You are on page 1of 16

Copyright Quocirca 2014

Rob Bamforth
Quocirca Ltd
Tel : +44 7802 175796
Email: 8ob.8amforLh[

Clive Longbottom
Quocirca Ltd
Tel: +44 118 948 3360
Lmall: Cllve.LongboLLom[

!"#$%"& %"&" ()& $%"&"*
!"#$%&"'()*% ,- .&( "*( /.0)- $ ("1" 2$,&') 13 4) 15.&1 &*($'/)*) *% #- $6)0) -) 13

Cctober 2014

1he use of mob||e techno|og|es |n the enterpr|se has grown s|gn|f|cant|y,
but comp|ete organ|sat|ona| contro| has weakened w|th the r|se of
emp|oyees' consumer awareness, cho|ce, and a des|re to br|ng your own
dev|ce (8CD).

W|th a mu|t|p||c|ty of mob||e opt|ons for both persona| and bus|ness use,
management of the key corporate asset - data - becomes cr|t|ca|. Wh||e
the use of c|oud based serv|ces and storage augments and comp|ements
mob||e f|ex|b|||ty wh||e g|v|ng enterpr|se I1 some semb|ance of contro|, th|s
too has been sub[ect to ad hoc adopt|on and needs to be cons|dered
carefu||y to ensure prec|ous data |s correct|y managed and secured.

Quocirca 2014 - 2 -

!"#$%&'(# *%++,-.
!"#$%"& %"&" ()& $%"&"*
!"#$%&#' )*+%#' &*%,$- *. /00'-- $* 1/$/ 2* 3/,14%,43/,1 5%$3 / ,''1 $* 0',$6/#%-' /,1 7%6$"/#%-' $3' 89 0*6': ;'67%0'-< /&&#%0/$%*,
/00'-- /,1 1/$/ /6' 1'#%7'6'1 *, 1')/,1 1%6'0$ $* $3' 3/,1 *. $3' "-'6: =>"$-*"60%,2? $3%- 0/&/+%#%$@ $* / -'67%0' &6*7%1'6 %, $3'
0#*"1 )/A'- -',-': B*5'7'6< $3' A'@ ',$'6&6%-' /--'$< 1/$/< ,''1- $* +' &6*$'0$'1 %, $3' 0#*"1< *, $3' )*7'< /,1 /$ 6'-$< *,
53/$ %- &*$',$%/##@ -*)'+*1@ '#-'?- )*+%#' 1'7%0' /- ')&#*@''- $/A' /17/,$/2' *. $3' *&&*6$",%$@ $* +6%,2 @*"6 *5, 1'7%0'
CDE>FG .*6 5*6A &"6&*-'-: H''&%,2 '7'6@$3%,2 5%$3%, /, *62/,%-/$%*,/# ")+6'##/ *6 ",1'6 89?- #*0A /,1 A'@ %- ,* #*,2'6 /
0*))'60%/##@ 7%/+#' /&&6*/03< -* *62/,%-/$%*,- ,''1 $* 2'$ -)/6$'6 /$ -/.'2"/61%,2 1/$/< +/-'1 *, %$- 7/#"'< 7"#,'6/+%#%$@< /,1

8CD magn|f|es
mob||e secur|ty
lL was always golng Lo be Lough once l1 access devlces became moblle, ouL of Lhe offlce, easy
Lo lose or have sLolen. CperaLlng plaLform numbers have grown and Lhe old model of a
sLandard corporaLe bulld LhaL was applled Lo Cs/lapLops has gone forever. Lmployee cholces
and asplraLlons now mean LhaL almosL any plaLform could appear ln Lhe workplace. l1
managemenL has Lo work ouL ways Lo accepL Lhls whlle sLlll applylng conLrols.
Data, not dev|ces, are
at root of the mob||e
secur|ty cha||enge

Moblle uevlce ManagemenL (MuM) mlghL have been Lhe openlng salvo ln aLLempLs Lo apply
more conLrol, buL Lhe devlce ls noL Lhe prlmary LargeL. Concerns abouL corporaLe daLa securlLy
keep many l1 managers awake aL nlghL, wlLh Lhe rlsk of damaglng employee's personal daLa on
Lhelr own devlce an lmporLanL secondary concern.
Mob||e and c|oud
adopt|on tend to be

Moblle and 8?Cu ls noL a slngle devlce lssue. lL lnvolves a mulLlpllclLy of devlces spread across
all roles ln Lhe workforce, coupled wlLh mulLlple, ofLen-dlfferenL, capablllLy devlces per person.
1hls ls why Lhe flexlblllLy of sharlng and collaboraLlng beLween people and devlces uslng a
slmple user experlence flLs well wlLh Lhe on demand model of cloud sLorage and servlces.
Consumer c|oud
storage |s not a
re||ab|e answer for
Ad hoc lnformaLlon and personal daLa mlghL be readlly sLored ln consumer cloud-based
servlces, buL Lhls does noL necessarlly LranslaLe well for Lhe enLerprlse. lndlvlduals have Lhelr
own preferences and Lhere are plenLy of opLlons Lo fulfll Lhem, buL Lhe buslness needs
conslsLency and securlLy. 1hose organlsaLlons embraclng 8?Cu seem Lo have a beLLer handle
on whaL ls requlred for enLerprlse cloud sLorage.
Lnterpr|se c|oud
storage |s not as
|ocat|on-agnost|c as
|t f|rst appeared

