Monday, 23 February 2015

Industry voice: From lust to pride: the seven deadly sins of file sharing


With relatively recent high profile breaches like the iCloud affair still in our minds, it's time to take a long hard look at the risks posed by SaaS file sync and share (FSS) solutions. It's been said many times that such solutions are not secure – but let's go beyond the slogans, dissect what exactly they are doing that's so unseemly, and what conclusions businesses should draw from all this.


In order to understand the pattern, I've gone back over the past year or so to examine various incidents, and magically ended up with seven of them – and so I bring you the seven deadly sins of file syncing and sharing.


Lust


Hackers are lusting after your FSS data: As reported by a Google study early last year, and demonstrated also by a Dropbox disclosure in 2012, account hijacking is a common threat.


The possibilities for hackers are endless – in many cases they simply used the accounts to target users with spam, but given that FSS services sync files to your computer, access to accounts can easily be used to insert malware into users' PCs, or indeed for anything from keylogging to infiltrating enterprise systems. Naturally, the more widely used services are more likely to be targeted by hackers.


Your penance: There are ways to mitigate such risks. User authentication through Active Directory integration, frequent password changes, and two-factor or multi-factor authentication can all do a lot to prevent account hijacking.


Gluttony


Big Brother will gobble up your data: As was revealed by Edward Snowden, the National Security Agency's PRISM program taps into user data from a variety of US-based service providers including Apple, Google, and others. Dropbox has also been receiving requests for disclosure, and one can only guess how much data is collected by other means that don't involve the NSA asking nicely.


Your penance: If you want to make your files less appetising and less accessible to intelligence agencies, you can either go completely private on your own infrastructure, or use a cloud service that allows you to encrypt your data at the source and be the sole owner of the encryption keys.


Greed


Global encryption key, de-duplication across all accounts equals more money: Look at any FSS provider and they will tell you that your data is encrypted with military-grade encryption. That's about as useful as knowing that your house has a door and it's locked. But who holds the key? And how many other doors use the same key?


Dropbox was sued in 2011 for misleading users on security, and changed their security statement as a result. But the truth remains that they (and many other providers) continue to de-duplicate all files across user accounts to increase storage space utilisation and optimize their profit margins – pure and simple.


With companies like Box losing nearly $170 million (around £110 million, AU$220 million) in only 12 months, it's no surprise that SaaS vendors are feeling the pressure to make profits at the expense of your security. That may be okay for consumers – who cares if their photo of the Eiffel Tower is de-duplicated against the almost identical variations that millions of other people uploaded – but for enterprises this is unacceptable in terms of security and privacy standards, and could also raise serious compliance issues.


Your penance: Verify that your provider gives you control of the encryption keys.


Sloth


Comfort trumps security: This one is on us, folks – the users. Almost all FSS providers have options for two-factor authentication and strong passwords that would have prevented breaches like the iCloud celebrity photo leak, but usually they don't enforce them. Therefore users take the path of least resistance and leave themselves vulnerable to breaches.


Your penance: In a business setting, IT should enforce such policies. At the very least you should control your encryption keys and enforce strong password policies.


Wrath


Be prepared to incur the wrath of your CFO: Enterprise users who use unsanctioned FSS services may cost the enterprise more money than was previously estimated. A recent study found that the use of such services is multiplying the cost of data breaches due to the lack of IT control. Whereas previously a leaky application or server could just be shut down, now a breach involves many (sometimes unknown) service providers. It puts a big dollar sign on the cloud services sprawl issue.


Your penance: Simply put – don't use cloud services that don't have the stamp of approval from IT for business use, tempting as it may be.


Envy


What do we do? We covet – your files: Microsoft OneDrive for Business, as it turns out, inserts code into synchronised files, thus altering them (note – this is not metadata enveloping the file, it's inside the file). The issue was discovered when compatibility issues arose with Office files.


On principle, it is unacceptable to have your entrusted files tampered with. It can also cause major problems for businesses that need to comply with Sarbanes-Oxley, HIPAA or any regulation that demands proof of data integrity and no tampering.


Your penance: Ensure that the solution you're using guarantees zero tampering, and provides data integrity checks.


Pride


Oh, the hubris: File sync and share providers constantly pretend that they can replace backup. FSS is very useful, but it is no substitute for backup, for a variety of reasons. It is bi-directional sync, so a file deleted locally is also deleted in the cloud; and versioning is limited.


Your penance: If you're planning to use FSS as backup – don't. Use a backup solution for backup, and better yet, find a solution that offers both functions from a single client.


Steer clear of the cloud?


So with all this happening, does that mean that the cloud is inherently unsafe for business?


No. Nothing is 100% safe, but cloud services can be (and many are) just as safe as in-house enterprise IT services, and in the case of smaller companies sometimes safer – because tier 1 cloud providers abide by the strictest practices demanded by their blue-chip clients.


Keep this in mind – very few companies can manage both consumer-grade services and enterprise-grade services and do justice to both. In such cases I would expect such solutions to be completely separate from each other – run by different divisions, in different data centres, with different admins and support staff.


The requirements and economic incentive for consumer versus enterprise solutions are diametrically opposed, and reconciling them is improbable to the extreme. If you plan to use a service that caters to both types of audiences, verify the measures they are taking to keep them apart.


What else can you do? Dig one level deeper than the security slogans, and ensure that the services or software you are using have these features:



  • Source-based encryption: Encrypting your files before they are sent to the cloud. This is in addition to TLS/SSL in-transit encryption

  • Private encryption key management: The ability to control your encryption keys exclusively, preventing service provider staff and other third-parties from accessing your files when stored in the cloud

  • Password policy enforcement: Ability to enforce use of strong passwords and password expiration period on users

  • Two-factor authentication: Ability to require two-factor authentication (via email or SMS) for account/device activation as well as shared link access

  • Data integrity checks: Preventing 'man in the middle' attacks and tampering with your files by ensuring that the data which arrived in the cloud is the same data that left your device. This is typically done using hashes or fingerprinting such as the SHA-1 standard
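The Greed section (de-duplication versus who holds the key), the Envy section (files altered after they leave your device) and the feature list above can be made concrete with a small model. The following Python is an added example, not code from the article or from CTERA. It uses only the standard library; the stream cipher is a toy built from HMAC-SHA256 for illustration and is not a production cipher; and it fingerprints with SHA-256 where the article mentions SHA-1, since SHA-1 is no longer considered collision-resistant. The user names, keys and sample document are constructed for the example.

```python
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """Toy CTR-style stream cipher: keystream block i = HMAC-SHA256(key, nonce || i).
    XOR is its own inverse, so the same function encrypts and decrypts.
    Illustration only: real software should use AES-GCM or similar."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def derive_user_key(passphrase):
    """Stand-in for a customer-held key (constructed; a real deployment would
    use a KMS or a proper KDF)."""
    return hashlib.sha256(b"user-key:" + passphrase).digest()


def encrypt_convergent(plaintext):
    """Content-derived key and nonce (convergent encryption). Every user who
    uploads the same file produces the same ciphertext, which is what lets a
    provider de-duplicate across accounts; the flip side is that the provider,
    or anyone able to guess a file's contents, can confirm who holds it."""
    key = hashlib.sha256(plaintext).digest()
    nonce = hashlib.sha256(b"nonce:" + key).digest()[:16]
    return key, nonce, keystream_xor(key, nonce, plaintext)


def encrypt_private(user_key, plaintext):
    """Source-based encryption with a customer-held key and a random nonce.
    Ciphertext differs per user and per upload, so the provider can neither
    read the file nor de-duplicate it against other accounts."""
    nonce = os.urandom(16)
    return nonce, keystream_xor(user_key, nonce, plaintext)


def decrypt(key, nonce, ciphertext):
    return keystream_xor(key, nonce, ciphertext)


def fingerprint(data):
    """Integrity fingerprint taken at the source, before upload."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(expected_fp, received):
    """True only if the bytes that came back are exactly the bytes that left."""
    return hmac.compare_digest(expected_fp, fingerprint(received))


def provider_can_dedup(blob_a, blob_b):
    """What a storage back end sees: identical blobs can share one stored copy."""
    return blob_a == blob_b


def run_demo():
    doc = b"Q3 board deck (constructed sample file)"
    # Two accounts upload the same file under each scheme.
    k1, n1, c1 = encrypt_convergent(doc)
    _, _, c2 = encrypt_convergent(doc)
    na, ca = encrypt_private(derive_user_key(b"alice"), doc)
    nb, cb = encrypt_private(derive_user_key(b"bob"), doc)
    # Simulated alteration in the cloud: extra bytes appended to the file.
    tampered = decrypt(k1, n1, c1) + b"<!-- inserted by provider -->"
    fp = fingerprint(doc)
    return {
        "convergent_dedup": provider_can_dedup(c1, c2),
        "private_key_dedup": provider_can_dedup(ca, cb),
        "round_trip_ok": decrypt(derive_user_key(b"alice"), na, ca) == doc,
        "intact_passes": verify_integrity(fp, doc),
        "tamper_detected": not verify_integrity(fp, tampered),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

Running it shows the trade-off the article describes: with content-derived keys the two uploads are byte-identical and the back end can keep one copy, while with customer-held keys and random nonces the same file is stored as two unrelated blobs that the provider cannot read or merge. The fingerprint taken before upload catches any change made after the file left the device, whether by an intermediary or by the service itself.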



Rani Osnat is VP Strategic Marketing & Customer Experience at CTERA




http://ift.tt/1zzZYy8
