Risk
10/16/2012
01:47 AM

Keeping Data Out Of The Insecure Cloud

Companies looking to keep their data safe need to give their employees a choice of solid file-sharing services and apps. Otherwise, it's back to their insecure favorites.

File sharing is both a boon and a danger to companies.

While speeding communications between employees and corporate partners, unrestricted file sharing carries with it the risk of leaking sensitive information. Services such as Dropbox, Google Drive, Apple's iCloud, and Microsoft SkyDrive allow workers and consumers to share files and collaborate, while at the same time increasing the likelihood that attackers get access to -- or malicious insiders make off with -- confidential documents.

"There is no way that you can be totally sure that people are putting enterprise data somewhere where they shouldn't," says Dimitri Volkmann, vice president of product strategy for enterprise technology provider Good Technology, which provides mobile business software and platforms. "It's an illusion to think it's possible."

Yet companies cannot ban the tools for collaboration because the benefits of quickly sharing files are just too high. Three-quarters of small and midsize businesses, for example, have adopted file sharing for productivity reasons, according to a June survey funded by software-security firm Symantec. Other research, by analyst firm Aberdeen Group, found that two-thirds of best-in-class companies use secure file sharing, while only a third of laggards use the technology.

"The evidence is that the top performers continue to address the need to share data through secure, reliable and well-managed commercial solutions, while all others, perhaps overwhelmed (by complexity) may be losing control of their policies and processes in this area," Derek Brink, vice president and IT research fellow with Aberdeen, stated in the report.

To secure their data, companies need to set strict policies and educate their employees on the dangers of unrestricted file sharing. Yet using just the stick will not work; you need a carrot as well, says Good's Volkmann.

"Because of the nature of the bring-your-own-device [BYOD] trend ... from an IT perspective, if you don't find a way to give your employees a solution that is secure, they will find an insecure one," he says.


To convince workers to use a service, it has to be well-designed, Volkmann says. Companies should focus on providing consumer-friendly, but secure, options to file sharing and regain control of the policies securing the data.

Nearly 80 percent of companies using secure file-sharing service Accellion, for example, deploy the company's on-premises solution to create a private storage cloud. Employees can use the infrastructure to share documents and collaborate no matter where they are located, while the risk and compliance team retains the ability to monitor controls.

"It is important for an enterprise to pick a solution that offers the capabilities that end users are used to in a solution like Dropbox, but provide the IT folk with the security controls and the compliance reporting," says Hormazd Romer, senior director of product marketing for the firm.

Startup WatchDox has taken a similar approach, but focused on providing detailed monitoring of security controls while keeping the end user's experience simple.

Another aspect of managing the risk: When dealing with a cloud service, companies need to pay attention to the rights that a storage provider has to the enterprise data, Accellion's Romer says. In addition, while any modern file-sharing service should strongly encrypt the user's data, companies should be concerned about where the keys for that data are kept. Encryption keys stored with the data allow the service provider -- and possibly an attacker who compromises the provider's storage -- to easily access the data.
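The key-custody point above is the one a practitioner can actually test. The following Go program is an added illustration, not code from the article or from any of the vendors it quotes: it models the pattern in which a document is encrypted with AES-256-GCM under a key that stays with the enterprise, and only the ciphertext, nonce and object name are handed to the storage provider. The object name is bound as associated data so a blob cannot be quietly swapped for another file. The function and type names, and the sample document, are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the file-sharing provider ever holds: the
// ciphertext plus the public parameters needed to decrypt it, never the key.
type StoredObject struct {
	ObjectID   string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// NewEnterpriseKey generates the 32-byte key that stays on premises (in a
// real deployment inside an HSM or key-management service, not beside the data).
func NewEnterpriseKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// newAEAD builds the AES-256-GCM primitive and rejects keys of the wrong size.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUpload encrypts a document before it leaves the company. The
// objectID is authenticated as associated data, so a ciphertext stored under
// one name cannot later be served back under another without detection.
func EncryptForUpload(key []byte, objectID string, plaintext []byte) (StoredObject, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per object
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredObject{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(objectID))
	return StoredObject{ObjectID: objectID, Nonce: nonce, Ciphertext: ct}, nil
}

// Download decrypts a stored object with the enterprise key. Whoever holds the
// object without the key (the provider, or someone who copied its storage)
// gets an authentication error here rather than the document.
func Download(key []byte, obj StoredObject) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(obj.Nonce) != aead.NonceSize() {
		return nil, errors.New("malformed object: wrong nonce length")
	}
	return aead.Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.ObjectID))
}

func main() {
	key, err := NewEnterpriseKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; in practice this is the file being shared.
	doc := []byte("constructed sample document: Q3 pricing draft")
	obj, err := EncryptForUpload(key, "contracts/q3-pricing.docx", doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d ciphertext bytes for %s\n", len(obj.Ciphertext), obj.ObjectID)

	// The provider's view: it has the blob but not the key, so it gets an error.
	providerKey, _ := NewEnterpriseKey() // any key that is not the enterprise key
	if _, err := Download(providerKey, obj); err != nil {
		fmt.Println("provider without the enterprise key cannot read it:", err)
	}
	// The enterprise's view: the key never left, so the document comes back.
	back, err := Download(key, obj)
	if err != nil {
		panic(err)
	}
	fmt.Printf("enterprise recovers: %q\n", back)
}
```

The contrast with the weak design the article warns about is in where `key` lives: if the provider stored it alongside `StoredObject`, `Download` would succeed for anyone who could read the storage, and the encryption would protect against nothing but casual disk access.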

Good's Volkmann stresses that IT managers should not expect a perfect solution -- employees can bring in a personal device to get around any reasonable security a company's IT department can create.

"At the end of the day, employees could have a BlackBerry in their right pocket and a personal iPhone in their left pocket," he says. "It is really about education and giving them the right tools."
