This is the fifth installment of The Top 10 Quick-Tips for Shoring Up Your Cloud Data Security. Last time we looked at the need to extend DLP policies to data in/going to the cloud and this week we look at some of the hidden cloud security risks of open source code sharing sites.
Top 10 Quick-Tips for Shoring Up your Cloud Data Security
Tip #10: Ensure consistent egress policies across regions
Tip #9: Don’t rely on URL categorization services for cloud access policy enforcement
Tip #8: Carefully monitor cloud policy exceptions for misuse
Tip #7: Don’t neglect Data Loss Prevention (DLP) for the cloud
Tip #6: Prevent the loss of IP through code sharing sites
Everybody has IP in their code now
Coding is not just for software companies anymore. Companies in every industry – financial services, transportation, media, manufacturing, healthcare – all rely heavily on developers to create internal software that keeps their businesses running and provides an advantage over the competition. Much of the code developed is proprietary, but companies are increasingly leveraging open source code to support their development.
Don’t get me wrong – the open source movement is great and is here to stay (sharing is caring?). That being said, there are some hidden risks people need to know about in order to use open source code without endangering their organization’s intellectual property. One risk is that you may be downloading malware and incorporating it into your code, but this article examines the other side of the issue – code that is uploaded, and the risk of IP loss in doing so.
Risky T’s & C’s
Popular cloud services for sharing open source code include GitHub, SourceForge, and Codehaus among many others. Most developers understand that, based on the terms and conditions of these sites, when they contribute code to an open source project, that code can become open source itself and that if the code is proprietary to their organization, their organization has lost exclusive legal rights to that code. Nonetheless, it happens and it happens a lot.
Enterprises block the wrong services
In our recent Cloud Adoption and Risk Report, we found that, similar to patterns found around file sharing services, enterprises are blocking the IT development services they are most familiar with, not the services that present the most risk. For example, GitHub, a popular open source development site, is blocked 21% of the time; Codehaus, a much riskier open source development site, is blocked only 1% of the time.
How to leverage open source safely
The key to leveraging open source safely is not “just block it”. Rather, you should take a measured approach. First, you need to understand which code sharing services your developers are currently using. Then, leverage a cloud service registry to identify the best low-risk services, and promote the use of those rather than the high-risk alternatives. Next, look at directionality, distinguishing data that is uploaded from data that is merely downloaded. In doing so you’ll minimize the risk of IP loss and ensure that your code remains your code. Finally, manage ongoing use and make sure you receive alerts when something anomalous, such as a large upload, occurs.
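The four steps above can be run as a single pass over web-proxy logs. The following is an added example, not code from the original article or from any vendor product: it parses a handful of constructed proxy log lines, lists destination hosts that are not yet in a (hypothetical, illustrative) cloud service registry, splits each registered code-sharing service’s traffic into uploaded versus downloaded bytes, and raises an alert for any single request that pushes more than a threshold amount of data outward. The host names, risk ratings, users and byte counts are all made up for the demonstration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of web-proxy log lines (not taken from the article).
# Fields: timestamp, user, destination host, HTTP method, bytes sent, bytes received.
SAMPLE_LOG = """\
2014-03-03T09:12:01Z,alice,github.com,GET,812,204811
2014-03-03T09:14:37Z,alice,github.com,POST,5128,1033
2014-03-03T09:20:05Z,bob,codehaus.org,GET,640,98233
2014-03-03T09:21:44Z,bob,codehaus.org,POST,7340032,2210
2014-03-03T09:30:12Z,carol,sourceforge.net,GET,700,15022
2014-03-03T09:31:09Z,dave,wiki.example.net,POST,2048,900
"""

FIELDS = ["timestamp", "user", "host", "method", "bytes_sent", "bytes_received"]

# Hypothetical cloud service registry: host -> (service name, risk rating).
# Ratings are illustrative placeholders, not a published assessment.
SERVICE_REGISTRY = {
    "github.com": ("GitHub", "low"),
    "sourceforge.net": ("SourceForge", "low"),
    "codehaus.org": ("Codehaus", "high"),
}

# Request methods that carry a body from the client to the service.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def parse_log(text):
    """Parse CSV proxy log text into a list of event dicts with integer byte counts."""
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["bytes_sent"] = int(row["bytes_sent"])
        row["bytes_received"] = int(row["bytes_received"])
        events.append(row)
    return events


def unknown_hosts(events):
    """Step 1: hosts seen in traffic but absent from the registry, for analyst review."""
    return sorted({e["host"] for e in events if e["host"] not in SERVICE_REGISTRY})


def directionality_summary(events):
    """Steps 2-3: per registered service, split traffic into uploaded vs downloaded bytes.

    'Uploaded' counts request bytes of body-carrying methods only, so the headers
    of ordinary GET requests do not inflate the data-leaving figure.
    """
    summary = defaultdict(lambda: {"uploaded": 0, "downloaded": 0, "risk": None})
    for e in events:
        if e["host"] not in SERVICE_REGISTRY:
            continue
        name, risk = SERVICE_REGISTRY[e["host"]]
        entry = summary[name]
        entry["risk"] = risk
        entry["downloaded"] += e["bytes_received"]
        if e["method"].upper() in UPLOAD_METHODS:
            entry["uploaded"] += e["bytes_sent"]
    return dict(summary)


def large_upload_alerts(events, threshold_bytes=1_000_000):
    """Step 4: flag single requests pushing more than threshold_bytes to a code-sharing service."""
    alerts = []
    for e in events:
        is_upload = e["method"].upper() in UPLOAD_METHODS
        if e["host"] in SERVICE_REGISTRY and is_upload and e["bytes_sent"] > threshold_bytes:
            name, risk = SERVICE_REGISTRY[e["host"]]
            alerts.append((e["user"], name, e["bytes_sent"], risk))
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("Unregistered hosts to review:", unknown_hosts(evts))
    for svc, s in sorted(directionality_summary(evts).items()):
        print(f"{svc:<12} risk={s['risk']:<4} up={s['uploaded']:>9} down={s['downloaded']:>9}")
    for user, svc, sent, risk in large_upload_alerts(evts):
        print(f"ALERT: {user} uploaded {sent} bytes to {svc} ({risk}-risk service)")
```

The threshold is deliberately a parameter: what counts as a “large” upload differs between a team that pushes build artifacts all day and one that only reads documentation, so the value should come from a baseline of your own traffic rather than a fixed number.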