Consumer file sharing services in the cloud like Dropbox are popular but they do raise security concerns if they are used at work.
Yesterday’s media storm about the apparent leak of Dropbox customer credentials highlights two things. Firstly, that everyone should use different passwords for their services to prevent a hack on one leading to a problem on another. Secondly, that organizations (and individuals for that matter) need to think carefully before putting their data on these public cloud services. And remember, Dropbox is not alone in having issues like this.
Cloud sharing services are being widely used for a simple reason – people want and need to send each other large files. Limits on file sizes that can be sent over their corporate email service mean they have to turn to sharing services that are often outside the organization’s safety net. This makes them a significant security, compliance and e-discovery concern that has to be addressed. For many organizations the risk of confidential information leaking out onto ungoverned consumer file sharing services like this is intolerable.
But it doesn’t have to be this way. You should be able to turn to the cloud to tackle the problem. You should be able to send large files within email and obey the data protection procedures in place in the organization. However, this does mean a rethink. What is needed is a secure service that can match the employees’ need for flexibility and function with the IT team’s desire for control, security and visibility, without placing a strain on email infrastructure.
Selecting the Right File Sharing Service
Security is, and should be, a key consideration in selecting any new service. Data privacy features can start with role-based access control and encryption for files in transit and at rest, but can differ between services. Integrated anti-malware controls are also invaluable, particularly in terms of protection against spam and phishing attacks, now routinely used in the majority of advanced targeted attacks.
For compliance purposes, it’s important that businesses know where their data and files are shared and stored. In order to help meet compliance standards and to provide a measure of disaster recovery protection, files should be duplicated and stored in geographically dispersed data centers.
It’s also worth finding a solution that provides a 100% service availability SLA, including failover during outages, in order to help ensure a seamless, uninterrupted service with constant access to files. In addition, the service chosen should be as flexible and scalable as possible, providing support for an unlimited number of people at any given time.
A particularly useful function of enterprise-grade file sharing and storage services is the ability to manage all processes and get reporting via a single management console. This saves IT time and money by providing centralized administration and can help to encourage enforcement of corporate policies.
Ensuring Employees Adopt Your Chosen File Sharing Solution
Any service, no matter how well considered and implemented, will not be effective if employees do not buy into it and it’s not blindingly simple to use. Another application, another login, another password – all these things will limit utilization of the ‘approved’ corporate service and drive them straight back to the consumer services they have been using to date.
Employees should also be well informed of the security issues surrounding the numerous consumer-oriented options that are available. Otherwise there’s a strong likelihood that they will continue to make use of them, regardless of the company’s new investment.
Fundamentally though, large files should be shared where all other communication and file sharing is happening – within email itself. So applications like Mimecast’s Large File Send have been designed specifically to do this. Mimecast’s application allows secure file sharing from right inside Outlook and a specifically designed Mac app. This is a best of both worlds approach – best for the employee as they get to share what they want, where they want, and best for the IT team because it’s kept within the policy control and risk management rules of their enterprise.
Large file sharing over the cloud by employees doesn’t have to be risky if the right supporting technology is put in place. With the right alternative, they will happily leave consumer-oriented services and play ball. But you need to choose carefully – so make sure you focus on ease of use, integration with email, back-end reporting and enterprise grade security when making your service selection.
- ‘There are two types of phishing vectors – one the malicious attachment…and two, URLs to malicious sites’.
- ‘The average cost of a data breach is $3.5m up 15% from 2013’ discussing the Ponemon Institute ‘2014 Cost of a Data Breach Study: Global Analysis’ sponsored by IBM. Interestingly, class action lawsuits by affected customers are part of the calculation and might be a rising trend for organizations to address.
- ‘As it becomes more common for remote workers to operate outside of VPNs (BYOD and BYOC), enterprises must protect the user when they actually click’. ‘Even if users could put something on their mobile device to protect them, they are hesitant from a user experience perspective.’ – this was one of the key points in the session, as traditional approaches to security only protect users on the network and corporate managed devices. It’s important to think beyond this given BYOD and remote working. Protection must be available no matter the device used to access corporate email systems, without increasing the IT overhead or adversely affecting the users’ experience. As Rick suggested, organizations must ‘protect the click’.
- ‘Sometimes the URL isn’t bad at the time of delivery – the attacker may turn the server over from benign to malicious after the email is sent.’
- ‘URL rewriting is emerging to protect the user…I recommended it as an RFP requirement.’
- ‘Whatever the culture of the organization, use that to (tailor) security training…increasing awareness and propensity to report incidents.’
- ‘(Phishing) is only going to get more and more sophisticated.’ – which is why the protection organizations put in place now must be able to stay ahead of the attackers.
Steve Malone, Security Product Manager, Mimecast:
- ‘Phishing is viewed as a technology problem…the usual approach is to add more technology. But the issue is that adding more technology is actually increasing complexity.’ Steve further explained that the most successful approach is two-fold: choosing the right technology coupled with user education.
- ‘As we’ve got better at protecting against these attacks, the attackers have moved the goal posts. We now have to assume all the links in emails are bad.’
- ‘Clean up (post-attack) is generally very difficult and time consuming and the root cause is not addressed.’
- ‘Mimecast’s Targeted Threat Protection addresses advanced attacks in email by rewriting the URLs. It means protection regardless of the device used.’
- ‘We’re building into the service a real-time education component for users.’
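The quotes above describe URL rewriting as a way to handle links that are benign at delivery but turn malicious later: every link in the message is replaced with a link to a protection gateway, and the real destination is evaluated at the moment of the click, whatever device the user is on. The following is an added illustration of that mechanism, not Mimecast’s code and not how Targeted Threat Protection is implemented; the gateway address, the signing secret, the sample message and the reputation store are all constructed for the example. The signature on each rewritten link is there so the gateway cannot be abused as an open redirect.

```python
"""Click-time URL protection, constructed example (not a vendor's implementation).

Delivery time: rewrite every http(s) href so it points at a protection gateway.
Click time:    the gateway verifies the link was issued by us, then re-checks the
               original destination against the *current* reputation data.
"""
import hashlib
import hmac
import html
import re
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, quote, urlparse

# Hypothetical gateway endpoint and per-tenant signing secret (constructed values).
GATEWAY = "https://protect.example.invalid/click"
SECRET = b"constructed-demo-secret"

_HREF = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def _sign(url: str) -> str:
    """HMAC over the original destination; proves the gateway issued this link."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()


def rewrite_url(url: str) -> str:
    """Wrap one destination in a signed gateway link."""
    return f"{GATEWAY}?u={quote(url, safe='')}&s={_sign(url)}"


def rewrite_html(body: str) -> str:
    """Delivery-time pass: rewrite all href targets in an HTML message body."""
    def repl(m: "re.Match[str]") -> str:
        original = html.unescape(m.group(1))          # attribute value -> real URL
        return f'href="{html.escape(rewrite_url(original), quote=True)}"'
    return _HREF.sub(repl, body)


class ClickGateway:
    """Resolves gateway links at click time against reputation data that changes over time."""

    def __init__(self) -> None:
        self.blocked_hosts: Set[str] = set()   # empty at delivery: the site looked clean

    def mark_malicious(self, host: str) -> None:
        """Reputation update arriving after the mail was delivered."""
        self.blocked_hosts.add(host.lower())

    def resolve(self, gateway_url: str) -> Tuple[str, Optional[str]]:
        """Return (verdict, destination); verdict is 'allow', 'block' or 'invalid'."""
        q = parse_qs(urlparse(gateway_url).query)     # parse_qs percent-decodes values
        if "u" not in q or "s" not in q:
            return ("invalid", None)
        url, sig = q["u"][0], q["s"][0]
        if not hmac.compare_digest(sig, _sign(url)):
            return ("invalid", None)                  # tampered or forged: never redirect
        host = (urlparse(url).hostname or "").lower()
        if host in self.blocked_hosts:
            return ("block", url)                     # bad *now*, even if clean at delivery
        return ("allow", url)


# Constructed sample message body.
SAMPLE_HTML = (
    '<p>Your invoice is ready: '
    '<a href="https://billing.example.test/inv?id=42&amp;v=2">view invoice</a></p>'
)


def demo() -> Tuple[Tuple[str, Optional[str]], ...]:
    """Lifecycle: deliver (rewrite), click (allow), reputation change, click (block), forged link."""
    gw = ClickGateway()
    delivered = rewrite_html(SAMPLE_HTML)
    links = [html.unescape(m.group(1)) for m in _HREF.finditer(delivered)]
    first = gw.resolve(links[0])                       # clean at first click
    gw.mark_malicious("billing.example.test")          # intel arrives after delivery
    second = gw.resolve(links[0])                      # same link is now blocked
    forged = gw.resolve(links[0].replace("billing", "evil"))  # signature no longer matches
    return first, second, forged


if __name__ == "__main__":
    for verdict, dest in demo():
        print(verdict, dest)
```

The point the example makes is the one in the session: the decision is deferred to click time, so a reputation change after delivery still protects the user, and because the decision is made server-side it works the same on a phone as on a managed desktop. A production gateway would also log each click for incident response and would carry the user identity so that a blocked click can be followed up.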
It’s clear from the interest and the great questions we received at the end of the presentations that this is a hot topic. The evolution of threats is forcing IT teams to rethink the planning, purchasing and management of their business security systems. In addition, it’s being recognized that in order to stay ahead of the attackers, technology alone is not the answer – the complete solution needs to account for this and train users in a new way.
Please leave a comment or @reply me at @orlando_sc if you’ve any particular areas you want us to cover in our follow up posts.
The hot topic this week in London at IP EXPO Europe 2014 will not be Big Data. Twelve months seems a short time, but a lot has happened since IP EXPO 2013.
As we mentioned on this blog last month, the landscape has shifted fundamentally. Real jobs, real responsibility and scrutinized budgets are now associated with data, and the business intelligence organizations require from it.
The excitement of the last few years has been replaced with a pragmatic planning phase which includes less magical but more useful areas such as: organizational structure, training and infrastructure architecture. It’s a natural evolution for any burgeoning technology and, like other cloud vendors, we’re looking forward to the next few years where businesses invest more heavily in archiving, categorizing and exploiting their data.
But aside from a new era of pragmatism, what do we predict will be a reoccurring conversation at this year’s IP EXPO? Actually, we believe the strong trend this year will be one that has been around for a while – ‘Cloud Migration’.
There are still a huge number of organizations that are about to or are in the middle of moving their data to the cloud with all the opportunities and challenges that brings. This is why I’ll be presenting ‘The future of Enterprise Information Archiving’ on Wednesday the 8th and Thursday the 9th of October at 2:20 – 2:50pm in the Backup & Recovery Theatre – I’ll hopefully see you there.
We’ve also produced some short video trailers of the presentation – the first one is embedded below this post and titled ‘The Real Cost of Staying On-premises’ which looks at the economic impact of keeping your email archive on-premises.
If you’d like to find out more, do drop in to see us (Stand H10) and we’d be glad to talk about how we can help you plan the migration of your information archive to the cloud.
We’ve come a long way on the timeline of enterprise information security. About ten years ago we’d finally become used to the idea of a second firewall upgrade and were thinking about dedicated security teams and policies that had a reach much farther than just the IT team.
Today, and into the next twelve months, the list of priorities for CIOs and CISOs is far more complex and only bears a passing resemblance to the past.
The future looks far more advanced, from a security perspective, which by right is an accurate reflection of the nature of the threats that we now face. Traditional security technologies are struggling to keep up, and in many ways have seen their day. Today’s shopping list of security tools would include Mobile Device Management (MDM) services, next generation firewalls and threat detection tools as well as new more active types of host anti-virus; altogether more complex and advanced than the types of tools we were buying just a few years ago.
Also on the agenda are the softer, more human components of information security. Compliance tools and processes have never been more important, and neither, perhaps surprisingly for some, have formal enterprise privacy agreements for users. The latter is a response to growing privacy concerns driven by major data leakage and snooping scandals; the former, and your staff in particular, are the new frontier for soft security technologies and training that seek to shore up one of the weakest lines of defense in the enterprise.
So all things considered, here are my predictions for the types of projects you’ll be seeing this year:
- Cloud identity and authorization: With the rise of cloud-based services in the enterprise, IT teams will need to ensure access control requirements are met across all services. Using third-party identity and authorization services that integrate with cloud and on-premises directory services will be essential to enable the use of cloud services that can match your enterprise authentication policies.
- Cloud encryption: If not provided by a cloud security vendor already, more CIOs will demand their data be encrypted in the cloud with a separate cloud encryption tool. Public cloud services will be affected most to guarantee the confidentiality of data for the enterprise as CIOs seek to find ways to protect their information regardless of its storage location.
- Formal privacy programs: Privacy is critical to both customer and end user trust in your organization, with the added benefit of helping you comply with local laws and customs. CIOs will be creating privacy protection controls for their sensitive customer data and personal information that balance business enablement with business protection. This is a new concept for many, but as the line between enterprise and personal computing is increasingly unclear, CIOs will need to establish clear boundaries for data access, storage and monitoring.
- Next generation tech: The ‘next generation’ is never well defined, but we know the current generation of technologies is fast being outmoded. Security technology in particular has become easy for attackers to circumvent, so vendors are responding with next generation, more advanced, security solutions. Spear-phishing is a great example – all the most recent high profile attacks have bypassed traditional email security technologies, by the use of very well crafted malicious emails.
- Threat detection and response: Similarly, as threats change and become stealthier, we need to address how we detect and respond to them, given the possibility we may not be able to prevent them all. Endpoint and host detection will play a large role in these new projects as businesses look for ways to quickly detect the outbreak of a problem on an endpoint and seek to lock it down or remote wipe it as quickly as possible.
- Security governance: This has always been a growing part of a CIO’s responsibilities, and we’ll see IT GRC management and ITSM increase as rigor is brought to bear on the IT department, and the buy-in of IT initiatives by the rest of the organization becomes more normal.
- Mobile device management: BYOD has come and gone, or at least embedded itself in our everyday IT policy. Users, not satisfied with your policies being enforced on their personal devices, appear to be much happier with the containerized or compartmentalized use of business data and apps on those devices. Simply letting users bring their devices into your network is no longer as acceptable as it once was; controlling the use of your data on their devices is now essential.
- Testing and training: Security training has always been part of our routine for users. Most new users are given a ‘sheep dip’ when they join, and a rare few are given ongoing training thereafter. But, as the value of training is diminished by more successful attacks in the face of well-trained staff, real-time testing becomes a more viable solution. There are numerous open source tools available to help you socially engineer your staff; we should expect to see these sorts of activities being offered as services in the near future, and should take advantage of them – even if you’ve shied away from classic “pen-testing” in the past.