SAP CIO: iCloud and DropBox Not Secure Enough, We’ll Build Our Own

Users love cloud storage services like DropBox and iCloud for their power and ease of use. IT managers hate them for the ginormous potential for data leakage and loss they create. But clamping down on them isn’t so straightforward.  

In the past, a CIO could simply decree DropBox and iCloud verboten and his or her will would be carried out. IT management software would prevent banned applications from being installed, while network firewalls would block outlawed Web sites or network ports. End of story.

That’s not so simple today. Many smartphones and tablets used inside companies remain unsecured by Mobile Device Management (MDM) software.  At the SAPPHIRE conference in Madrid last week, SAP CIO Oliver Bussmann gave a talk to fellow CIOs about how SAP is using its subsidiary Sybase’s Afaria MDM software to secure the 11,000 iPads used by its employees.

“I had a CIO ask me afterward, ‘Should we also do this [use MDM] with our iPhones?'” he said. “It just shows how there’s a lack of information.”

Another issue is that many of the Samsung Galaxy smartphones and iPads used inside companies today are owned by the employees themselves, courtesy of shrunken budgets and the desire of workers to Bring Their Own Devices.

That creates a legal grey area in regions like Europe, where strong data privacy laws allow workers to unilaterally revoke, at any time, their consent for employers to secure and manage the data residing on their phones and tablets. Allowing BYOD devices can create liability risk for companies.

Moreover, we’ve moved on from command-and-control IT shops towards the ‘consumerization of IT’ era. Conditioned to the slick devices and apps they use at home, employees are rebelling against the ugly, kludgy gear and software they are issued at work. It’s not just a matter of aesthetics. Consumer devices are more powerful and easier to use than their enterprise counterparts.

In this era, CIOs need to strike a balance between enabler and dictator. That’s what Bussmann is doing. Using Afaria, he plans to shut down access to iCloud for his employees by the end of the month. “The risk is far too high,” he said.

But in closing that door, he plans to open another. His team has already created a prototype of a document-sharing service that will be released to employees by the end of the year.

The service is based on the WebDAV standard. Bussmann says the goals are to make it as easy to use as iCloud or DropBox on both mobile devices and laptops (something SharePoint, which many companies use today, is poor at), while also providing the security that only an internal, behind-the-firewall network can.

Bussmann talked up the service at SAPPHIRE and says he got a strong reception from other CIOs. So strong, he says, that if things go well, the service might eventually end up being offered to SAP customers.

If you’re curious to learn more, you can ask Oliver himself during a one-hour Tweetchat tomorrow, Tuesday, November 15. Watch the #SAPchat hashtag starting at 11 am EST/8 am PST, and submit any questions using that hashtag.

  • Thanks for the blog post Eric. As a former sysadmin who always pushed for it myself, I'm delighted to see the consumerisation of IT finally gathering pace. I agree that Dropbox has not been the most secure of storage areas, with a number of highlighted flaws. I can also see how companies that have to follow data governance regulations and the like will be concerned about remote storage of data on iCloud.

    However, it's an entirely different thing to say that iCloud is "not secure enough". Given that it's a new service with (AFAIK) no disclosed vulnerabilities, how does Bussmann know this?

    • Hi John - I passed along your ? to Oliver at this morning's Tweetchat. "It is a security concern to move confidential documents into a public zone," he tweeted. By that, I take it is a broad architectural concern with iCloud - the fact that corporate documents can be auto-uploaded to a server not under SAP's control - not any specific vulnerabilities with iCloud.

      Here's his tweet:

      And the rest of the tweetchat:

      • Hi Eric, thanks for passing that along and the reply. I'm well aware of the concerns around using cloud-based storage - as I said it has implications for data governance etc. However, a CIO of a major company like SAP should understand the difference between having security concerns about a new service and saying "iCloud is not secure enough"; these are two entirely different statements and the latter cannot be supported as of yet (it may well turn out to be the case, but we cannot know that yet).

        I'll check out the Twitter conversation on it, thanks for the link.

  • I'm curious what @sapcio actually means when he says that he is going to shut down access to iCloud. iCloud is not one thing. Rather it is a set of services, including (reading through my iPhone setting screen) syncing of Contacts, Calendars, Mail, Reminders, Bookmarks, Notes, and DOCUMENTS. Plus there are services like Photo Stream, Find my iPhone, iCloud backups, and iTunes Match. Whew.

    So which ones are going to be turned off? If we're only concerned about documents being synced, then turning off everything seems a bit much. Does Afaria provide these sorts of more fine-grained controls?

    Personally, I don't know much of the context, but this seems to me like an overreaction. I've been using apps for ages that automatically sync all documents created in them to servers (much less secure servers than iCloud). I assume that many SAP employees do the same. If these apps started using iCloud for their document syncing, then that would be a major security *improvement*. On the other hand, if @sapcio blocks iCloud document syncing, then these employees will just go back to using the less secure alternatives. I'm not sure this is a great idea.


    • Great point Ethan. I'm also not familiar with Afaria, but I had assumed that it (and other MDM products) would have provided functionality to prevent these apps syncing with anything outside the company's network (assuming they're on the company's WiFi to begin with, but then if they're running on a cellular network that is outside the company's domain and presumably not their responsibility). Is this true Eric? Need to do some digging into Afaria myself, I'm very interested in the whole area.

      In defence of Bussmann I would say it's almost the CIO's _job_ to overreact to new services that affect the location of his employees' data, in the sense that it's ultimately his responsibility to ensure the safety, confidentiality and integrity of the data. iCloud is a new service and as yet unproven, so someone in his position is really only being responsible when advising caution (again, assuming they are already restricting individual apps!).