Everyone in the enterprise sphere has heard of the BYOD (Bring Your Own Device) concept: employees use their own mobile devices (smartphones, tablets) at work for business purposes. While business leaders have been discussing the pros and cons of this concept, another trend has appeared: BYOC (Bring Your Own Cloud).
BYOC means the use of third-party cloud storage and application services (e.g. iCloud, Google Drive, Evernote, Dropbox) by employees to perform their job duties in the enterprise. Moreover, they are registered with these services as private users, not corporate ones. At home or at work, you probably use some of these cloud-based apps every day.
The BYOC concept is becoming more and more popular thanks to the benefits it brings to businesses. Sometimes organizations encourage the use of free cloud services as a way to reduce the operational costs of IT services. For ordinary users (employees), the following BYOC benefits are compelling:
- Seamless access to documents and applications from any device and any location;
- All data is backed up in the background, with no need for configuration and no disruption to the person’s workflow;
- The services are usually free or have a nominal cost.
One of the biggest downsides of the BYOC concept is that it is really difficult for an organization to control BYOC services, which are usually hosted by a third-party provider and owned or controlled by employees. Employers simply have no right to prohibit the use of a particular cloud service. This can lead to serious security problems, as confidential information may end up online, even unintentionally.
According to an article by Christina Von der Ahe and Daniel Corbett of Orrick Herrington & Sutcliffe LLP, numerous cases reflect this problem. For instance, the cases below illustrate the potential pitfalls employers face in crafting use parameters that permit employee flexibility while fully addressing the risks of cloud computing and BYOC policies:
- Toyota Indus. Eq. Mfg. Inc. v. Land (S.D. Ind. July 21, 2014): an engineering design manager, David Land, worked in one of Toyota’s production facilities and had access to proprietary technical, commercial and financial data. Land announced his resignation, but did not share that he had accepted a position with a rival company. Using the cloud service Google Drive — and in spite of a comprehensive confidentiality agreement — Land appropriated hundreds of Toyota’s confidential documents and continued to access these documents after his employment with the rival company began. Toyota sought and obtained an injunction on Land’s continued rival employment until he gave up possession of the documents.
- Frisco Medical Center LLP v. Bledsoe (E.D. Tex. Nov. 30, 2015): As Frisco employees, both Cynthia and Michael Bledsoe had access to “confidential and proprietary information, trade secrets, and patient healthcare information.” Both resigned. Thereafter, three separate digital forensic investigations revealed that the husband-and-wife team had used Dropbox to appropriate thousands of confidential documents immediately after Cynthia Bledsoe accepted a prospective position with a different company. These documents included “peer review information, [Frisco’s] monthly operating costs, employee information, and patient medical records.” The district court granted Frisco’s motion for summary judgment on its numerous claims.
- De Simone v. VSL Pharmaceuticals v. Exegi Pharma LLC (D. Md. Sept. 23, 2015): following an acrimonious dispute over ownership of intellectual property related to bacteria, CEO Claudio De Simone performed “wipes” on the company-owned servers and computers and transferred nearly all of VSL’s corporate documents to his private Dropbox account. Thereafter, De Simone refused to divulge the information to the company, which eventually filed suit in district court. Although the trial court ultimately concluded that De Simone’s actions had not constituted “theft” of trade secrets, it granted injunctive relief to speed release of the hostage documents.
Besides these stories, the use of BYOC brings up the following issues:
1. Increased complexity: “Having a number of unmonitored and unauthorized services running on your network introduces vulnerability and complexity to your infrastructure that must be brought under control. IT teams who are already struggling to rein in the complexity of their data center due to IT tool clutter and poor capacity planning now find themselves trying to monitor and manage services that are running in a domain outside of their control,” writes Zenoss’ Chris Smith in InfoQ.
2. Straining of resources: corporate networks often cannot handle the surge in document sharing via cloud services, which leaves less bandwidth for routine daily work.
3. Cloud “sprawl”: when employees don’t use the same tools, collaboration is hampered and work efficiency drops.
What to do?
Some people don’t see any problem with the BYOC trend; many organizations, however, don’t want to put up with the situation. One of the most common ways out is to sign an agreement with a vendor or to buy a business version of a cloud service. Most free cloud services have “business” packages that introduce a personal-enterprise cloud approach, in which employees control their personal accounts while the enterprise has full control over enterprise cloud storage.
It is not possible to stop the blurring of boundaries between personal and business activities. 75% of U.S. consumers said they were planning to use personal cloud services in the near future, and 72% said they planned to use them for both work and personal document storage.
It is high time for companies to define their position on this issue: whether or not to allow employees to use private cloud spaces for file sharing and, if so, how to protect sensitive data from being stolen or leaked.