1he orlglnal premlse of Lhe enLerprlse cloud sLorage model seemed locaLlon lndependenL:
access by anyone, anyLlme, anywhere, on anyLhlng, so lL should noL maLLer where Lhe servlce ls
hosLed. 1he naLural reLlcence of Lhose used Lo managlng daLa cenLres and daLa Lhey could 'puL
Lhelr arms around' magnlfled afLer revelaLlons of whaL appeared Lo be governmenL supporLed
eavesdropplng on prlvaLe corporaLe daLa. 1he geographlc locaLlon of where daLa ls sLored and
Lhe counLry of lncorporaLlon of Lhe company sLorlng lL has become an lssue.
Informat|on secur|ty
needs awareness,
d|scr|m|nat|on and
app||cat|on of
re|evant contro|s
1here are many Lools LhaL could be used Lo secure daLa on moblle devlces and cloud sLorage
sysLems LhaL ofLen work ln Landem wlLh Lhem. Powever, a slmple blankeL approach wlll noL
work, lf lL ls Loo secure and flexlblllLy ls losL, users wlll 'work around', Loo lax and preclous daLa
ls exposed. CrganlsaLlons need Lo know much more abouL Lhe conLenL and daLa Lhey are
managlng - lLs purpose, vulnerablllLy and value Lo Lhe organlsaLlon - ln order Lo LreaL dlfferenL
daLa accordlng Lo lLs requlremenLs and use Lools LhaL supporL Lhose requlremenLs.

When Lhlngs become more complex and appear ouL of conLrol or overloaded wlLh opLlons and posslblllLles Lhe besL Lhlng Lo do ls
become more focused. 1he focus for securlLy ln a world of a myrlad of moblle devlces owned and managed by lndlvlduals served by
servlces from remoLe Lhlrd parLles has Lo be on Lhe daLa, noL Lhe shlny devlces, mesh of neLworks, or daLacenLres populaLed by
servers. Safeguardlng daLa for Lhe buslness and lLs processes ls paramounL. 1he role ls noL Lermed 'Chlef 8,.*6)/$%*, Cfflcer'
wlLhouL good reason.

Quocirca 2014 - 3 -

!"#$%&'(#)%" - !!"! $% "&' ($)'
Where aL one Llme l1 could be regarded as well deflned and kepL ln a conLrollable box (albelL ofLen a large server
room), lL ls now hlghly dlspersed and unconLalnable. 1he dlsLrlbuLlon around neLworks sLarLed ln a falrly well
deflned manner Loo, wlLh local area and wlde area neLworks based on secure and proprleLary proLocols buL, once
Lhese opened up Lo Lhe lnLerneL, everyLhlng changed.

SecurlLy has been a key lssue for mosL l1 managers from Lhe flrsL lnLerneL connecLlons by buslnesses. uLLlng
flrewalls ln place wlLh comprehenslve rule seLs, neLwork address LranslaLlon Lo hlde and exLend neLwork addresses
wlLhln Lhe organlsaLlon from ouLslde, and demlllLarlsed zones fronLed by gaLeway servers, were all early moves Lo
help creaLe dlglLal perlmeLers Lo replace or supplemenL Lhe physlcal access conLrol Lo l1 and lLs preclous daLa asseLs.

Powever Lhls perlmeLer, once seml-permeable, has all buL dlssolved. 8oLh physlcally and dlglLally, Lhe use and
sLorage of enLerprlse daLa occurs remoLely from Lhe enveloplng conLrol of l1 Lo exLernal de-cenLrallsed exLenslons of
ln-house l1 servlces, ln Lhe cloud and moblle devlces, ln Lhe hands and pockeLs of users.

MoblllLy would be less of a problem lf l1
exerLed more compleLe conLrol of Lhe end
user devlces, buL ln a world where lndlvldual
cholce, coupled wlLh awareness and comforL
wlLh Lechnology, has soared, consumers
now wanL Lo exLend Lhelr personal cholces
lnLo Lhe workplace as employees.

8rlng your own devlce (8?Cu) ls Lhe ofL-
used shorLhand for Lhe phenomenon, buL lL
goes even furLher lnLo a compleLely
consumerlsed choose your own l1 from
devlces Lo cloud sLorage and soclal medla
Lools for communlcaLlon (C?Cx). l1
managers now need Lo flnd a way Lo proLecL
daLa, whlle accommodaLlng employee
cholce and flexlblllLy.

Cloud provlders brlnglng varlous capablllLles - lnfrasLrucLure, plaLform, and sofLware as-a-servlce - have offered
capaclLy on Lap Lo many organlsaLlons (someLlmes wlLh, someLlmes wlLhouL, Lhe full knowledge of l1) buL reallsaLlon
rapldly dawned LhaL Lhese exLernal provlders brlng dlfferenL and someLlmes addlLlonal securlLy challenges. 1hese go
beyond Lhe baslc proLecLlon and lsolaLlon of daLa from oLher buslnesses and Lhose wlLh crlmlnal lnLenL, buL also
perhaps proLecLlon from belng spled on or exposed Lo dlsLanL governmenLs. Whlle Lhls wlll mosL llkely be equally a
problem wlLh ln-house sysLems, many appear Lo percelve a greaLer rlsk wlLh daLa pushed ouL Lo cloud servlce

Moblle and cloud boLh offer lncreaslng flexlblllLy and adapLablllLy Lo organlsaLlons LhaL embrace Lhelr usage, buL
Lhere wlll always be exLra efforL for Lhose Lasked wlLh managlng l1 and proLecLlng Lhelr organlsaLlon's daLa. 1hls
reporL, based on recenL research conducLed wlLh over 700 l1 managers across Lurope, explores some of Lhe lssues
ralsed ln Lhese areas and some LhoughLs for how Lhey mlghL be addressed.

