If you’re like most people, you use file sharing services to send and share your files via the cloud. But how do you know that the files you share via these tools are safe? Do you trust the cloud service provider and the security measures they’ve put in place? How sure are you that these security measures are foolproof?
These questions are all valid for personal use of these services, but take on a whole new level of importance when the services are being used as part of a corporate IT policy. With any of the questions above, the weakest point of failure is usually the end user, and bad password habits in particular leave individuals and their employers open to risks.
Recently it made the rounds in the media that a cloud file sharing service was hacked in 2012, with the passwords and usernames of up to 68 million users being stolen. This highlights a number of risks for organisations that use Enterprise File Sync and Share (EFSS) solutions as their primary storage for corporate data, or that allow employees to put corporate data onto their personal accounts.
But it’s not just the cloud services, or the passwords. Working with files or cloud services through unauthorised hardware such as home computers or mobile devices increases the risk to a company of a security breach taking place. This could be a hack, or data being shared accidentally in an unencrypted format with an unauthorised person. Devices off the corporate network, and in the shadows, are not protected to the same level as those known to corporate IT, and the same is true of cloud services. They will not be subject to the same corporate and regulatory (HIPAA, SOX, PCI, etc.) policies in relation to encryption, authentication, identity and access management, threat detection, device management, or something as straightforward as password policy.
Using cloud services and unauthorised devices can also mean that the regulations to which a company must adhere are being ignored, putting the company at risk of sanctions, as well as creating an opportunity for employees to consciously break rules – even commit crimes.
Employees are, of course, largely just looking for the best and most efficient way of getting a job done, even if they are less aware of, or less inclined to consider, the security implications of using personal cloud storage accounts to move files. Taking a step back from which cloud services should or should not be authorised for use by an IT department, simpler questions need to be asked about the files themselves: Who should be able to move files? Who is allowed to receive them? What protection is in place while those files are in transit and at rest?
Starting from this point allows IT departments to think thoroughly about how they will control the use of every application and device that can be used to move files. But more fundamentally, they need to consider: when all else fails, how do we protect the files?
When utilising an EFSS, IT Managers should ask themselves how vital or confidential the files are that employees are sharing. Would they feel comfortable if someone other than the intended recipient saw these files? What if a hacker or malicious insider were to gain access? How would a data leak affect the business? If you’re an IT Pro and questions like these make you feel even the slightest bit uncomfortable – and they should – then you need to take additional steps now to protect your company data before an incident occurs.
We’ve seen that having user credentials and other account information protected by a password alone is simply not enough. Despite educational efforts to help users create unique passwords for each of their accounts, it’s human nature to be repetitive, so it’s commonplace for users to use the same (or similar) password across many different log-ins. This means that allowing employees to use their personal EFSS accounts for business needs offers a window that malicious attackers can exploit and leaves your data vulnerable, because it’s very possible that the same password is also protecting their other personal accounts.
Protect data at source
As we alluded to earlier, the primary concern should be protecting data at its source. This means knowing what controls are in place to govern the way data moves to and from EFSS services, and how it’s protected while on that service. Any data that you would fear losing, or that is sensitive in any way, should always be encrypted at the endpoint within the organisation. The same approach ensures that when data leaves the organisation it is still encrypted at those external endpoints: access to the files remains completely under the control of the organisation and its centrally controlled encryption key server.
It is also important to consider the scenario in which an employee has used a personal cloud service account and then leaves the organisation. Without encryption the user retains access to those files, and the organisation would have no way of removing them from the cloud service, or in fact from any other device. If all files in the cloud are encrypted by the organisation, all of the time, it is possible to remove access without knowing which files have been shared, by whom, or with which cloud service. The files will stay where they are, but will remain encrypted and illegible, because the user has lost access to the organisation’s centrally held encryption keys.
Real world hacks on EFSS providers also demonstrate why it is critical to use solutions where the encryption keys are always in the control of the organisation, rather than the cloud service. This adds yet another level of protection should a breach of usernames/passwords occur at a 3rd party cloud service provider.
These are just some of the reasons why it’s important that organisations enforce encryption automatically through their security policy to help avoid disaster. Encrypting at the source may not stop a hacker from gaining access to an employee’s EFSS account, but it will prevent the data itself from being disclosed. When an organisation keeps control of its keys by encrypting the data before it is ever sent to an EFSS service, then – and only then – are the private keys never seen or accessed by third-party vendors. In this scenario, if the EFSS provider or device is ever breached, a business can be confident that its data is still safe from prying eyes.
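The key-control argument above, as an added example that is not the article’s or WinMagic’s own code: a constructed stand-in for a central key server, an endpoint that encrypts before upload so only ciphertext reaches the EFSS provider, and the leaver scenario, in which revoking a user’s key grant leaves their cloud copy illegible. The HMAC-based keystream is a demonstration construction chosen so the example runs with the standard library alone; a real deployment would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Demonstration PRF in counter mode (HMAC-SHA256 over nonce||counter).
    # Stand-in for AES-GCM so this runs offline with only the stdlib.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


class KeyServer:
    """Constructed stand-in for the organisation's central key server."""

    def __init__(self) -> None:
        self._keys = {}    # key_id -> key material; never leaves the organisation
        self._grants = {}  # user -> set of key_ids that user may fetch

    def create_key(self, key_id: str, users) -> None:
        self._keys[key_id] = os.urandom(32)
        for user in users:
            self._grants.setdefault(user, set()).add(key_id)

    def revoke_user(self, user: str) -> None:
        self._grants.pop(user, None)  # a leaver loses every key at once

    def fetch_key(self, user: str, key_id: str) -> bytes:
        if key_id not in self._grants.get(user, set()):
            raise PermissionError(f"{user} has no access to key {key_id}")
        return self._keys[key_id]


def encrypt_at_endpoint(plaintext: bytes, key: bytes, key_id: str) -> bytes:
    # Blob layout: key_id (16 bytes) | nonce (16) | ciphertext | HMAC tag (32).
    # Only this blob is ever uploaded to the EFSS; the key stays with the organisation.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    body = key_id.encode().ljust(16, b"\0") + nonce + ct
    return body + hmac.new(key, body, hashlib.sha256).digest()


def decrypt_at_endpoint(blob: bytes, server: KeyServer, user: str) -> bytes:
    key_id = blob[:16].rstrip(b"\0").decode()
    key = server.fetch_key(user, key_id)  # raises PermissionError once revoked
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext tampered with")  # encrypt-then-MAC check
    nonce, ct = body[16:32], body[32:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def can_read(blob: bytes, server: KeyServer, user: str) -> bool:
    # True if the user can still decrypt the cloud copy (False after revocation).
    try:
        decrypt_at_endpoint(blob, server, user)
        return True
    except PermissionError:
        return False
```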
Data encryption, when executed properly, protects the sensitive information stored within any given organisation. Although there are many myths attributed to data encryption, the surprising truth of the matter is that at its core, data encryption provides a foundational piece to any data security and cloud strategy.
The last line of defence
At the heart of implementing a cloud strategy to support the use of these services is having the correct tools to secure the data within the environment. One of the biggest mistakes companies make is using different tools for each distinct environment, such as private cloud services, public cloud services and mobile device management. This is not necessary: there are tools that allow all of this to be managed from a single platform, alongside the services fundamental to effective protection, such as encryption and anti-virus.
You may not be able to remove human error from the variables that affect security, but with encryption you can ensure that your data has the best possible chance of being protected if all your other defences fall by the wayside. It is the final opportunity any business has to protect itself.
Mark Hickman, Chief Operating Officer at WinMagic