Public WiFi plus cloud file sharing

Ben Kepes writes about an infosec panic:

Bitglass, a company that is all about protecting organizational data, wanted to see the impacts of widespread use of public wi-fi, alongside the use of unsanctioned file sharing solutions…
…Bitglass’ threat research team tested two real-world scenarios—public wi-fi use and sharing of data from within a cloud app. The assumption being that the combination of public (and, one assumes, at-risk) wi-fi and cloud file sharing apps (shock, horror, cue the “cloud is risky” FUD) would deliver a double blow of cataclysmic risk.

Source: Public WiFi plus cloud file sharing: A recipe for InfoSec panic? « The Diversity Blog

Kepes goes on to talk about his experience of using public wi-fi. He says he uses it a lot and never runs into trouble.

That makes sense. But it misses something. Kepes is motivated. He owns a business. He has enough experience, knowledge and sense to steer clear of obvious traps.

You, I and Kepes might be sensible. You can’t assume everyone using an enterprise computing app on a mobile device will be as careful or as savvy.

No amount of training or awareness programmes changes that.

Public WiFi, risky, not too risky

Organisations are at risk from careless use of public WiFi. As Kepes points out, the level of risk might not be high.

There is a simple way to deal with the risk. Build VPN functionality into every heavy-duty mobile enterprise app. That way users have a secure, encrypted end-to-end link from their mobile device to the server handling their data.

VPNs are not expensive and they are not hard to build. They don’t impose much of a performance overhead.

Enterprise software companies can absorb the cost, a few cents per month, into their pricing model. It makes sense to guarantee security with an insurance policy against data being hijacked between a mobile device and the server.

Kepes’ point is that spreading fear, uncertainty and doubt undermines cloud computing. In general, cloud is more secure than older computing models. You might not expect cloud infrastructure vendors to address mobile access risks, but it should be a priority for an enterprise SaaS business.