What the gurus of secure collaboration couldn’t tell you – how to do it right; by David Gibson, VP of Strategy, Varonis Systems.
Collaboration has grown to be critical to many enterprises; in fact it has become a bit of a fetish, lauded by management gurus, sought after by CEOs, and with the ultimate collaboration techniques chased after by middle management for decades. It is ironic, therefore, that the huge burst of actual digital file-sharing which is at present allowing unparalleled collaboration amongst the masses in the enterprise has come about not through management strategy but through consumer pressure. The introduction of cloud-based file synchronisation such as Amazon, Gmail and iCloud has led to a state of interconnectedness which even the most visionary writer of management-speak books could not have imagined. However, as David Gibson, VP of Strategy for Varonis Systems, suggests in this article, this slow creep of interconnection through consumerisation is exposing organisations to potential criminal activity, major data breaches, increased insider threat and the multiplication of common albeit innocent mistakes. There is another way, he says, and he outlines a strategy for secure collaboration which can work within the enterprise.
Organisations are making progress in securing the enterprise and the huge amounts of data which we produce, consume and analyse. However, despite best efforts to secure that information, data breaches continue to hit the headlines day after day. There has never been a more pressing need for enterprise-level collaboration technologies that ensure that data is accessible to the right people by the right devices, stored in the right places, and protected and managed efficiently.
Faced with huge growth in mobile technologies and new free collaboration services (e.g. Dropbox), organisations need to find ways to coexist with these technologies, taking advantage of the efficiencies they bring while ensuring that their data assets are adequately protected. Employees need a secure method to collaborate and share information; if IT doesn’t provide one they will take matters into their own hands, and many already have. The challenge lies in how to transform the chaotic collaboration which, unfortunately, exists in most corporations today into organised, secure collaboration that leverages modern file-sharing and synchronisation technology without succumbing to the risks it brings.
File synchronisation services create a virtual folder on your workstation, laptop, tablet, or smart phone that looks and behaves like a regular folder: you can save files in it, browse them, open them, and edit them. Unlike normal folders, though, the files inside them are automatically copied to a system somewhere “in the cloud.” That means that they are stored on some server on the internet, and as soon as they are uploaded they are copied to all the other devices that sync with your folder and made available to all those with whom you have chosen to share and collaborate.
There are a lot of conveniences for organisations in terms of management; you don’t need to worry about things like backing up, disaster recovery, or hosting sites, as the cloud service takes care of those things (or so we assume).
For consumers, cloud services offer advantages over traditional file sharing platforms in that you have all your files whether or not you’re connected to the internet or your corporate network and you can access your files from your tablet and smart phone. The most compelling thing, however, is that we don’t have to put any thought at all into using them:
• There’s a folder
• You put files in it
• They sync, and …
• Wham! All your files are available to you and to those with whom you collaborate
The fact that we don’t need to put a lot of thought into using these services is also a big problem. The line between personal use and corporate use has blurred, and employees are storing corporate data in cloud services without corporate approval or oversight.
In fact, unless you’re actively blocking all cloud services, it’s almost certain that your employees are using them. If you do block them (without offering an acceptable solution) then it’s almost certain that your employees are using them anyway—working on their personal devices entirely outside of the corporate network.
This not only opens you up to data theft and data breaches, but exposes your company to compliance and regulatory offences which could put you out of business. Many organisations are subject to regulations concerning customer information, financial information and other types of sensitive data. Ensuring regulatory compliance is already a challenge in established IT environments – how can organisations be sure that regulated content isn’t being stored in cloud repositories where controls may not be as mature?
Some key questions organisations need to ask about cloud synchronisation services are:
• Who are these cloud service providers and how do they protect their networks?
• Are actual access events and permissions changes audited, and how can they be integrated with existing audit trails?
• How is disaster recovery performed?
• How can organisations inspect them to make sure they are behaving as they claim?
• How can organisations make sure they even have a copy of all the data an employee has created, much less make sure employees aren’t taking data when they leave?
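The second question above (are access events and permission changes audited, and can they be fed into the audit trail the organisation already has?) is concrete enough to illustrate. The script below is an added example written for this article, not Varonis code and not any real provider’s export format: it takes a handful of constructed JSON audit records from a hypothetical sync service, normalises them into a common schema alongside the on-premises trail, separates plain access events from permission changes, and flags the permission changes that grant access outside the organisation’s own mail domain (the `example.com` domain, the action names and every record are assumptions for the example).

```python
"""Normalise constructed cloud-sync audit events and flag external exposure.

Added example for this article. The export format, action names, field
names and sample records are constructed; no real provider emits them.
"""
import json
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample export from a hypothetical sync service (one JSON object per line).
SAMPLE_EVENTS = """\
{"ts": "2013-04-02T09:15:02Z", "actor": "alice@example.com", "action": "file.download", "target": "/Finance/Q1-forecast.xlsx", "grantee": null}
{"ts": "2013-04-02T09:16:40Z", "actor": "alice@example.com", "action": "share.add", "target": "/Finance/Q1-forecast.xlsx", "grantee": "bob@example.com"}
{"ts": "2013-04-02T09:18:11Z", "actor": "alice@example.com", "action": "share.add", "target": "/Finance/Q1-forecast.xlsx", "grantee": "friend@personal-mail.example"}
{"ts": "2013-04-02T10:02:55Z", "actor": "carol@example.com", "action": "share.link", "target": "/HR/salaries.csv", "grantee": "anyone-with-link"}
{"ts": "2013-04-02T10:05:00Z", "actor": "carol@example.com", "action": "file.upload", "target": "/HR/salaries.csv", "grantee": null}
"""

CORPORATE_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Map the hypothetical service's action names onto the two classes the
# article asks about: actual access events and permission changes.
ACTION_CLASS = {
    "file.download": "access",
    "file.upload": "access",
    "file.view": "access",
    "share.add": "permission_change",
    "share.remove": "permission_change",
    "share.link": "permission_change",
}


@dataclass
class AuditRecord:
    """Common schema shared with the existing on-premises audit trail (constructed)."""
    time: datetime
    user: str
    event: str              # "access", "permission_change" or "unknown"
    resource: str
    grantee: Optional[str]  # who was granted access, for permission changes
    external: bool          # True when the grant reaches outside the organisation


def is_external(grantee: Optional[str]) -> bool:
    """A grantee is external if it is a public link or a non-corporate address."""
    if grantee is None:
        return False
    if grantee == "anyone-with-link":
        return True
    return not grantee.lower().endswith("@" + CORPORATE_DOMAIN)


def normalise(line: str) -> AuditRecord:
    """Convert one raw export line into the common schema."""
    raw = json.loads(line)
    event = ACTION_CLASS.get(raw["action"], "unknown")
    grantee = raw.get("grantee")
    return AuditRecord(
        time=datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        user=raw["actor"],
        event=event,
        resource=raw["target"],
        grantee=grantee,
        # Only a permission change can widen the audience of a file.
        external=(event == "permission_change" and is_external(grantee)),
    )


def parse_events(text: str) -> List[AuditRecord]:
    """Parse a newline-delimited export, skipping blank lines."""
    return [normalise(line) for line in text.splitlines() if line.strip()]


def external_exposures(records: List[AuditRecord]) -> List[AuditRecord]:
    """Permission changes that granted access outside the organisation."""
    return [r for r in records if r.external]


def to_syslog_line(r: AuditRecord) -> str:
    """Render a record as key=value text, the shape an existing log collector ingests."""
    return (
        f"time={r.time.isoformat()}Z user={r.user} event={r.event} "
        f"resource={r.resource} grantee={r.grantee or '-'} "
        f"external={str(r.external).lower()}"
    )


if __name__ == "__main__":
    records = parse_events(SAMPLE_EVENTS)
    print(f"{len(records)} events normalised")
    for rec in external_exposures(records):
        print("EXTERNAL SHARE:", to_syslog_line(rec))
```

Run on the constructed sample it reports two external exposures: a spreadsheet shared to a personal mailbox and an HR file exposed by an anyone-with-link URL, while the share to a colleague in the corporate domain passes silently. The point of the exercise is that this classification is only possible when the provider actually exports access and sharing events in a form that can be joined to the audit trail the organisation already runs; if it does not, the question cannot be answered at all.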
In addition to the security concerns, there are issues of manageability. Cloud services are only just starting to integrate with corporate directory services infrastructures (e.g. Active Directory), which means maintaining separate user and group entities, managing access control lists in yet another system, and having processes and controls in place to demonstrate that access is maintained and reviewed consistently by the appropriate parties. Organisations are already overwhelmed with managing access controls for the data that resides inside their networks—adding an additional platform outside the infrastructure will only increase workload and complexity.
“Gartner believes that providing file synchronization across as many diverse devices as possible will be most effective in meeting user needs, thereby discouraging users from seeking unauthorised file sharing technologies.”
Based on Gartner’s assessment that “Huge Amounts of Proprietary and Regulated Data Are Leaking Onto Noncorporate Devices, Outside of Enterprise Controls and Audit Trails,” and the analysis above, here are three conclusions that can be drawn about file sharing for organisations:
1. Cloud-based file synchronisation services have become so popular that they threaten to scatter organisational assets.
2. Organisations must offer sanctioned file synchronisation services and device interoperability or they run the risk of losing control of digital assets outside the corporate LAN.
3. Today’s cloud-based file synchronisation services sacrifice a level of control and do not fully integrate with existing infrastructure.
Organisations are at a turning point: one where they either let things go as they are now, with their employees using personal devices and free cloud services to store organisational assets wherever they choose, or select a separate, cloud-based file synchronisation service that will add additional management overhead and new risks that are difficult to quantify.
However, there is another way. What if organisations could offer file-synchronisation services with their existing infrastructure, taking advantage of the storage that they already own, authenticating with their own user catalogue, and integrating with protection and management technology and processes they already have? Organisations could then offer the cloud experience with their existing infrastructure. Imagine:
- Data is stored in the right place, on storage that organisations already own
- Authentication and authorisation follow existing processes
- Existing data protection and management regimes can be utilised
Hopefully we have made it clear that organisations cannot afford to ignore creeping consumerisation and the introduction of collaboration methods into the enterprise, which can damage it fundamentally. However, consumerisation has shown that collaboration is not only possible but inherent in human activity, and a very positive force to be harnessed by the corporation. Whether we like it or not, employees like collaborating amongst themselves, and rather than losing control the enterprise has to seize on the good points of consumerisation and gently clamp down on the bad ones. It is unfortunate but true that unless organisations choose and direct a course of action and put policies into place, they run the risk of being in an impossible situation very soon—data that their organisation relies on to function, and data that they are responsible for, will be scattered over thousands and even hundreds of thousands of servers, data centres and workstations all across the globe over which they have absolutely no power. It is time for organisations to introduce a coherent policy for collaboration in place of the dangerous ad hoc creep of consumerisation which is the reality of most enterprises.