IT just turned off iCloud Drive and syncing. Feels like I had the rug pulled out from under me

BAD IT departments are like this, but Good IT departments are ambushed by Shadow IT which has not been procured through the correct processes, so they make strategic decisions with all of the best intentions in the world, based on the information they have, but then the OP is blocked from using a sync they’re not aware of. IT departments are also asked by Senior Leadership teams and Board to put reasonable controls in place to stop attacks and data leakage.

Working in Information Security, I can see both sides of the argument.

5 Likes

This.

I worked at a place where the development team had to support a user-created system, which duplicated functionality in our actual system, because it had become so ingrained. We were actually forbidden to add features to the real system because they would ‘break’ the shadow system. We were incredulous.

We would need to devote resources to debug a system that had no documentation, was never tested, had no source control, was edited in production, and at times was responsible for lost data. But it was our fault when things didn’t work. I bailed. And that company is no longer in business (senior management left quite a bit to be desired).

4 Likes

Exactly this.

In the past it was Excel “Databases” and Access databases. These days it’s SaaS services, IFTTT and other linking services, and buying software on credit cards.

So please be kind to your IT/Info Sec/Cyber Security teams. They’re making changes with all of the best intentions, but they may have no idea that Joe Bloggs has implemented Text Expander for the Support team (looks like a key logger to anti-malware), or that the finance team are using 1Password with local vaults synced via Dropbox (a classic method of stealing data).

2 Likes

I do not know your exact situation, but you might want to consider first whether your current workflow complies with your company’s rules (if there are any), before you complain about your broken workflow to somebody else in your company.

This happened to me a few weeks ago, no notice or consultation, it just stopped working. Initially I thought it was a fault, but quickly realised that in Settings the box had been unchecked, then I could confirm in the MDM profile information that this policy change had occurred.

I believe the core issue is that people had been asked not to store work data on iCloud Drive as it isn’t approved for use, and doesn’t offer data sovereignty, a key requirement for our business.

Corp IT are suggesting they are going to review this decision, but I highly doubt it. Sadly this is the progression of corporate lockdown of devices; as macOS is still fairly new to them, they are slowly crippling the OS. So far Corp IT have also disabled iCloud Keychain.

I’ve been thinking about using another sync service to replicate data across iCloud Drive and OneDrive, as we are still able to use personal OneDrive spaces.

Sadly I fear this will get worse.

I did not store company info on my personal iCloud Drive. But sometimes it was handy to access my personal information during the day. Have they blocked the icloud.com website?

Apple does a good/great job of securing their hardware, but iCloud isn’t designed for business use. If Optimize Mac Storage gets turned on (which happens every time I update macOS) then files don’t get backed up. That alone is enough to prevent me from using it. This may change but, IMO, not as long as Apple continues to pay Google and Amazon something like $700,000,000 per year to store iCloud data.


It must have been this IT.
In all seriousness, I feel your pain. Different cloud, same data loss.

Hope you sort it out quickly.

Surprisingly the work devices are so burdened by security apps that my 2020 Mac Pro runs slower than my 15 year old laptop. :man_shrugging:

I’m on the other side of this (I’m the head of information security for my employer). I use iCloud Drive for my personal stuff extensively, but there is absolutely no way that I’d sanction its use in our workplace. From a corporate security/records management point of view, iCloud Drive is not a “secure” service and the risks we would incur would not be acceptable. That’s kind of moot though, because its use here is proscribed by privacy legislation.

On the other hand, there is no way that our IT department would make such a decision either; deciding things like that is not their job.

As unpopular as the idea may be, the trend is for less and less data to be resident on endpoint devices. The aggregate risk of having important or critical data spread out over thousands of devices in users’ hands (or cloud services with whom you don’t have formal agreements), coupled with a threat landscape that’s evolving at an accelerating pace, is too high to be acceptable.

That sounds harsher than I mean for it to be, but a proliferation of personal workflow solutions that rely on unsanctioned cloud services along with the collective efforts of various nefarious actors are driving me to keeping several Kentucky distilleries in business :stuck_out_tongue_winking_eye:

ETA: Just turning something like this off without explanation or communication is disrespectful, regardless of the reasons. Upsetting people in this way rarely serves the cause of security.

7 Likes

I get this and I’m sympathetic.

But in my experience most company data isn’t mission critical. Many people are doing things where DIY automations, etc., are probably more helpful than harmful. Isn’t there a way to protect the really valuable stuff and be less locked down on other stuff? (Genuine questions.)

That might be true, but who is deciding which is critical, and which is not?
And how do you handle the separation of those data…?!

2 Likes

But the president of a company has a different view of what must be kept confidential than I do. No one cares what I think. It is the invisible tech security people who take the heat when the company president’s sensibility is triggered.

Good questions. At my last company we had traditional file servers with directories for individuals, groups, and departments. Several Windows/Linux/Unix application servers and an IBM midrange computer that ran our CRM, Payroll, Personnel, and Accounting. And access to everything was restricted to authorized users only. For example, as the I.T. director I had admin/root access to all the hardware but I did not have access to any of the applications on the IBM. So, IMO, each bucket of information was pretty locked down.

But, for example, our accountants had an Excel plug-in that allowed them to authenticate and query the accounting application on the IBM. Once that data was loaded into their spreadsheet, should they choose, they could email that information to anyone, or upload it to iCloud or Dropbox, etc. Or just send it to another employee that wasn’t authorized to have the information. That is one reason companies are locking things down and/or moving to the cloud.

Google and Microsoft have ways to keep information from being shared with unauthorized users, but for that to work you have to close other access points. You have to protect your data from careless employees just as much as you do criminals.

1 Like

Not to mention the other “interest” both companies might have, to disclose competitors from their market… :thinking:

And yet … anyone with a smart phone can take a shot of the screen and send it wherever they want, at their leisure (not from work networks), with WhatsApp or Signal…

I just wonder how much is security theater, succeeding in preventing the casual misdeed, but doing little to prevent the more damaging kinds of corporate espionage.

I also recognize that my understanding of digital security is limited enough that I don’t really have enough information to answer that.

If that’s a concern then you either apply controls that prevent it from happening, apply compensating controls that reduce the risk to an acceptable level, or make an informed choice to accept the risk.

I think it’s also worth observing that there’s an enormous difference between people deliberately breaking rules/behaving with malice, and unintentionally risky behaviour. The latter can (and should) be dealt with by a combination of communication, policy, education, and technical limiting.

And the occasional termination.

Sure, the same can be said of the “we can see you naked” scanners at the airport.

But it’s not ‘security theater’ when you adopt the best technology and practices you can afford. And then hope some clueless user or ‘the rules don’t apply to me’ executive doesn’t click on a malicious link and bring everything down.

Finding a balance between security and convenience isn’t easy.

2 Likes

That is fortunately a problem of the past…

1 Like