists. As the weak link in any IT security system, your users represent the most significant risk – particularly if they are expected to apply permissions themselves. Just 9% of businesses feel protected against insider threats.

It is little surprise that CTOs have resisted consumerisation of their infrastructure – B2C technology often trades security for simplicity. And that could be incredibly costly if intellectual property or sensitive data is leaked - or exposed unintentionally by Google.

Hybrid cloud to the rescue?

For maximum control of corporate data and sharing, CTOs could do worse than investigate a hybrid cloud alternative. Under this scenario, sensitive data is stored in house, with the option to “burst” processing and storage into a secure, enterprise-grade cloud service when required.

This hybrid cloud model can be further simplified through the use of intelligent software defined storage infrastructure in house, providing additional flexibility when managing changing access and retention needs. Better still, businesses can redeploy their existing storage – including post warranty gear – to provide additional capacity at no additional cost.

Whichever way your business chooses to proceed, consumer-oriented solutions like Box.com are unlikely to provider the security you need.

Next steps

For more help and advice, please get in touch.