We have all witnessed the heavily publicized Snowden, Anthem and Sony incidents. And in the wake of potentially 25.7 million individuals who were affected by the Office of Personnel Management (OPM) data breach and, more recently, the Experian data breach affecting 15 million T-Mobile users, it is clear that organizations need to rethink data protection. One distinctly cloudy area is file security— which has become the new data leakage frontier.
The growth of cloud and mobile computing, the ease at which files can be shared and the diversity of collaboration methods have all contributed to file data leakage incidents. In a recent report by Enterprise Management Associates (EMA), 2015 State of File Collaboration Security, more than 80 percent of information security decision makers polled had experienced file data leakage incidents, yet 84 percent expressed moderate to no confidence in their capacity to secure confidential files. That’s like asking a mechanic, “Are you sure you fixed the oil leak in my car?” And getting the response, “I have moderate to no confidence…here are your keys.”
According to Skyhigh Networks’ Cloud Adoption and Risk Report earlier this year, 22 percent of files uploaded to a file-sharing service contained sensitive or confidential data, and 8 percent of external collaboration requests went to third party email addresses. That’s a lot of confidential files floating in cyberspace. As companies re-examine their enterprise content manager (ECM) systems and determine investments in cloud-based ECM and enterprise file sync and share (EFSS) platforms, security needs to take a front seat with usability and accessibility.
Moving to cloud-based enterprise content management systems, such as Dropbox and others, offers great benefits but also has inherent security risks. Gartner’s Cool Vendors in Printing and Imaging, 2015 report noted that: “Digital documents are very easy to share, but once you share them, you lose all control over who else might receive them, which is a big problem. With the right cloud-based tools, you can both distribute documents easily and control their distribution.” This insight was also reiterated in the EMA research report, where more than 90 percent of respondents cited the lack of protection of files leaving cloud-based platforms or device containers as the highest risk to adopting cloud-based file storage and collaboration services.
When employees place a file in a sanctioned, reputable cloud-based file storage program such as Dropbox or collaboration application such as Microsoft OneDrive, organizations can have reasonable confidence that communications and storage are secure. These systems also rely on the use of secure containers on the endpoint. While the files are in the ECM or EFSS domain, organizations have comprehensive security controls including provisioning, rights management, audit logging and file retention. ECM and EFSS vendors are investing in security. For example, Box has its Box Trust security ecosystem and recently added significant key management, file governance and watermarking capabilities. Microsoft has their Trust Center and Customer Lockbox features within Office 365. When files are in a repository, online or in an endpoint container, file owners and enterprises can readily update, recall, update and wipe files and gain insight into file use within the container.
But what happens to the file once it leaves the cloud application container on the authorized recipient’s computer? What if an employee or contractor forwards the file or loses his device? What if the shared file contains PII or information on a sensitive project? When that file leaves the network perimeter, by way of a share drive or email, or is pulled from a protected EFSS container, security provisions denigrate. We’ve all shared files with others in these systems and then copied the file onto our device, forwarded to another device or possibly shared it with another user we trust that may just be outside the scope of intended recipients. Once this occurs, the rights and controls associated with the users and the document are no longer there to prevent saving, copying, pasting, printing or even screenshots. In a digital world, security controls must be persistent for those files containing sensitive, confidential and regulated data – no matter if the file is shared internally or externally and regardless of storage, delivery and collaboration method.
This persistent file security must also provide a balance between control and usability. The majority of organizations publish policies on how to classify information and protect data. Available controls are often invoked by employees who are trusted to follow the policy. The question is how to further align technology controls with business needs and user workflows. In the aforementioned EMA survey, 70 percent of respondents believed that end users would invoke stronger security controls on files they share if empowered to do so. The key is to enable both transparent and user-directed data protection controls in a way that does not add material friction towards how users do their jobs, nor place a significant administrative burden on the IT organization.
Wondering where to start? Companies must first understand respective use cases and exposures that may exist with regards to information being accessed internally, and more importantly, shared with third parties; application hosting providers, contractors, partners, customers and even prospective customers. Aligning data protection policy with new file collaboration processes and technologies may also require re-assessing current data classification and protection mechanisms; essentially what types of information are considered to be sensitive, regulated and/or confidential and what methods of protection are required given the category of information and its use. This step is valuable in documenting how the policy and controls align to satisfy internal data protection and external data privacy compliance specifications.
When it comes to managing file data leakage risks, organizations can examine their existing portfolio of controls. While companies rely on legal instrumentation, technical controls would include firewall, cloud access security broker (CASB), gateway filtering, network access control (NAC), enterprise mobility management (EMM), data loss prevention (DLP) and enterprise content management system (CMS) technologies. IT professionals usually associate file protection with backup and encryption technologies within their network or at the gateway. But that conventional wisdom fails to protect file information throughout its lifecycle. To materially reduce the data leakage threat footprint, the last mile of defense is to protect the file itself.
Many first generation file security systems are encumbered by complex and restrictive information rights management capabilities – limited to certain user, system and application types. In today’s digitally collaborative business, file security must accommodate a broader set of applications, collaboration mechanisms and constituents. One approach to consider is next generation file encryption and usage control platforms that separate file security from file storage, distribution and management. These platforms deliver rapid implementation and flexibility since they are agnostic to a company’s existing and future infrastructure. Since they are not tied to a specific file distribution or management system, they can support a broad array of use cases, satisfy a range of security and compliance requisites and preserve end user productivity.
Since line of business leadership typically wants greater agility and information collaboration, security professionals now have the opportunity to be enablers while managing new file data leakage risks.
Scott Gordon
COO, FinalCode, Inc.
Scott Gordon, COO at FinalCode, Inc., is an accomplished leader who has helped evolve security and risk assessment technologies at both innovative startups and large organizations. An infosec authority, speaker and writer, he is the author of Operationalizing Information Security and the contributing author of the Definitive Guide to Next-Gen NAC. Scott holds CISSP-ISSMP certification.