Infosecurity Europe: make exceptions to the principles for Dropbox, says Telefonica

The head of policy for the mobile operator Telefonica claims security personnel can find the right way to allow consumer cloud storage into the company network and make exceptions to the foundations.

Telefonica will make exceptions on the subject of popular cloud storage products, along with Dropbox, to take a look at to maintain visibility in their users.

The head of policy and company reporting for the parent company of Orange, Julian Jeffery, claimed security couldn't remain the ‘no guys' with such services, but had to be open with employees and are available to a compromise.

“It's all concerning the security culture,” he told SC Magazine at this week's Infosecurity Europe conference at Earls Court. “These services are great technologies which may help [employees] but we're not sure in the event that they are secure.

“Now it's about how we get the message out to people concerning the risk [and] that they themselves can torpedo the full organisation, despite the fact that they believe they're [using the services] for the neatest of reasons.”

Telefonica's approach is to encourage employees to come back to it with the service they would like to make use of and agree in what cases or with what data this is allowed, ensuring high levels of productivity, coupled with the required security.

“If they need to take advantage of these technologies, we [ask them] to come back to us and we do a risk assessment with them,” said Jeffrey.

“If it truly is something which may be used but perhaps is against policy, we put something in place and set some exceptions up.”

He admitted it was doing this with services that will not adhere to the firm's own privacy policies, but it surely was better to understand what was getting used and installed limitations.

“[Users] are happy because their jobs aren't at the line, however the company knows the danger,” added Jeffrey. “We must be quickly attentive to put it into [action].”

Andrew Hay, senior security analyst on the 451 Group, was more wary of such services, telling SC that businesses had to be accustomed to the hazards they posed. While he could see the advantages of the system Telefonica had installed place, he did question whether other organisations could emulate it.

“This method is nice for mature organisations, but for immature ones with a two-person IT team, i will not see it happening,” he said.

Talking a few university he consulted with, Hay said it had only one policy in place when he arrived and only added a different, despite all his warnings.

“Having someone come down and propose a case as to why you want an application is all [well and] good, but some organisations just tell them to head ahead and use it and would worry about it later,” he added.

But Jeffrey argued it was a “risk-based thing” and different bodies may have different pressures.

“A university is some thing, but when you're in a competitive market or regulated, with the consequences for your company of getting data breaches [being more serious], this is way more of a compelling argument that you simply can't let it happen,” he concluded.

“What you assert is correct, but this does work for mature companies and i'm lucky that I work for one.”