Quocirca 2014 - 4 -

!"#$%&'() +#$,%& $",-.( ,/( #0-
1he lssue for l1 managemenL ls rapldly becomlng one noL of how much conLrol Lhey can exerL, buL how llLLle power
Lhey have. 1here has for decades been an elemenL of 'rogue' or 'shadow' l1, purchased Lhrough employee expenses.
Powever Lhls ls now no longer Lhe odd deskLop C or lLem of sofLware, buL cloud based servlces aL one end of Lhe
specLrum and moblle devlces aL Lhe oLher. 1he dlfference beLween Lhem ls LhaL aL Lhe moblle end lL ls employees
who are buylng Lhe lLems for Lhemselves and
wlLh mulLlple purposes ln mlnd - consumer
and work - ofLen uslng freely avallable
appllcaLlons and cloud sLorage appllcaLlons.

When employees preLLy much had one Lype
of moblle devlce (Lyplcally a lapLop), exerLlng
conLrol wlLh a sLandard bulld operaLlng
sysLem lmage and a flxed seL of appllcaLlons
was posslble.

Addlng more corporaLe owned and supplled
devlces lnLo Lhe mlx - moblle phones,
smarLphone and uAs - has requlred more
sophlsLlcaLed managemenL Lools, buL lL ls Lhe
personal ownershlp of one or more moblle
devlces LhaL really sLarLs Lo cause problems
(llgure 2).

Many ln l1 managemenL have noLlced LhaL Lhls may have sLarLed wlLh Lhe odd senlor execuLlve saylng l wanL Lo use
my favourlLe devlce" Lo read emall, buL lL has exploded lnLo an appeLlLe and expecLaLlon for any and every
neLworked devlce belonglng Lo Lhe lndlvldual Lo be able Lo perform some work funcLlons.

Lver smarLer moblle gadgeLs are no longer
Lhe preserve of Lhe well-off senlor
execuLlves or geeky early adopLers, Lhey are
avallable, affordable, and deslrable and
almosL everyone wlll wanL aL some polnL Lo
use Lhelr preferred devlce for some of Lhelr
workplace acLlvlLles.

no wonder Lhls ls a slgnlflcanL concern for
many of Lhose Lrylng Lo manage Lhe
slLuaLlon (llgure 3). very few organlsaLlons
have everyLhlng under conLrol, and more
Lhan half have ma[or concerns. Whlle more
Lhlnk Lhey have a handle on Lhe lssue of
conLrolllng Lhe hardware - Lhe devlces
Lhemselves - Lhese concerns rapldly
lncrease when lL comes Lo daLa.

1hls should be no surprlse. AlLhough moblle devlces can be seen as cosLly, desplLe masslve eroslon ln prlces as Lhey
have become commodlLles, Lhe prollferaLlon of use across organlsaLlons has greaLer lmpacL on lndlrecL cosLs -
securlLy, Lralnlng, employee saLlsfacLlon, producLlvlLy eLc. - Lhan ln Lhe dlrecL cosL of Lhe hardware lLself. 1he cosL of
Larlffs ls sLlll a Lhorny lssue, buL here 8?Cu brlngs greaLer complexlLy and poLenLlally greaLer cosLs, dependlng on
how well personal and work usage ls spllL or accounLed for.

Quocirca 2014 - 5 -

WlLh daLa, Lhe problem ls noL only a maLLer of proLecLlng and keeplng Lrack of valuable corporaLe asseLs made
vulnerable by Lhem belng Laken, accessed, or creaLed ouLslde Lhe organlsaLlon's perlmeLer, buL lL ls compounded by
Lhe presence of employees' own daLa and conLenL. 1hls has a value of lLs own Lo Lhe lndlvldual, and Lhe organlsaLlon
has Lo Lake care lLs securlLy conLrols do noL have adverse affecLs on prlvaLe asseLs.

lnformaLlon securlLy and, Lo a lesser exLenL,
devlce securlLy are Lhe Lop concerns, wlLh
all Lhe usual suspecLs - supporL, sLandards,
eLc. - followlng on behlnd.

8?Cu, however, creaLes new concerns
abouL ownershlp and llablllLles, whlch, whlle
noL uppermosL, are sLarLlng Lo appear more
slgnlflcanLly ln Lhe background of l1 Lhlnklng
as an overall concern (llgure 4).

lor l1 managers Lhere are lncreaslng rlsks
from dolng someLhlng LhaL mlghL affecL an
employee's personal possesslons. 1hls ls no
longer a slmple Lechnology lssue, buL one of
Lhe wlder relaLlonshlp beLween employees
and employers and wlll lnvolve llne
managers, P8 and personnel deparLmenLs
due Lo Lhe lmpacL on prlvacy.

8?Cu ls galnlng dlfferenL levels of supporL ln dlfferenL organlsaLlons buL, for Lhe purposes of dlsLlngulshlng beLween
Lhose organlsaLlons LhaL are embraclng lL or noL, Lhose LhaL appear Lo be Lrylng Lo avold Lhe lssue, 'denlers', are Lhe
organlsaLlons who say Lhey do noL llke 8?Cu or Lhey wlll only allow lL ln excepLlonal clrcumsLances.

