The disappointing truth regarding data privacy and security
By Saimon Michelson, Product Manager, CTERA Networks
With thousands of the tech industry’s security experts converging at Black Hat in Las Vegas this week, what better time to talk about privacy, security and the cloud, topics that appear in various forms on the Black Hat sessions schedule.
While the great thing about cloud services today is that they’re ubiquitous, their troubling downside is that you never know where your data resides or who has access to it. Cloud providers boast compliance with the highest security standards, including state-of-the-art physical protection of hosting facilities, electronic surveillance and ISO 27001 certifications, to name a few.
While such efforts may sound impressive, in reality they offer absolutely no defence to enterprises seeking a security model that cannot be owned, and provide no protection against government data requests, blind subpoenas and clandestine spying.
There are a number of examples of regulatory challenges facing enterprises that want to adopt cloud computing. The US Patriot Act stipulates that the US government may collect data from US-based cloud companies regardless of the data’s physical location. As part of the PRISM program, the NSA secretly collects Internet communications from major US Internet companies, including Google and Microsoft.
Adoption of popular Enterprise File Sync and Share (EFSS) services has been further impacted by data residency laws and privacy regulations that require an organisation’s information to be tightly controlled, and prohibit moving data outside of defined jurisdictions.
Enterprise key management to the rescue? Think again
Many SaaS companies will tell you that it matters less where the data is physically located, and more where the encryption keys are managed. One way around data privacy and residency regulations is encrypting everything before sending it to the cloud, and keeping the encryption keys on-premises, while allowing the encrypted data to be stored at public cloud providers. This is sound advice.
Attempting to implement this idea, many public cloud file services have announced their support for enterprise key management (EKM) to push security-conscious, cloud-averse organisations to adopt the cloud by placing the encryption keys in the customer’s hands.
While at first this may seem like a good approach to data security, it’s neither sufficient nor comprehensive.
Since large portions of the enterprise file sync and share functionality (essentially everything except the key storage) are in the public cloud, you still need to trust that your service provider:
1. Wasn’t instructed by the government to install an auditing device, responsible for tapping and recording ALL of your data, metadata, encryption keys and user identities.
2. Won’t impersonate your user accounts to access their data.
3. Won’t generate links or collaboration shares to data on behalf of your users.
4. Doesn’t cache the keys that are used to encrypt your files.
Furthermore, EKM, whether cloud-based or on-prem, provides only a ‘post-mortem’ solution for keeping data out of the wrong hands. What can you do about the data compromised between the time the security breach started and the time you received the notice and decided to revoke access on your EKM server? And after doing so, your entire file service is now inaccessible to your corporate users.
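The exposure window described above, together with the key-caching concern from the list before it, can be measured from a key server's release log. The following is an added example, not from the article or any vendor: the log format, file names and the `cache_ttl` model of provider-side key caching are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed key-release audit log (hypothetical format): time, result, file id
SAMPLE_LOG = """\
2015-08-03T08:40:00 RELEASE contracts/acme.pdf
2015-08-03T09:55:00 RELEASE hr/salaries.xlsx
2015-08-03T10:20:00 RELEASE design/roadmap.pptx
2015-08-03T11:05:00 RELEASE hr/salaries.xlsx
2015-08-03T13:30:00 RELEASE finance/q3.xlsx
2015-08-03T14:10:00 DENY finance/q3.xlsx
"""

def parse_log(text):
    """Turn log lines into (timestamp, result, file_id) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, file_id = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), result, file_id))
    return events

def exposure(events, breach_start, revoked_at, cache_ttl=timedelta(0)):
    """Return (files whose keys were usable during the breach, end of exposure).

    Assumed model: the provider may hold a released key for cache_ttl,
    so a key released at time t is usable until t + cache_ttl.
    """
    exposed = set()
    exposure_end = revoked_at
    for ts, result, file_id in events:
        # Denied requests and anything after revocation release no key.
        if result != "RELEASE" or ts >= revoked_at:
            continue
        cached_until = ts + cache_ttl
        # Exposed if released during the breach, or still cached when it began.
        if ts >= breach_start or cached_until > breach_start:
            exposed.add(file_id)
            exposure_end = max(exposure_end, cached_until)
    return sorted(exposed), exposure_end

if __name__ == "__main__":
    start = datetime(2015, 8, 3, 10, 0)
    revoked = datetime(2015, 8, 3, 14, 0)
    print(exposure(parse_log(SAMPLE_LOG), start, revoked))
    print(exposure(parse_log(SAMPLE_LOG), start, revoked, timedelta(hours=2)))
```

With no caching, exposure ends at revocation; with a two-hour cache, a key released before the breach is also exposed and the last cached key outlives the revocation.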
Your enterprise data service needs to provide you with controls that will enable you to take proactive measures and adhere to secure file transfer standards to prevent sensitive corporate data loss or leakage.
After meeting data residency compliance and regulations, what else should you look for in your choice of data service?
1. Ensure that you are not compromising your corporate user identities:
User identities are subject to hacking and are compromised on a daily basis. The Identity Theft Resource Center (ITRC) reports over 348 identity theft breaches documented since January 2015 in government institutions, medical/healthcare organisations, credit card companies, etc. Enterprises must protect their corporate user identities since loss of user identity is likely to result in loss of the user’s corporate data.
2. Ensure you are not compromising your corporate metadata:
Collecting evidence on the existence of data and its properties could pose as much of a threat as losing the data itself. Some cloud storage solution providers do not adhere to this strategy and keep all of their customers’ metadata centralised in a public place, thus indirectly asking enterprises to put their faith in them, which poses a significant risk to data confidentiality and integrity.
Understanding the risks of introducing a file sharing service
Today’s organisations, needless to say, rely on data confidentiality to protect their intellectual property and maintain their competitive edge. On the other hand, cloud file sharing services, by their nature, were designed for two-finger-tap, fire-and-forget sharing, to increase user productivity. This results in exponential growth in the number of shares, including third-party shares (broadening the user’s collaboration circles), and instigates a conceptual change in how users attach importance to their data.
Now, assuming all collaboration shares are created between internal corporate users, the problem is somewhat contained as data still resides inside corporate borders. But that’s hardly the case these days. Today, IT is required to satisfy external collaboration needs to accommodate outsourced projects and enable collaboration with external private contractors, designers, etc. The question then becomes: how would you ensure the confidentiality and integrity of data when it resides outside of your jurisdiction?
The existence of such easy-to-use file sharing services, the growth in user collaboration needs, and the behavioural change among today’s users pose a huge risk to your organisation’s sensitive data that may ultimately have a severe impact on your company’s business.
Bullet-proofing your enterprise data services
In this age of cyber threats and exponential data growth, organisations cannot afford to take the optimistic approach or put on blindfolds and pray that their company’s sensitive information doesn’t get compromised. Breaches are the new normal.
Privacy is not passive, and reality shows that investments must be made in solutions that provide controls for applying both network and application security. For some of the hackers’ greatest hits, feel free to visit this visualisation of the world’s most significant corporate and government data breaches.
To ensure a complete, bullet-proof data service, there are certain components you must own and control.
You must own your corporate:
• User Identities
• Encryption Keys
You must control your corporate:
• Data Residency
• Network Countermeasures
• Internal and External Sharing Policies
And at all times, you need to ensure that you’re in the driver’s seat, and that you didn’t hand over your car keys along with your corporation’s data security and privacy to someone else. As your company’s security expert, you are the one chosen to protect your organisation’s data. Our recommendation is to invest in a system that allows you to apply your corporate policies and integrate your corporate security countermeasure systems while gaining continuous insight into your corporate users’ usage patterns.