Infosecurity Europe: Telefonia say Dropbox needs exceptions from security policy

The head of policy for the mobile operator claims security can find how you can allow consumer cloud storage into the company network and make exceptions to the foundations.

Telefonica will make exceptions by way of popular cloud storage products, like Dropbox, to attempt and keep visibility in their users.

The head of policy and company reporting for the parent company of Orange, Julian Jeffery, claimed security couldn't stay the ‘no guys' with such services, but had to be open with employees and are available to a compromise.

“It's all in regards to the security culture,” he told SC Magazine at this week's Infosecurity conference at Earls Court. “These services are great technologies that may help [employees] but we aren't sure in the event that they are secure.”

“Now, that is about how we get the message out to people concerning the risk [and] that they themselves can torpedo the total organisation, even supposing they suspect they're [using the services] for the good of reasons.”

Telefonica's approach is to encourage employees to come back to them with the service they wish and agree in what cases or with what data it may be used, ensuring high levels of productivity, coupled with the required security.

“If they need to apply these technologies, we [ask them] to come back to us and we do a risk assessment with them,” said Jeffrey.

“If that's something which may be used but perhaps is against policy, we put something in place and set some exceptions up.”

He admitted they were doing this with services that won't adhere to the firm's own privacy policies, but it surely was better to grasp what was getting used and installed limitations.

“[Users] are happy because their jobs aren't at the line, however the company knows the danger,” added Jeffrey. “We need to be quickly conscious of put it into [action].”

Andrew Hay, senior security analyst on the 451 Group, was much more wary of such services, telling SC companies had to be aware about the dangers they posed. Whilst he could see some great benefits of the system Telefonica had installed place, he did question whether other organisations could emulate it.

“This method is sweet for mature organisations, but for immature ones with a two person IT team, i can't see it happening,” he said.

Talking a few university he consulted with, Hay said it had only one policy in place when he arrived and only added yet one more, despite all his warnings.

“Having someone come down and propose a case as to why you'd like an applications is all [well and] good, but some organisations just tell them to head ahead and use it and would worry about it later,” he added.

But Jeffrey argued it was a “risk based thing” and different bodies can have different pressures.

“A university is something, but when you're in a competitive market or regulated, with the results for your company of getting data breaches [being more serious], it's far more of a compelling argument that you simply can't let it happen,” he concluded.

“What you assert is correct, but this does work for mature companies and i'm lucky, I work for one.”