Quocirca 2014 - 6 -

!""#$%&' )*&+,*! #$% &'(')
All Lhese aspecLs of personal ownershlp mean LhaL Laklng conLrol of Lhe 8?Cu securlLy challenge requlres subLler
approaches Lhan l1 securlLy experLs are LradlLlonally used Lo. Cne consequence of Lhls ls LhaL lncreaslng levels of
conLexLual lnformaLlon need Lo be gaLhered Lo beLLer undersLand any parLlcular user's speclflc clrcumsLances - who
Lhey are, whaL devlce are Lhey uslng on whaL neLwork, and where Lhey are - ln order Lo Lhen lnLelllgenLly apply

1he more compleLe Lhls lnformaLlon, Lhe
beLLer Lhe plcLure, buL Lhere are of course
prlvacy conslderaLlons and poLenLlal legal
lssues. 1hls may resLrlcL any demand for
plnpolnL accuracy of locaLlon lnformaLlon,
buL may also sLlll sway Lhose Lhlnklng LhaL
some locaLlon lnformaLlon mlghL [usL be a
llLLle lnLruslve (llgure 3).

A more LradlLlonal seL of securlLy needs -
ldenLlLy and access conLrol - are deemed
mosL lmporLanL, followed by applylng
cerLaln conLrols and ensurlng good user
educaLlon. Whlle Lhese are lmporLanL, Lhe
Lechnology ls lncreaslngly avallable Lo apply
more flnely Luned conLrol around whaL daLa
mlghL be more senslLlve or vulnerable, and
knowlng when and where lL can safely be
used as well as by whom.

Applylng more granular conLrols, however, also requlres more LhoughL and efforL upfronL. ldenLlfylng whaL
lnformaLlon Lype ls belng accessed ls useful, buL only lf lnformaLlon has been classlfled ln Lhe flrsL place. lL seems
LhaL, Lyplcally, many organlsaLlons are poor aL classlfylng (or someLlmes knowlng) whaL daLa Lhey have and
assesslng lL based on vulnerablllLles and rlsks Lhe daLa mlghL be exposed Lo lf lL were Lo be compromlsed.

1aklng Lhls a sLage furLher and applylng
rules based on who wanLs access Lo whaL
daLa, where, when, and over whlch
neLworks, and from whlch devlces, ls an
addlLlonal level of conLrol LhaL means more
efforL and wlll lnvolve several people
ouLslde Lhe l1 managemenL funcLlon -
noLably llne of buslness managemenL and

lor many organlsaLlons lL ls slmpler Lo apply
Lhe blankeL access conLrols Lhey are already
famlllar wlLh from securlng Lhe use of
lapLops. 1hus vns sLlll domlnaLe, alLhough
now wlLh addlLlonal heed Laken Lo Lhe
securlLy rlsks of relylng on user names and
passwords, and so mulLl-facLor
auLhenLlcaLlon has also become lmporLanL
(llgure 6).

Quocirca 2014 - 7 -

1he average consumer now has Lo deal wlLh many user names and passwords wlLh Lhe hlgh probablllLy LhaL Lhese
seml-secured consumer servlces wlll be accessed from personal moblle devlces also used for work. lL mlghL also be
LhaL oLher members of Lhe famlly may also use Lhem, so lL ls vlLal LhaL organlsaLlons apply beLLer auLhenLlcaLlon Lo
corporaLe servlces accessed by 8?C devlces.

Cn-devlce encrypLlon ls deployed by only a
quarLer of organlsaLlons. erhaps many are
mlndful of Lhe consequences of maklng
mlsLakes on a devlce owned by an employee
and conLalnlng so much of Lhelr personal,
prlvaLe, and valuable (aL leasL Lo Lhem) daLa.

CreaLlng dlscreLe separaLlon, ln Lhe form of
a speclflc conLalner, ls less wldely used aL
Lhls momenL, and lnformaLlon ls also rarely
sLored encrypLed ln Lhls form on a devlce
(llgure 7).

Palf of Lhose who have a pollcy Lo sLore daLa
on Lhe devlce ln lLs own flle sysLem do aL
leasL apply encrypLlon, buL a much smaller
proporLlon use encrypLlon ln con[uncLlon
wlLh speclflc conLalners. 1hls ls sLrange slnce
havlng gone Lo Lhe Lrouble of creaLlng Lhe separaLlon, applylng encrypLlon Lo Lhe lnsulaLed enLlLy would seem Lo be
easler as lL ls cleanly separaLed from Lhe user's personal daLa.

Many organlsaLlons wlll Lry Lo avold Lhe
problem and prevenL lnformaLlon belng
sLored on user-owned devlces buL, [usL llke
everybody else, lf Lhe 8?Cu owner's devlce
ls used for work purposes, lL wlll requlre
access Lo lnformaLlon somewhere.

Where, and how, Lhls ls managed seems Lo
be Lackled dlfferenLly beLween Lhose
embraclng Lhe 8?Cu Lrend compared Lo
Lhose who are reslsLlng lL (llgure 8).

1hose embraclng 8?Cu Lake a much more
acLlve lnLeresL ln how lnformaLlon ls belng
accessed. very few have a full documenL
classlflcaLlon sysLem, buL mosL recognlse Lhe
need for 8?Cu flexlblllLy Lo be comblned
wlLh some enLerprlse conLrol.

Large numbers of 8?Cu 'denlers' on Lhe oLher hand, by noL permlLLlng access Lo corporaLe documenLs from 8?Cu
devlces, lncrease Lhe rlsk LhaL employees wlll resorL Lo uslng consumer cloud sLorage sysLems Lo bypass Lhe
problem. Whlle, ln Lheory, Lhese servlces should be well proLecLed, Lhere are regular lnsLances of breaches reporLed
ln Lhe medla. 1hey are deslgned for consumer lnformaLlon and daLa, whlch may lnclude personally valuable ldenLlLy
daLa and banklng deLalls, buL noLhlng qulLe as valuable or senslLlve as corporaLe daLa. Whlle Lhese are hlghly
Lroubllng and poLenLlally cosLly from a personal perspecLlve lf compromlsed, lL ls noL aL Lhe same level of cosL or
lmpacL as a corporaLe daLa breach.

