Friday, 24 August 2012

Camera+Cloud = Long-term security risk

While it is now clear to the whole world that what happens in Vegas no longer stays in Vegas, the problem of rapid and often automatic uploading of images is something that needs to concern everyone. Phone cameras have long been of concern to security officers, but attempts to ban them in the workplace have largely failed outside of military or heavily regulated premises. Holding images of work documents and information on the phone was bad enough, but now many people with smartphones will have some automatic cloud upload enabled.

I've used phone, tablet and real cameras extensively for years to record whiteboards, and recently there has usually been a crowd of people doing the same. It saves taking notes and provides an undebatable, unambiguous record of at least what was written down. It means that whiteboards can be wiped down immediately, which seems like a good, secure thing to do.

Having those images immediately available on the laptop is handy too - it means that you can type them up easily, email them to colleagues or upload them to project tools like Huddle, IdeaPlane or Chatter. Or accidentally upload them to Facebook along with little Suzy's birthday party pictures.

And once on the cloud - whether public or private - they stay there. Until recently Apple's iPhoto Stream did not even allow deletion of images. Dropbox automatically uploads images, as do other similar services. Android has Instant Upload for Google+. So a typical personal iPhone with access to a personal Dropbox, work-related Egnyte, and a configured Photo Stream could end up with at least three copies of the photo. "At least" because each of those services will diligently copy the file to each and every device on which it is configured: laptop, desktop, tablet.

Apple's Photo Stream is a particular issue here, as deleting a copy from one device does not remove it from the others the way it does with the file-sharing systems. A user with an iPhone, iPad and Macintosh will have to delete the same image three times, making it easy to leave some behind. Android's Instant Upload is a little easier in that it only creates an on-line copy, but again this will not be removed when the handset copy is deleted.

Unlike the Minox-toting secret agent, most staff will be blissfully unaware of this, but consider disgruntled employees coming across a forgotten shot of a confidential whiteboard on their own iPad after having returned a work iPhone. Lots of potential for trouble.

Since the BYOD cat is out of the bag in many companies, certainly for senior staff who can afford smartphones, it is not clear if prevention is possible. Reminders, education, policy and contractual protections all help until better management tools arrive.
