How to tackle changing cloud security threats: A guide

Source – cloudcomputing-news.net

IT workers face a serious challenge when it comes to file sharing. In one corner is corporate governance which seeks to protect businesses and prevent cyber-attacks. In the opposite corner are end users who want to work more efficiently – collaboratively – by sharing or saving files.

The best way of ending this conflict is to find middle ground. In attempting this resolution, enterprises need to find the right balance between IT security and governance on one side and the needs of employees on the other. To ensure cloud protection when storing or sharing files, businesses need to provide end to end encryption, data residency control, authentication of internal and external collaborators and a good user experience.

The first key aspect is providing end-to end encryption. The encryption can only be successful if it is latency free which ensures performance isn’t adversely affected.  The enterprise also needs ownership of the keys in order to implement the encryption successfully.

Although some companies will have a positive view of a service provider managing security keys, as it reduces the stress of managing this function, there are downsides. A third-party provider may be required to hand over data to a government, thereby losing control of the security of the document.

Is there any halfway option that avoids this loss of control? One way is to allow only the owner of the encryption keys the ability to decrypt those keys used on the public service. With this model, they own the hardware and the keys.

Yet another option is to keep the hardware on-site. This means the data and metadata is on site and provides peace-of-mind to organisations for whom security is a major priority.

In summary, the route picked by any organisation is determined by the approach that best suits its business. While some companies may prefer owning the keys due to their size and the flexibility it offers as the business changes, others will be content to hand over control to a third party. The strategy will therefore be decided by the degree of control required and capacity to adapt.

The second aspect is having 100% data residency control; a necessity that no organisation can bypass. As we see an ever-increasing layer of regulations put in place, at a national and regional level, data residency has become more important.

The issue is more prominent in Europe, in particular the 27 member states of the EU, although data residency is a worldwide factor. Many international companies aim to standardise to one single solution. Conforming to international laws is a requirement for a company with multiple offices in different regions. So, a US company with offices in Europe will need to conform to UK laws as well as those of the EU. In the US itself, interstate laws may also apply. In Europe, some countries have to keep the data in the country it was created.

To complicate matters further, different types of data have different requirements which determines where that data can be hosted and the approach that needs to be taken. An enterprise may require two solutions or just one which enables it to comply for all kinds of data.

As regulation change is inevitable and regular, enterprises should own data storage or have control over residency.  Having the agility to adapt to changing regulations can only benefit companies. Regulation change needs to be carefully considered and included in strategic planning by enterprise, allowing themselves a degree of latitude as circumstances change.

The third aspect is putting in place advanced authentication for internal collaborators. To minimise the risk of passwords being hacked, one solution is two factor authentication. Users risk leaving themselves open to hacking and breaches by reusing the same passwords and passwords with only minor variations. To avoid this vulnerability, two factor or multi-factor passwords should be used.

The fourth aspect is authenticating external collaborators. There are inherent risks with this area of authentication. Inevitably, sharing data to external partners, suppliers and clients is crucial for business success. IT needs to play a key role in controlling what is being shared, with whom and how information is being shared. In addition, IT needs to know how long data is being shared for and it must control sharing permissions which can be stopped when required. There are many examples of how sharing data and access to files can lead to security risks. One example is of participants in a webinar being given continued access to a shared company folder for over five years. During that time, the company ownership changed but access to shared information has remained the same.

The reason this factor is of greater importance is the risk of intellectual property being lost to a third party. When working with a third party on projects, sharing data happens frequently. Safeguards need to be in place so that all parties know who has rights to access or share specific information and what the terms and conditions are for that access. IT needs to provide the relevant tools to enable individuals to manage permissions. The security team’s role is to be aware of all the data being shared at any given point.

When collaboration occurs between internal enterprise users, one is safe in the knowledge that risks are to some extent contained, as the data rests within corporate boundaries. However, in many instances these days, IT must meet the needs of external collaborators for outsourced projects and work with contractors, designers and others.

The bigger challenge for IT is how to ensure confidentiality and data integrity, outside of its control. In order to achieve this, enterprises need to have in place robust policies for collaborators for authentication and have a complete view of permissions granted.

The final aspect is the risks of providing user-friendly file sharing services that come with risks to an organisation’s confidential and sensitive data. The increase in collaboration and employees behavioural change can severely impact businesses. There must be attractive advantages of using enterprise-controlled secure file sharing so users can switch from the file sharing methods they currently use.

Enterprise users have the ability to use convenient file sharing services such as Google Drive or Dropbox.  These tools allow users to access files anytime, on any device, at any location and make changes in real-time. The challenge for organisations is to implement enterprise file synching tools and policies before users start using unauthorised solutions.  This is only part of the solution. Companies need to remember that simply dealing with file sharing and not addressing the entire file data challenge will lead to problems in the long run. What is required is a solution which creates fully secure workplace collaboration.

Ensuring the user experience of the service is as good as a service such as Google Drive is crucial. If it isn’t, users will simply not want to switch over.  Users have an expectation level of file sharing services that must be matched by enterprises so that users can migrate onto more secure platforms.

When it comes to creating a file sharing strategy alongside a virtual desktop approach, it is inevitable that the user experience has to be better than the laptop experience, for it to be successful. For file sharing, the strategy must deliver what users regard as an accepted standard. One way of ensuring this happens is to enable more capabilities.

One successful technique is to have a file sharing capability which is faster, provides data protection and backup, at the same time enabling remote office and branch NAS. This will achieve the twin objectives of creating a secure environment for the enterprise and maintaining a high level of user experience.