Quocirca 2014 - 8 -

!""#$%& (")* *+,-,. !" !$% &'"()
1here ls no slngle 'cloud', much ln Lhe same way LhaL Lhere ls no slngle neLwork called 'Lhe lnLerneL'. Cloud, as a
concepL, ls a way of dellverlng servlces, hence Lhe Lerms 'prlvaLe cloud' for cloud-llke servlces dellvered solely for a
slngle organlsaLlon from lLs own daLa cenLre, or exLernally hosLed and 'publlc cloud' for slmllar servlces dellvered
from an exLernal daLa cenLre over publlc neLworks. ln many clrcumsLances, a hybrld of boLh publlc and prlvaLe wlll
be Lhe reallLy.

More moblle and mulLlple devlce usage - wheLher corporaLely or lndlvldually owned - lncreases Lhe need for belng
able Lo access lnformaLlon from mulLlple locaLlons. hyslcally movlng lL from place Lo place Lhrough exLernal medla
- e.g. memory sLlcks - ls now ouL-daLed and, ln any evenL, brlngs many securlLy challenges and Lhe rlsk LhaL Lhe
physlcal medla can be losL.

SLorage of daLa 'ouL Lhere' ln a place LhaL can be accessed from any connecLed devlce, anywhere, has greaL appeal
Lo Lhe lndlvldual and colleagues Lhey wanL Lo share daLa wlLh, boLh wlLhln and beyond Lhe boundarles of Lhelr own
organlsaLlon, buL creaLes many headaches for Lhose Lasked wlLh keeplng everyLhlng secure.

Cfferlngs LargeLed aL lndlvlduals are
Lyplcally publlc cloud servlces. Lmployees
LhaL embrace 8?Cu wlll also embrace oLher
consumer appllcaLlons, whlch may affecL
whaL Lhey use Lo sLore and share daLa.
8?Cu for some wlll also lnLroduce 8?CC -
brlng your own cloud.

llgure 8 showed LhaL 8?Cu 'denlers' sLlll
have Lhe problem of employee adopLlon of
consumer cloud sLorage.

Sharlng personal daLa ln consumer cloud
sLorage servlces has become wldely
avallable, especlally as some plaLforms,
Apple's lCS for example, embed lL as a core
feaLure of Lhe devlce.

1hls wlll ralse Lhe specLre abouL rlsk and vulnerablllLy, and Lhere have been recenL breaches and daLa leakage from
some of Lhese publlc consumer cloud sLorage plaLforms. CfLen Lhls mlghL [usL resulL ln an embarrasslng loss of
prlvacy, buL securlLy credenLlals or personal deLalls can also be compromlsed. 1hls lnformaLlon, especlally en masse,
has commerclal value Lo Lhose LhaL sLeal or explolL lL and so Lhe larger Lhe user communlLy, Lhe greaLer Lhe poLenLlal
for lL Lo be LargeLed.

1here are lncreaslng numbers of cloud sLorage sysLems and Lools movlng Loward enLerprlse grade levels of
proLecLlon for daLa sLorage, whlle sLlll reLalnlng Lhe consumer feel LhaL has won over so many users Lo Lhe concepL.
lor Lhose companles embraclng 8?Cu, enLerprlse shared documenL sLores seem Lo be ln Lhe besL poslLlon Lo
provlde cloud flexlblllLy for employees, whlle sLlll lmposlng sulLable levels of securlLy for Lhe organlsaLlon.

1hese Lools should provlde Lhe addlLlonal conLrols LhaL saLlsfy Lhe demands of enLerprlse l1 managers buL, as soon
as Lhey are percelved as cumbersome by users, Lhey rlsk belng shunned ln favour of consumer alLernaLlves. 1hls ls
where lL ls lmporLanL Lo work closely wlLh 8?Cu employees Lo ensure Lhey undersLand how Lo geL Lhe besL, mosL
secure, and slmplesL use ouL of enLerprlse daLa sLorage sysLems and corporaLe verslons of cloud sLorage sysLems.

Quocirca 2014 - 9 -

8eyond meeLlng Lhe personal sharlng needs of lndlvlduals and Leams, Lhe use of Lhe cloud for sLorage and oLher
servlces has appeal Lo many enLerprlses. Cverall, only around one ln flve companles would avold cloud alLogeLher,
buL Lhe remalnder have dlfferenL aLLlLudes Lo wheLher Lhey would favour a prlvaLe cloud approach or be
comforLable wlLh aL leasL some of Lhelr l1 needs belng served by publlc cloud provlders (llgure 10).

1he plcLure ls even more complex when
looklng aL Lhe dlfferences beLween vlews of
Lhose organlsaLlons ln dlfferenL counLrles
across Lurope.

1here ls sLrongesL relucLance ln souLhern
Luropean counLrles Lowards any sorL of
cloud servlces, wlLh Lhe nordlc counLrles
belng Lhe mosL enLhuslasLlc, and wlLh a
pragmaLlc vlew LhaL a hybrld model wlll be
mosL prevalenL.

SLrlklngly, prlvaLe cloud has much more
appeal ln Lhe uk, and Lo a lesser exLenL ln
Lhe 8enelux counLrles and lberla as well as
Cermany and SwlLzerland (uCP).

Some of Lhe reLlcence Lowards any sorL of publlc cloud servlce wlll no doubL have arlsen as a resulL of recenL
lnLernaLlonal revelaLlons (Snowden eL al) abouL daLa snooplng by naLlon sLaLes, or raLher by Lhelr securlLy servlces.
1hls can, and ln some cases has, lead Lo a breakdown ln LrusL and naLurally wlll resulL ln more scruLlny of Lhose
provldlng producLs and servlces.

