by Orlando Scott-Cowley
On-premises email and data archives are a growing challenge to organizations looking to reduce costs and management complexity.
Cloud archiving alternatives offer a compelling opportunity to remove the management headaches and deliver a secure, resilient and highly scalable archive service to meet requirements now and in the future. But concerns remain about the ideal migration strategy that balances effective risk management with new business requirements.
That’s why in this new webinar, I’ve teamed up with Gartner research director Alan Dayley to break down the benefits of the cloud over on-premises email archiving. Together, we also explore the key considerations for migrating to the cloud, and look to the future of email archiving in the cloud.
Hybrid or 100% cloud? Should you migrate everything from legacy systems? How do I know if I even need archiving? We explore the key considerations and review what you need to think about regarding data sovereignty.
For customers thinking about moving to Office 365, but concerned about their readiness, we’ll discuss migration strategies. Meanwhile, for those who have already made the move, we’ll discuss how a third-party backup archive can make your data in Office 365 fully resilient.
There has never been a better time to move archives to the cloud.
Take a look at the video here.
by Nathaniel Borenstein
I wasn’t there myself, but I heard from colleagues that Tim Berners-Lee (the originator of the WWW) keynoted at London’s IP EXPO Europe show earlier this month. He was asked why security wasn’t considered more in the beginning of the Internet.
This got me thinking back to those days and asking the same question. Why didn’t we early Internet guys predict the need or put the hours in on security from the start? After all, today there’s a whole industry dedicated to the challenges of securing the Internet, as well as the data and communications carried over the network. Today, companies like Mimecast fight a never-ending struggle to keep the Internet reasonably secure.
But many decades ago, there were so few people on the Internet that most of them knew each other by name. My late mentor, Einar Stefferud, used to tell people his address was ‘stef @ any machine on the net.’ We mostly just trusted each other, as research colleagues. Besides, doing never-before-done amazing things is a lot more fun than preventing bad things that were, at the time, completely hypothetical.
For me, that’s all the explanation you should need. But I’ve plenty of other explanations and here are some of them:
1. They didn’t know how. When you’ve just built something new, by definition no one will know how to secure it. The people building them were specialists in all sorts of things, but not, with a few exceptions, security. They hoped that the security people could come in later and fix things up.
2. They didn’t want to. The early Internet pioneers tended to have a very egalitarian vision of the Internet. They wanted to open possibilities for everyone, not close them off from some people. While they would have readily said that some security would be needed, it just wasn’t what they wanted to work on. The vision of an Internet open to everyone tended to work against any efforts to secure it. Also, there was a lot of belief that anonymity should be possible on the net, so there was substantial resistance to requiring strong authentication of identity.
3. For most people, security was boring. Those who found it interesting generally wanted to work on something heavily used. Even security researchers — and there were some — generally trusted one another.
4. They feared it might be impossible. It was clear that Internet security would be very complex, and less clear that it would ever be truly possible. For that matter, they weren’t entirely sure that what they were trying to build with the Internet was even possible. Nearly all the protocol designers worried about security, and tried to make wise decisions when they could. But it’s hard to secure something before you’ve designed it.
The good news is that we now know the world loves (and even runs on) the Internet, and there are thousands of smart people and companies working hard and fast to secure it and our data. Nowadays there are university programs and whole careers to be made in various aspects of the Internet security industry.
It’s still an open question whether we can do so completely. The bad guys are constantly innovating so companies like Mimecast have to be relentless and in it for the long haul. This is a constant battle of cat vs. mouse between the Internet good guys protecting all of us from the bad guys out to steal our data, corrupt our systems or rob us plain and simple.
This is a worthy pursuit for any company, computer science graduate or expert. The world needs more smart, well-educated people worrying about security.
That’s why I’m particularly passionate about the need to get more young people, particularly women, interested in engineering at an early age. It may seem like an uphill battle. But there’s an encouraging shift visible in the emergence of targeted technology clubs and engineering toys designed to appeal to them from companies like Goldieblox and Roominate. Oh, and for the record, I’ve no financial interests in these firms or the toy industry. It’s just clear to me from my own experience as a parent and now grandparent that if we inspire early, we can create the talent we need tomorrow.
by Dan Sloshberg
Consumer file sharing services in the cloud like Dropbox are popular but they do raise security concerns if they are used at work.
Yesterday’s media storm about the apparent leak of Dropbox customer credentials highlights two things. Firstly, that everyone should use different passwords for their services to prevent a hack on one leading to a problem on another. Secondly, that organizations (and individuals for that matter) need to think carefully before putting their data on these public cloud services. And remember, Dropbox is not alone in having issues like this.
Cloud sharing services are being widely used for a simple reason – people want and need to send each other large files. Limits on file sizes that can be sent over their corporate email service mean they have to turn to sharing services that are often outside the organization’s safety net. This makes them a significant security, compliance and e-discovery concern that has to be addressed. For many organizations the risk of confidential information leaking out onto ungoverned consumer file sharing services like this is intolerable.
But it doesn’t have to be this way. You should be able to turn to the cloud to tackle the problem. You should be able to send large files within email and obey data protection procedures in place in the organization. However this does mean a rethink. What is needed is a secure service that can match the employees’ need for flexibility and function, with the IT team’s desire for control, security and visibility without placing a strain on email infrastructure.
Selecting the Right File Sharing Service
Security is, and should be, a key consideration in selecting any new service. Data privacy features can start with role-based access control and encryption for files in transit and at rest, but can differ between services. Integrated anti-malware controls are also invaluable, particularly in terms of protection against spam and phishing attacks, now routinely used in the majority of advanced targeted attacks.
For compliance purposes, it’s important that businesses know where their data and files are shared and stored. In order to help meet compliance standards and to provide a measure of disaster recovery protection, files should be duplicated and stored in geographically dispersed data centers.
It’s also worth finding a solution that provides a 100% service availability SLA including failover during outages in order to help ensure a seamless, uninterrupted service with constant access to files. In addition the service chosen should be as flexible and scalable as possible, providing support for an unlimited number of people at any given time.
A particularly useful function of enterprise-grade file sharing and storage services is the ability to manage all processes and get reporting via a single management console. This saves IT time and money by providing centralized administration and can help to encourage enforcement of corporate policies.
Ensuring Employees Adopt Your Chosen File Sharing Solution
Any service, no matter how well considered and implemented, will not be effective if employees do not buy into it and it’s not blindingly simple to use. Another application, another login, another password – all these things will limit utilization of the ‘approved’ corporate service and drive them straight back to the consumer services they have been using to date.
Employees should also be well informed of the security issues surrounding the numerous consumer-oriented options that are available. Otherwise there’s a strong likelihood that they will continue to make use of them, regardless of the company’s new investment.
Fundamentally though, large files should be shared where all other communication and file sharing is happening – within email itself. So applications like Mimecast’s Large File Send have been designed specifically to do this. Mimecast’s application allows secure file sharing from right inside Outlook and a specifically designed Mac app. This is a best of both worlds approach – best for the employee as they get to share what they want, where they want, and best for the IT team because it’s kept within the policy control and risk management rules of their enterprise.
Large file sharing over the cloud by employees doesn’t have to be risky if the right supporting technology is put in place. With the right alternative, they will happily leave consumer-oriented services and play ball. But you need to choose carefully – so make sure you focus on ease of use, integration with email, back-end reporting and enterprise grade security when making your service selection.
by Orlando Scott-Cowley
First of all, I’d like to say a big ‘thank you’ to everyone who attended Tuesday’s Mimecast webinar featuring Forrester on ‘Protecting Against Targeted Attacks’.
The interest has been huge, and we’ve made the recording of the session available here. We’ll also be focusing on key themes raised during the session over the coming weeks on this blog.
To start, we thought it would be useful to pull out and reflect on some key quotes from the session.
Recording of Mimecast webinar featuring Forrester on ‘Protecting Against Targeted Attacks’ from September 30th 2014, when practical steps to protect your business were outlined by Rick Holland.
Rick Holland, Principal Analyst, Forrester Research:
- ‘67% of the espionage cases in organizations involved phishing’, discussing the Verizon ‘2014 Data Breach Investigations Report’.
- ‘There are two types of phishing vectors – one the malicious attachment…and two, URLs to malicious sites’.
- ‘The average cost of a data breach is $3.5m up 15% from 2013’, discussing the Ponemon Institute ‘2014 Cost of a Data Breach Study: Global Analysis’ sponsored by IBM. Interestingly, class action lawsuits by affected customers are part of the calculation and might be a rising trend for organizations to address.
- ‘As it becomes more common for remote workers to operate outside of VPNs (BYOD and BYOC), enterprises must protect the user when they actually click’. ‘Even if users could put something on their mobile device to protect them, they are hesitant from a user experience perspective.’ – this was one of the key points in the session, as traditional approaches to security only protect users on the network and corporate managed devices. It’s important to think beyond this given BYOD and remote working. Protection must be available no matter the device used to access corporate email systems, without increasing the IT overhead or adversely affecting the users’ experience. As Rick suggested, organizations must ‘protect the click’.
- ‘Sometimes the URL isn’t bad at the time of delivery’ – the attacker may turn the server over from benign to malicious after the email is sent.
- ‘URL rewriting is emerging to protect the user…I recommended it as an RFP requirement.’
- ‘Whatever the culture of the organization, use that to (tailor) security training…increasing awareness and propensity to report incidents.’
- ‘(Phishing) is only going to get more and more sophisticated.’ – which is why the protection organizations put in place now must be able to stay ahead of the attackers.
Steve Malone, Security Product Manager, Mimecast:
- ‘Phishing is viewed as a technology problem…the usual approach is to add more technology. But the issue is that adding more technology is actually increasing complexity.’ Steve further explained that the most successful approach is two-fold: choosing the right technology coupled with user education.
- ‘As we’ve got better at protecting against these attacks, the attackers have moved the goal posts. We now have to assume all the links in emails are bad.’
- ‘Clean up (post-attack) is generally very difficult and time consuming and the root cause is not addressed.’
- ‘Mimecast’s Targeted Threat Protection addresses advanced attacks in email by rewriting the URLs. It means protection regardless of the device used.’
- ‘We’re building into the service a real-time education component for users.’
It’s clear from the interest and the great questions we received at the end of the presentations that this is a hot topic. The evolution of threats is forcing IT teams to rethink the planning, purchasing and management of their business security systems. In addition, it’s being recognized that in order to stay ahead of the attackers, technology alone is not the answer – the complete solution needs to account for this and train users in a new way.
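The URL rewriting and ‘protect the click’ idea quoted above can be illustrated with a short sketch. This is an added example, not Mimecast’s implementation or code from the webinar: the gateway address, signing key, sample message and reputation lookup are all constructed assumptions. It shows why a link that was clean at delivery is still caught when the verdict is checked at click time, and why the rewritten link is signed so the gateway cannot be abused as an open redirect.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

GATEWAY = "https://gateway.example/click"  # hypothetical rewriting gateway
KEY = b"constructed-demo-key"              # constructed; use a managed secret in practice
URL_RE = re.compile(r"https?://[^\s<>\"']+")
MAIL = "Your invoice: http://files.example.test/inv.pdf (constructed sample)"

def _sig(url):
    # Bind the gateway link to the original destination.
    return hmac.new(KEY, url.encode(), hashlib.sha256).hexdigest()

def rewrite_links(body):
    """Delivery time: replace every link with a signed gateway link."""
    def repl(match):
        url = match.group(0)
        return f"{GATEWAY}?u={quote(url, safe='')}&s={_sig(url)}"
    return URL_RE.sub(repl, body)

def resolve_click(rewritten, verdict_now):
    """Click time: verify the signature, then ask for the current verdict."""
    query = parse_qs(urlparse(rewritten).query)
    url = query.get("u", [""])[0]
    sig = query.get("s", [""])[0]
    if not hmac.compare_digest(sig, _sig(url)):
        return ("reject", None)  # tampered link: never redirect to it
    host = urlparse(url).hostname or ""
    if verdict_now(host) == "malicious":
        return ("block", url)
    return ("redirect", url)

def demo():
    reputation = {"files.example.test": "clean"}    # verdict when mail arrives
    link = URL_RE.search(rewrite_links(MAIL)).group(0)
    at_delivery = resolve_click(link, reputation.get)
    reputation["files.example.test"] = "malicious"  # server turned after delivery
    at_click = resolve_click(link, reputation.get)
    tampered = resolve_click(link.replace("files", "evil"), reputation.get)
    return at_delivery[0], at_click[0], tampered[0]

if __name__ == "__main__":
    print(demo())
```

Because the check runs at the gateway rather than on the endpoint, the same decision applies whichever device the user clicks from.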
Please leave a comment or @reply me at @orlando_sc if you’ve any particular areas you want us to cover in our follow up posts.