Preventing the commingling of company and personal data means focusing on securing the company data.
Google's new Inactive Account Manager feature has added options and predictability to the process of distributing digital assets when someone dies, or when someone simply stops using the service for a preset period of time. In both instances, there may be implications for companies whose data, either inadvertently or deliberately, is commingled with a person's personal digital assets.
According to Andreas Tuerk, product manager at Google, these personal assets can include: +1s, Blogger, Contacts and Circles, Drive, Gmail, Google+ Profiles, Pages and Streams, Picasa Web Albums, Google Voice, and YouTube. Google's attempt to put a process in place at least tries to handle these situations, whereas in most cases, social media platforms and cloud and other services don't have any processes allowing the owners of data to specify who gets what when they die or stop using the services.
On the one hand, the existence of a process provides the semblance of an orderly transition, but having their data passed on to unknown third parties may not be the kind of transition enterprises want.
"This is a real concern for enterprises because, whether we like it or not, users share a lot of enterprise data through personal social media services," said Andrew Storms, director of security operations for Tripwire, makers of IT security and compliance automation solutions. "Unfortunately, by the time it's discovered in users' accounts there's not much businesses can do. Once corporate data leaves the company's network, it's almost impossible to control. It's not realistic to expect Google to be responsible for filtering the content in abandoned accounts, much less following up with some attempt to find the 'rightful' owners. The only way businesses can address this problem is with realistic, enforceable security policies that nip the transfer of sensitive corporate data to personal accounts in the bud."
Jerry Irvine, CIO of Prescient Solutions, a provider of CIO-level advisory support and on-site IT services, and member of the National Cyber Security Partnership task force, echoed those concerns saying the risks for enterprises are extremely serious because of well-known vulnerabilities with clients using shadow-like applications on their devices that allow them to commingle both their personal and corporate data. He said that's an understood risk, and companies can write security policies and implement procedures to limit or mitigate it. But, he said, with things like Google's Inactive Account Manager it's not only the employee they have to be concerned about, but now other people as well. Irvine thinks this is a little more problematic for the enterprise than if a public platform has no allowance at all for this type of event.
The goal is to minimize or eliminate the movement of company data to consumer-based email and cloud services. While mobile device management and mobile application management tools that also incorporate data loss prevention will move an enterprise close to that goal, many companies are still not using them. For example, the 2013 PMG Cloud Sprawl Survey (available April 29) found that barely half of all survey respondents have policies in place governing the use of public cloud storage services. That spells trouble as the number and variety of mobile devices expand and users connect them to an expanding array of public social media and public cloud services.
Indeed, the PMG survey reveals that more than half of IT professionals expect the unauthorized use of the public cloud will negatively impact operations and resources. So companies are also turning to hybrid clouds.
"Cloud services will continue to expand within companies, in fact this study (PMG's) found 43 percent of IT respondents turn to the cloud because it offers faster deployment," said Joe LeCompte, principal at PMG. "Savvy IT departments are focusing on finding better ways to offer enterprise-grade cloud services to internal users as a way to stem cloud sprawl and safeguard corporate information."
Ultimately, Irvine says it's really about where to focus data security efforts. "In the old days you secured the physical perimeter of your environment, but that physical perimeter doesn't exist anymore," he said. Today's answer he says is data security, and being data centric when setting up security.
By focusing on the data, it doesn't matter if Google or any other cloud-based service or platform decides to implement new policies that affect how data is stored, transmitted, and shared. Options like Inactive Account Manager simply remain a personal data management tool, while enterprise data stays under the company's control.