LocaLlon has rapldly become an lssue wlLh
respecL Lo Lhe use of cloud, ln parLlcular -
where wlll daLa be sLored and, equally,
where ls Lhe company provldlng Lhe servlce
reglsLered or owned? (llgure 11).

1hls second polnL has become lmporLanL as
Lhere ls a rlsk LhaL 'forelgn' companles
managlng daLa may be requesLed by Lhelr
own governmenLs Lo dlsclose lnformaLlon,
especlally for reasons of naLlonal securlLy -
wheLher real or slmply percelved.

A level of proLecLlon and lsolaLlon ls
appearlng, and perhaps Lhe deflnlLlon of
'publlc' ls no longer as lnLernaLlonal as lL
once was.

1hls wlll sLarL Lo have an lmpacL on cosLs aL some polnL as lL erodes Lhe poLenLlal for economles of scale, buL many
cloud provlders are already well aware of Lhe senslLlvlLles and are endeavourlng Lo ensure Lhey can geo-fence Lhelr
offerlngs Lhrough local daLa cenLres Lo beLLer meeL Lhe needs of all cusLomers.

Quocirca 2014 - 10 -

Lnterpr|se c|oud contro|
Ceographlc consLralns aslde, once Lhe declslon has been Laken Lo use a publlc cloud servlce provlder, Lhere are
slmple quesLlons LhaL can be asked Lo beLLer undersLand Lhe sLraLegles puL ln place Lo mlnlmlse Lhe rlsks and
vulnerablllLy of any daLa belng sLored. Whlle some wlll feel LhaL real physlcal separaLlon ls requlred, Lhe ma[orlLy are
conLenL wlLh some form of vlrLual separaLlon (llgure 12).

vlrLuallsaLlon has become such an lnLegral
parL of daLa cenLre developmenL and
deploymenL LhaL Lhe concepLs and rlsks are
preLLy well undersLood. CuLsourclng Lhe
concepL Lo a cloud servlce provlder ls
Lherefore noL seen as someLhlng LhaL
greaLly lncreases rlsk.

Whlle sllghLly over half of respondenLs
wanLed a separaLe physlcal or vlrLual sysLem
dedlcaLed enLlrely Lo Lhelr organlsaLlon, a
slgnlflcanL percenLage was comforLable wlLh
slmply separaLlng off Lhe daLa. 1hls mlghL
lndlcaLe a hlgher degree of comforL wlLh Lhe
servlce provlder Lhan mlghL lnlLlally be

lL mlghL also lndlcaLe an undersLandlng LhaL noL all daLa ls Lhe same. 1he declslons Laken Lo use cloud servlces are
lncremenLal for mosL organlsaLlons l.e. we wlll move Lhls lnLo Lhe cloud, buL noL LhaL. 1hls dlscrlmlnaLlon beLween
Lhe dlfferenL requlremenLs for dlfferenL daLa seLs and workloads ls lmporLanL buL, unforLunaLely, many companles
do noL pro-acLlvely perform Lhls Lask well ln advance of Lhe need, as can be seen from how few reporLed havlng full
documenL classlflcaLlon sysLems ln llgure 8.

Some of Lhe dlfferences ln vlewpolnLs ln
llgure 12 mlghL be derlved from pasL
personal experlences, buL Lhere appears Lo
be a reasonable level of comforL LhaL servlce
provlders can offer dlfferenL levels of
lnsulaLlon or proLecLlon (once geographlc
concerns of governmenL or leglslaLlve
lnLerference are ruled ouL). 1hls comforL
seems Lo exLend Lo how daLa sLored ln Lhe
cloud should be encrypLed (llgure 13).

1he ma[orlLy are keen LhaL encrypLlon should
be hlgh level - and, glven many hlgh proflle
sLorles ln Lhe medla abouL neLworked
servlces belng hacked, who can blame Lhem
for Lhls LhoughL - buL mosL organlsaLlons are
happy for somebody else Lo be managlng Lhe

Cverall Lhe use of cloud servlce provlders for sLorage adapLablllLy Lo complemenL LhaL of moblle flexlblllLy requlres
some LhoughL, whaL do we need Lo sLore Lhere, how wlll lL be accessed easlly buL securely, and how can lL be made
safe from prylng eyes?

Quocirca 2014 - 11 -

C|oud 8urst

AlLhough lL mlghL seem overly pesslmlsLlc Lo Lhlnk abouL fallure, securlLy and daLa safeguardlng concerns need Lo
fully exLend from Lhe beglnnlng Lo rlghL Lo Lhe very end of a relaLlonshlp wlLh a cloud provlder. SecurlLy, ln parLlcular
Lhe secure deleLlon of daLa aL Lhe end, ls seen as lmporLanL buL, more lmporLanL perhaps, ls Lhe need Lo safeguard
Lhe buslness operaLlons LhaL depend on Lhe daLa.

1hus Lhe prlmary challenge ls how qulckly
can Lhe daLa be recovered and Lhen how
qulckly can lL be moved Lo a dlfferenL faclllLy
and Lhen used once more (llgure 14).

lnLeresLlngly, glven LhaL many of Lhose
lnvolved ln Lhe declslon processes abouL
movlng servlces Lo Lhe cloud focus on cosL
savlng, Lhe loss of money already pald ls noL
a promlnenL lssue.

Slowly buL surely organlsaLlons are sLarLlng
Lo recognlse LhaL Lhe budgeLs and cosLs LhaL
are Lled up ln hardware, sofLware or
servlces are noL as lmporLanL as Lhe value of
Lhe daLa belng managed.

