S 5.158 Use of web disk space
Initiation responsibility: IT Security Officer, Head of IT, Supervisor
Implementation responsibility: User
Disk space made available by Internet providers is referred to as web disk space (or online hard drives). Customers are assigned web disk space by a web provider in order to store files for the longer term and to access the data easily via the Internet. Mobile employees in particular appreciate this option, because they are able to access their data from any location quickly and without any restrictions. These services are also readily used to exchange larger amounts of data. However, this entails a high risk, because access to external storage options makes it more difficult to control data flows.
The protection of data confidentiality depends not only on whether data communication and storage are adequately protected and secured at the provider, but also on which external IT systems the data is retrieved from, what happens to it afterwards, and where it is stored again.
Typical problems include, for example:
- Employees use external web disk space in order to retrieve company-internal data in an Internet café or in another company. If the information transmitted (both authentication and user data) is not protected and secured adequately, unauthorised persons can subsequently also access other company-internal data stored there.
- An employee retrieves data from home in order to process it at the weekend. Because his private PC is infected with malicious software (malware), the processed files also become infected.
The availability of the stored data depends on several factors:
- Availability of the Internet connection and the systems at the provider. In the case of longer-term storage of data, the provider's business model must also be examined in order to assess whether continuous operations and constant prevailing conditions can be guaranteed.
- Speed of the connection: If the web disk space is to be used as the storage location for the data backup, not only the time required to transmit the information to be backed up to the provider is important, but also the time required to restore the data backup. For a professional data backup, most other backup solutions within your own organisation are faster and easier to control (and possibly also more cost-effective).
The way web disk space is handled should be regulated clearly in every organisation. In this respect, there are several variants:
- Organisations can decide to generally ban the use of web disk space. The employees must then be notified of this. In addition, this ban can be supported by technical means, i.e. using filters regarding known providers. In this respect, however, one should be aware of the fact that users can always find new ways to access such services.
- The organisation can officially approve the use of web disk space for business purposes and define appropriate general conditions for this purpose.
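A ban supported by filters on known providers, as in the first variant above, can be checked against proxy logs. The following added example is not part of the safeguard; the log format, the placeholder domains and the upload threshold are constructed assumptions. It matches hosts against a provider list on label boundaries and, because users can find new services that are not on the list, also reports large uploads to unlisted external hosts.

```python
from collections import defaultdict

# Constructed placeholder values, not real providers or real policy figures.
BLOCKED_SUFFIXES = {"webdisk.example", "onlinedrive.example"}
INTERNAL_SUFFIX = ".corp.example"          # assumed internal DNS zone
UPLOAD_ALERT_BYTES = 50 * 1024 * 1024      # assumed review threshold

# Constructed proxy log lines: user, method, host:port, bytes sent by client.
SAMPLE_LOG = """\
alice CONNECT files.webdisk.example:443 1048576
bob CONNECT intranet.corp.example:443 2048
carol CONNECT notwebdisk.example:443 4096
dave CONNECT share.newhost.example:443 73400320
alice CONNECT ONLINEDRIVE.EXAMPLE.:443 512
this line is malformed and is skipped
"""

def normalise_host(hostport):
    """Drop the port, lower-case the name and strip a trailing root dot."""
    host, sep, _port = hostport.rpartition(":")
    if not sep:
        host = hostport
    return host.lower().rstrip(".")

def is_blocked(host, suffixes=BLOCKED_SUFFIXES):
    """Match whole DNS labels so 'notwebdisk.example' is not a false hit."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def audit(log_text):
    """Return (hits on listed providers, bulk uploads to unlisted hosts)."""
    hits, sent_total = [], defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # ignore lines that do not fit the assumed format
        user, _method, hostport, sent = parts
        host = normalise_host(hostport)
        if is_blocked(host):
            hits.append((user, host))
        elif not host.endswith(INTERNAL_SUFFIX):
            sent_total[(user, host)] += int(sent)
    bulk = sorted(k for k, v in sent_total.items() if v >= UPLOAD_ALERT_BYTES)
    return hits, bulk

if __name__ == "__main__":
    listed, unlisted_bulk = audit(SAMPLE_LOG)
    print("listed provider access:", listed)
    print("bulk upload to unlisted host:", unlisted_bulk)
```
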
In any case, a government agency or company should establish clear regulations on how such services are to be used (see also S 2.460 Regulated use of external services). In these regulations, the following aspects should be clarified, amongst others:
- Business and private use should not be mixed.
- It must be clarified under which general prevailing conditions web disk space is allowed to be used for business purposes (e.g. for forwarding information, for protection against malicious software, etc.).
- Before using web disk space, the web disk space provider's terms and conditions of business should be examined carefully to determine whether they are acceptable from one's own perspective.
- The access rights to web disk space must be defined precisely and updated at regular intervals to ensure that only authorised persons can access the data stored.
- The exchange of data should be protected and secured in any case using SSL/TLS encryption.
- In addition, confidential data must be stored in encrypted form in order to protect them against being accessed by unauthorised persons.
- It must be defined from where (environmental security) and to which IT systems stored data are allowed to be retrieved.
Review questions:
- Has the use of web disk space been regulated clearly in the organisation?