Q&A: Where businesses are going wrong with cloud security

Data security and data protection are areas that can't be ignored in the modern business landscape that is filled with cyber threats a-plenty.

We sat down with Patrick Heim, Head of Trust at Security at Dropbox, to discuss how the industry is developing and where businesses are going wrong with cloud security.

1. What lessons did enterprises learn from 2015 in terms of data protection and security?

One of the big lessons is that moving to the cloud — if executed properly — can be a great way to reduce risk. If you look at recent security incidents like the Office of Personnel Management breach, they're happening more often in cases where organisations are trying to keep and manage everything in-house. But companies are finding that this approach doesn't often scale. Most organisations have neither the resources nor expertise to manage today’s growing array of internal and external security risks.

By contrast, major cloud services, for their very survival, have to build and evolve the infrastructure and expertise needed to secure massive amounts of data for millions of users. When an organisation leverages the built-in risk mitigation of a well-established cloud service and integrates it with security tools that are customised to meet the organisation’s needs, it can effectively scale the IT security department and maximise both visibility and control.

2. How do you think the public perception of data privacy has shifted?

Consumers and businesses have a choice in the services that they use, so the concept of being able to trust your most important information with that service is becoming increasingly relevant and important to consumers as they explore their options. A first step in selecting the right cloud solution is to look into the company’s history to see how transparent it is and how strongly it advocates for its users.

People who are shopping around for a cloud service should be paying attention to whether services are transparent about how they work with governments and law enforcement, and whether they have third-party validation that they practice what they preach in terms of data privacy.

3. What are your thoughts on the Apple-FBI encryption debate?

Companies have the right to provide trusted products and services to its users. Dropbox does not support the use of authority to undermine the security of a company’s products.

4. Dropbox for Business recently achieved ISO 27018 certification. How much work did it take to achieve that and why is it an important milestone for Dropbox?

Building a culture of trust and making things secure is a lot of work but is fundamental to what we do and our philosophy as a company. We have been building a strong foundation since Dropbox started and this certification was a great recognition that we’ve been doing the right things.

5. Where are companies still going wrong with cloud security?

There are companies and tech leaders that still view the cloud as the enemy - they may feel that they have lost control and visibility and want to regain it by locking or limiting what employees in their organisations can do. This is a fundamentally limited way of thinking about the cloud.

Instead, companies should assess both the positives and negatives from a security and risk perspective. They should also measure the value to employees, i.e., how much more efficient, agile, and productive are employees when they receive access to a wide variety of tools. This sets a tone for a company’s culture and enables them to attract the brightest and best to an organisation. On the flip side, this value does need to be balanced with some of the negatives, including the perceived lack of control and security.

When we look at the security evaluation piece, not all cloud providers are the same. There shouldn’t be fear of well established, known providers, who have gone through the security process and third-party certifications. There needs to be a shift in thinking — from block and control — to looking at how employees are using tools and what is making them more productive, and then figuring out a way to make those environments safe.

Innovative companies are adopting the “commercial” versions of popular consumer products. There are a variety of security vendors that are helping companies “make it safe” by giving companies more visibility into and control of the cloud solutions its employees are already using. This way, you’re able to balance the risk with the benefits to employees, such as increased productivity, flexibility, and enablement.

6. How do you see the industry developing throughout the rest of 2016?

The landscape of security threats is becoming increasingly broad, and the degree of expertise needed to solve any one security problem is becoming higher and more specialised. It will be important for companies to have a secure foundation combined with custom third-party solutions to enable a business to meet its particular security needs.

Instead of seeking a one-size-fits-all solution to address all of a company’s security needs, we’ll continue to see companies trend towards creating a strong security ecosystem where different solutions and providers all interconnect to provide a security foundation that is greater than the sum of its parts.

Photo Credit: Jirsak/Shutterstock