Quocirca 2014 - 12 -

1he growLh of boLh moblle and cloud have a profound effecL on Lhe conLrol LhaL l1 managers have on daLa. 1hls has
become more pronounced on Lhe moblle slde wlLh Lhe surge ln 8?Cu and, on Lhe cloud slde, wlLh Lhe lmpllcaLlons
of whaL Lhe !une 2013 revelaLlons by Ldward Snowden mlghL mean for daLa managed by a Lhlrd parLy.

1he upshoL ls LhaL Lhe secure perlmeLer LhaL organlsaLlons llked Lo have wrapped around Lhelr l1 ls no longer
relevanL or posslble. 1he need for flexlblllLy aL Lhe edge and Lhe core of Lhe l1 lnfrasLrucLure has changed everyLhlng.

So how should Lhose Lasked wlLh securlng and managlng an organlsaLlon's preclous daLa reacL?

CerLalnly noL wlLh denlal.

8?Cu has a momenLum all of lLs own and employees are noL wllllngly (or producLlvely) golng Lo go back Lo Lhe old
days where 'work l1' was clearly dlfferenL and separaLe Lo 'home l1'. Slmllarly ouLsourclng l1 daLa and servlces Lo
exLernal provlders can reduce cosLs and, wlLh cloud on-demand buslness models, can dramaLlcally lncrease
flexlblllLy. 1here are rlsks of course, and new ones may have been made apparenL, buL Lhese can be managed.

1he besL approach ls Lo work ouL how Lo besL manage Lhe lncreased rlsks LhaL go wlLh Lhls lncreased flexlblllLy.

- Scope ouL Lhe problem - whaL ls lL LhaL ls belng puL aL rlsk? ls Lhere any form of documenL or daLa
classlflcaLlon sysLem, and lf noL, why noL? Lnsure Lhe level of rlsk and Lypes of vulnerablllLles are known.

- undersLand Lhe value of daLa - Lhls ls a buslness lssue, noL a Lechnology one. Assesslng Lhe value of daLa
can only be done ln con[uncLlon wlLh Lhe buslness. Pow does lL value dlfferenL daLa dlfferenLly?

- uaLa classlflcaLlon - Lhe appllcaLlon of resources for proLecLlon needs Lo be proporLlonaLe wlLh Lhe value
and rlsk Lo Lhe buslness. uon'L encrypL and resLrlcL access Lo Lhe menu of Lhe sLaff canLeen, buL equally
don'L play fasL and lose wlLh valuable corporaLe asseLs or cusLomer daLa LhaL should be kepL prlvaLe.

- roLecL Lhe process - Lhe value of daLa comes from lLs use, whlch ls Lhe reason why loss of access Lo daLa
can be [usL as damaglng as havlng lL accessed lnapproprlaLely. 8uslness processes LhaL depend on daLa
need Lo be proLecLed, noL slmply Lhe daLa lLself.

1here has been a Lendency Lo address l1 securlLy lssues by addresslng Lhe hardware - locklng lL down, proLecLlng
agalnsL vlruses, conLrolllng seLLlngs, and physlcally barrlng Lhose LhaL should noL be allowed access. 1hls no longer
works ln a world where Lhe edge devlces lncreaslngly belong Lo Lhe lndlvldual users Lhemselves and Lhe sysLems aL
Lhe core belong Lo a Lhlrd parLy, who mlghL also have Lhelr own buslness, as well as Lechnology, agendas. 1he focus
of securlLy has Lo shrlnk down Lo Lhe lndlvldual lLems LhaL hold Lhe Lrue value of l1, 'chunks' or 'ob[ecLs' of
commerclal daLa and proLecL Lhem wherever Lhey mlghL be, aL resL, and on Lhe move.

Quocirca 2014 - 13 -

!"#$%&'( !"#$% '( )*+",-( ! !"#$%&'( *'#+"$
1hls survey looked aL Lhe respondenLs', and Lhelr organlsaLlons', aLLlLudes Lo daLa securlLy around Lhe areas of brlng
your own devlce (8?Cu) and Lhe cloud. 1he research was conducLed wlLh 700 Lelephone lnLervlews of Lhose
responslble for lnformaLlon and daLa securlLy ln Lhelr respecLlve organlsaLlon, across several Luropean counLrles and
reglons (comprlsed of nelghbourlng counLrles) Lo ald analysls and undersLandlng.
1hus Lhe nordlcs lncludes 23
lnLervlews each from
uenmark, Sweden, norway,
and llnland, uCP comprlses 73
from Cermany and 23 from
SwlLzerland, 8enelux 30 from
each of 8elglum and Lhe
neLherlands, lberla 73 from
Spaln and 23 from orLugal.
1here were also a LoLal of 100
lnLervlews each ln uk, lrance,
and lLaly.

ln order Lo allow for analysls of
how Lhe 8?Cu Lrend wlll
develop, a repeaLable sysLem
of scorlng Lhe quesLlons ln Lhe
survey has been developed.
1hls wlll provlde a measurable
basellne score coverlng Lhe
maLurlLy of 8?Cu adopLlon
and relaLed vlews on securlLy,
wlLh 4 ma[or sub-lndlces and
an overall rolled-up lndex.

1he resulLs are shown ln
llgures 13 and 16, wlLh a
breakdown by reglon and
verLlcal markeL. 1he numbers
are generaLed from welghLlng
Lhe answers ln Lhe survey Lo
generaLe an overall plcLure,
and a hlgher number on Lhe
lndex lndlcaLes a greaLer level
of accepLance or lnLeresL ln Lhe

1he role LhaL Lhe cloud plays ln
supporLlng moblle users, and
especlally 8?Cu moblllLy, ls
cruclal. 1hls research looked
furLher aL aLLlLudes Lowards
securlLy concerns surroundlng
Lhe use of cloud.

