Be cloudy and secure...

Security


Cloud Security Authors: Elizabeth White, Yeshim Deniz, Shelly Palmer, Rick Popko, Jackie Kahle

Related Topics: Security Journal, Mobile Enterprise Application Platforms, Cloud Security Journal , Big Data on Ulitzer, Security

Article

The Secure Collaboration Big Bang - Finding Big Data's Higgs Boson

The challenge lies in how to transform chaotic collaboration

The huge growth in mobile technologies and new free collaboration services (e.g., Dropbox) is forcing organizations to find ways to coexist with these technologies, taking advantage of the efficiencies they bring, and ensuring that their data assets are adequately protected. Organizations have to provide employees with a secure method to collaborate and share information; if they don't, employees will take matters into their own hands; many already have. The challenge lies in how to transform chaotic collaboration, which, unfortunately, exists in most corporations today, into organized, secure collaboration that leverages modern file-sharing and synchronization technology without succumbing to the risks they bring.

File synchronization services create a virtual folder on your workstation, laptop, tablet, or smartphone that looks and behaves like a regular folder: you can save files in it, browse them, open them, and edit them. Unlike normal folders, though, the files inside them are automatically copied to a system somewhere "in the cloud." That means that they are stored on some server on the Internet, and as soon as they are uploaded they are copied to all the other devices that sync with your folder and made available to all those with whom you have chosen to share and collaborate.

In terms of management there are a lot of conveniences for organizations - you don't need to worry about things like backing up, disaster recovery, or hosting sites, as the cloud service takes care of those things (or so we assume).

For consumers, cloud services offer advantages over traditional file sharing platforms in that you have all your files whether or not you're connected to the Internet or your corporate network and you can access your files from your tablet and smartphone. Most importantly, however, we don't have to put any thought at all into using them:

  • There's a folder
  • You put files in it
  • They sync, and...wham! All of your files are available to you and to those with whom you collaborate

The very fact that we don't need to put a lot of thought into using these services also causes a big problem. With the line between personal use and corporate use blurring, employees are storing corporate data in cloud services without corporate approval or oversight.

This means that, unless you're actively blocking all cloud services, it's almost certain that your employees are using them. If you do block them (without offering an acceptable solution) then it's almost certain that your employees are using them anyway-working on their personal devices entirely outside of the corporate network.

This not only opens you up to data theft and data breaches, but exposes your company to compliance and regulatory offenses which could put you out of business. Many organizations are subject to regulations concerning customer information, financial information and other types of sensitive data.

Ensuring regulatory compliance is already a challenge in established IT environments - how can organizations be sure that regulated content isn't being stored in cloud repositories where controls may not be as mature?

There are a number of key questions that organizations need to ask about cloud synchronization services:

  • Who are these cloud service providers and how do they protect their networks?
  • How is disaster recovery performed?
  • Are actual access events and permissions changes audited, and how can they be integrated with existing audit trails?
  • How can organizations make sure they even have a copy of all the data an employee has created, much less make sure employees aren't taking data when they leave?
  • How can organizations inspect them to make sure they are behaving as they claim?

In addition to the security concerns, there are issues of manageability. Cloud services are just starting to integrate with corporate directory services infrastructures (e.g. Active Directory), so that means maintaining separate user and group entities, managing access control lists in yet another system and having processes and controls in place to demonstrate that access is maintained and reviewed consistently by the appropriate parties. With organizations already overwhelmed with managing access controls for the data that resides inside their networks, adding an additional platform outside the infrastructure will only increase workload and complexity.

Gartner believes that providing file synchronization across as many diverse devices as possible will be most effective in meeting user needs, thereby discouraging users from seeking unauthorized file sharing technologies ("How to Control File Synchronization Services and Prevent Corporate Data Leakage," by Jay Heiser, and Lawrence Pingree, Published 31 January 2012).

Based on Gartner's assessment that "Huge Amounts of Proprietary and Regulated Data Are Leaking Onto Noncorporate Devices, Outside of Enterprise Controls and Audit Trails," and the analysis above, here are three conclusions that can be drawn about the current state of file sharing for organizations:

  1. Cloud-based file synchronization services have become so popular that they threaten to scatter organizational assets.
  2. Today's cloud-based file synchronization services sacrifice a level of control and do not fully integrate with existing infrastructure.
  3. Organizations must offer sanctioned file synchronization services and device interoperability or they run the risk of losing control of digital assets outside the corporate LAN.

Organizations are at a turning point - they can either let things go as they are now, where their employees use personal devices and free cloud services to store organizational assets wherever they choose, or select a separate, cloud-based file synchronization service that will add additional management overhead, and new risks that are difficult to quantify.

There is an alternative though - what if organizations could offer file-synchronization services with their existing infrastructure, taking advantage of the storage that they already own, authenticating with their own user catalog, and integrating with protection and management technology and processes they already have? Businesses could then offer the cloud experience with their existing infrastructure.

Imagine:

  • Data is stored in the right place, on storage that organizations already own
  • Existing data protection and management regimes can be utilized

There was once a time when the power of the IT security department would enable most organizations to ignore file synchronization services. However, the world has moved on, and in an era where one third of your employees could be below the age of 25 - and have grown up with social networking - you cannot stop them doing what comes as naturally as breathing.

The problem is that cloud-based file synchronization services are the norm, and when an enterprise attempts to ban them they will fail. It is therefore a reality that organizations are losing their grip on more of their corporate assets day by day. Time is ticking away and most organizations are drifting - ignoring to make a decision about what to do and running the risk of painting themselves into a corner.

Very soon the data they rely on, the very lifeblood of their organization, will reside on hundreds of servers scattered across the world, with little means of controlling it. It is now time to choose - the risk and chaos which has been ushered into the enterprise by the Pied Piper's called users on one hand - or organized secure collaboration on the other. There is no other path available.

More Stories By David Gibson

David Gibson has been in the IT industry for over fifteen years, with a breadth of experience in data governance, network management, network security, system administration, and network design. He is currently Director of Strategy at Varonis Systems, the leading provider of comprehensive data governance software. David holds many certifications, including CISSP. As a former a technical consultant, he has helped many companies design and implement enterprise network architectures, VPN solutions, enterprise security solutions, and enterprise management systems.