Demograph|c sp||ts of |nterv|ewees

About Crac|e

WlLh more Lhan 390,000 cusLomers - lncludlng 100 of Lhe lorLune 100 - and wlLh deploymenLs across a wlde varleLy
of lndusLrles ln more Lhan 143 counLrles around Lhe globe, Cracle offers an opLlmlsed and fully lnLegraLed sLack of
buslness hardware and sofLware sysLems.

Cracle englneers hardware and sofLware Lo work LogeLher ln Lhe cloud and ln Lhe daLa cenLre - from servers and
sLorage, Lo daLabase and mlddleware, Lhrough appllcaLlons. Cracle sysLems:
rovlde beLLer performance, rellablllLy, securlLy, and flexlblllLy
Lower Lhe cosL and complexlLy of l1 lmplemenLaLlon and managemenL
uellver greaLer producLlvlLy, aglllLy, and beLLer buslness lnLelllgence

lor cusLomers needlng modular soluLlons, Cracle's open archlLecLure and mulLlple operaLlng-sysLem opLlons also
glve cusLomers unmaLched beneflLs from besL-of-breed producLs ln every layer of Lhe sLack, allowlng Lhem Lo bulld
Lhe besL lnfrasLrucLure for Lhelr enLerprlse.

About uoc|rca

Cuoclrca ls a prlmary research and analysls company speclallslng ln Lhe
buslness lmpacL of lnformaLlon Lechnology and communlcaLlons (l1C).
WlLh world-wlde, naLlve language reach, Cuoclrca provldes ln-depLh
lnslghLs lnLo Lhe vlews of buyers and lnfluencers ln large, mld-slzed and
small organlsaLlons. lLs analysL Leam ls made up of real-world
pracLlLloners wlLh flrsL-hand experlence of l1C dellvery who conLlnuously
research and Lrack Lhe lndusLry and lLs real usage ln Lhe markeLs.

1hrough researchlng percepLlons, Cuoclrca uncovers Lhe real hurdles Lo
Lechnology adopLlon - Lhe personal and pollLlcal aspecLs of an
organlsaLlon's envlronmenL and Lhe pressures of Lhe need for
demonsLrable buslness value ln any lmplemenLaLlon. 1hls capablllLy Lo
uncover and reporL back on Lhe end-user percepLlons ln Lhe markeL
enables Cuoclrca Lo provlde advlce on Lhe reallLles of Lechnology
adopLlon, noL Lhe promlses.

Cuoclrca research ls always pragmaLlc, buslness orlenLaLed and
conducLed ln Lhe conLexL of Lhe blgger plcLure. l1C has Lhe ablllLy Lo Lransform buslnesses and Lhe processes LhaL
drlve Lhem, buL ofLen falls Lo do so. Cuoclrca's mlsslon ls Lo help organlsaLlons lmprove Lhelr success raLe ln process
enablemenL Lhrough beLLer levels of undersLandlng and Lhe adopLlon of Lhe correcL Lechnologles aL Lhe correcL

Cuoclrca has a pro-acLlve prlmary research programme, regularly surveylng users, purchasers and resellers of l1C
producLs and servlces on emerglng, evolvlng and maLurlng Lechnologles. Cver Llme, Cuoclrca has bullL a plcLure of
long Lerm lnvesLmenL Lrends, provldlng lnvaluable lnformaLlon for Lhe whole of Lhe l1C communlLy.

Cuoclrca works wlLh global and local provlders of l1C producLs and servlces Lo help Lhem dellver on Lhe promlse LhaL
l1C holds for buslness. Cuoclrca's cllenLs lnclude Cracle, l8M, CA, C2, 1-Moblle, P, xerox, 8lcoh and SymanLec,
along wlLh oLher large and medlum slzed vendors, servlce provlders and more speclallsL flrms.

ueLalls of Cuoclrca's work and Lhe servlces lL offers can be found aL hLLp://

1hls reporL has been wrlLLen lndependenLly by Cuoclrca LLd. uurlng Lhe preparaLlon of Lhls reporL, Cuoclrca may
have used a number of sources for Lhe lnformaLlon and vlews provlded. AlLhough Cuoclrca has aLLempLed
wherever posslble Lo valldaLe Lhe lnformaLlon recelved from each vendor, Cuoclrca cannoL be held responslble for
any errors ln lnformaLlon recelved ln Lhls manner.

AlLhough Cuoclrca has Laken whaL sLeps lL can Lo ensure LhaL Lhe lnformaLlon provlded ln Lhls reporL ls Lrue and
reflecLs real markeL condlLlons, Cuoclrca cannoL Lake any responslblllLy for Lhe ulLlmaLe rellablllLy of Lhe deLalls
presenLed. 1herefore, Cuoclrca expressly dlsclalms all warranLles and clalms as Lo Lhe valldlLy of Lhe daLa presenLed
here, lncludlng any and all consequenLlal losses lncurred by any organlsaLlon or lndlvldual Laklng any acLlon based
on such daLa and advlce.

All brand and producL names are recognlsed and acknowledged as Lrademarks or servlce marks of Lhelr respecLlve

This report has been written
independently by Quocirca Ltd
to provide an overview of the
issues facing organisations
seeking to maximise the
effectiveness of todays
dynamic workforce.

The report draws on Quocircas
extensive knowledge of the
technology and business
arenas, and provides advice on
the approach that organisations
should take to create a more
effective and efficient
environment for future growth.