Working together. Keeping business data safe in the cloud.
Part 3: Keeping business data safe in the cloud
Part three of our four-part blog series continuing our look at how workers and companies can work more effectively together.
Missed the second part? Read it here - Part 2: The problems of local file storage
Cloud security: An issue for our time
In computing, one of the biggest conversations of recent times has centered on the security of cloud services. Security breaches are a frequent occurrence, indeed barely a week seems to pass without some sort of data scandal news making the headlines.
Apple iCloud, SONY gaming and the notorious Ashley Madison data breaches have all raised questions over the security practices of these businesses and of the cloud in general. The overarching takeaway for everyone is to be wary.
It seems if even the biggest company by market capitalization (Apple), and the smartest organization with probably the most rocket scientists (NASA) cannot prevent network intrusion and/or data theft, then any organization or individual could fall victim…
This is not just about the security of the account information that we use to login and access cloud resident services. It’s about the access hacking provides to our personal information, including our social profiles.
And of course, it is part of the wider conversation about the misuse of personal data by organizations to either sell us goods and services or fake news and influence democratic process. However, perhaps most critically, it’s about our business information, the data that determines how our companies make money.
Data in motion and at rest
Data being processed through systems or transferred across the Internet, is in motion; when it resides in a storage repository it’s at rest. In either state it can be vulnerable. However, frequently it is encrypted to various levels of algorithmic bits, which determine how difficult it is to decrypt. 256-bit is now seen as the minimum acceptable standard.
A ‘brute force attack’ is the process of trying all the possible combinations to unlock an encrypted file. There’s a lot of calculations and technical jargon to take into account, so let’s cut to the chase: For a file encrypted with a 256-bit key, the math theory implies that it would take fifty supercomputers about 3×1051 years to go through every single possible combination. That’s pretty secure, unless a hacker gets 3×1051 lucky!
256-bit encryption makes any attempt at a brute force attack computationally demanding and time-consuming, and it likely take a lot longer than a human lifetime to crack an algorithm. So, most of the efforts of overcoming encryption usually involve doing something that is much simpler than breaking an algorithm: stealing the keys!
This is the tactic that national security organizations such as the US’ NSA, the UK’s GCHQ and Russia’s FSB employ. Success is achieved through a mix of technical prowess, computing power, legal maneuvering and skullduggery.
Despite this, the US government NSA has developed the technology to hack VPNs (encrypted internet connections) of up to 1024-bits. Other cyber weapons developed by US cyberspooks have fallen into the hands of the hacker community after being stolen and posted on websites. So, if someone out there really wants to hack and has sufficient knowledge and resources, they may well be able to do it, given enough time and sufficient motivation.
The human condition and security breaches
That said, we shouldn’t make it easy for hackers. Generally, hackers are criminal opportunists that want easy pickings and access to cash. When it comes to security breaches, it’s rather inevitable that human beings are significant points of weakness.
Poor security practice such as creating weak passwords is all too common. It has been shown that 99.8 percent of all users select passwords from a pool of 10,000 commonly used words. This is an absolute dream for a hacker using brute force techniques to gain unauthorized access to an online account or to a network.
Hackers love exploiting the human condition and our behavioral attributes, such as laziness (weak or obvious passwords), gullibility (phishing) and lock out (fear of being unable to access accounts).
The desire to get work done quickly motivates many users to resort to ‘grey’ practises like ‘shadow IT’. The most prominent example of this is where users share company data using services such as WeTransfer or Dropbox, without the knowledge of internal IT admins and where it may be against company IT policy.
Employees using free accounts on public cloud sharing platforms which follow the ‘Freemium’ business model raises issues such as:
- Not knowing where confidential data or IP is and who has access
- Data sovereignty – in which countries the data is physically stored
- Wasted time resulting from low download and upload speeds
- Exploitation of user behavior through tracking when using Freemium services for marketing (or any other) purposes
How to keep business data safe in the cloud
Sure, not all public cloud is bad! Many paid for services are hosted from shared (multi-tenanted) infrastructure platforms. But, you have to pick the right one. The sharing platform has to realize value in one way or another. If it is not raising revenue through paid subscription, then how is it making money?
To remove doubts about quality of service and keep business data safe in the cloud, it is wise to opt for a paid subscription from a reputable service provider. The aim should be to look beyond pure ‘storage’ and select a platform that adds value by layering file storage with additional capabilities. Collaboration platforms often bundle in storage and are suited to project-based workflows.
Migration to collaboration in the cloud is a strong trend that makes good sense for many businesses and organizations. When we are talking about the security advantages of collaboration platforms it is well worth considering:
Customization options provide comprehensive control and help to overcome organizational barriers, physical as well as virtual. to secure information sharing,
- Set up and configure registered user accounts to control access to data and messaging related to productivity
- Only let users have access to the data and messaging that they need to perform their roles effectively
- Easily accommodate ad-hoc sharing to occasional and one-time collaborators as well as activity with long-term external people, such as clients and delivery partners
Data and communication in one place
End disconnected silos of email and productivity files. Collaboration platforms provide a centralized point, where files and communication are in one place. The platform is in effect a hub technology, and it reduces the potential for data leakage to people that are not authorized.
Encrypted links are often used and distributed by the system to provide secure links to stored files. Sometimes these are set to expire after a time limit set by the user or admin responsible for sharing the files.
Know who has done what
Collaboration platforms often include the capability of tracking downloads and user activity. Logs of user activity enable every action to be tracked. Full audit reporting may enable productivity tracking, identifying top performing employees.
Certainty over sovereignty
Select a cloud service provider that stores data in countries or regions acceptable to your business. For EU companies GDPR compliance is a major factor. However, businesses outside the EU may prefer data to be under GDPR control because of the level of oversight by regulators.
Improved physical security
Very few conventional business premises are as secure as a purpose-built data center that conforms to recognized information security standards, such as ISO 27001. Many collaboration and storage platforms are hosted on behalf of the service provider. Amazon AWS and Microsoft Azure are just two of the major tech giants providing ‘-as-a-service’ hosting for cloud applications.
Data center’s owned and operated to the highest standards make considerations for managing a wide range of risks, including:
- Natural disasters - floods, earthquakes, adverse weather events, etc.
- Redundancy - redundant equipment ready to kick-in automatically should hardware fail
- Availability - resilience to avoid data loss and restore services quickly after an outage
- Capacity - continual assessment that resources are appropriate for supporting QoS
- Business continuity - detailed planning for return to operational status after a disaster
- Disease outbreaks - response planning should pandemic disease threaten operations
- Data center access - strong policies for employee and 3rd party access to data halls
- Access control - integrated systems for controlling, monitoring and logging site access
Legislating to make data in the cloud safer
When you are making the move over to a collaborative platform it’s a really good opportunity to review and revise internal IT policy.
At a policy level, to support making data safer in the cloud, best practice should set out that:
- All productivity files are stored and shared only on the collaboration platform
- Strong passwords are required, and lax security behaviors are unacceptable
- The business embraces cultural change - collaboration is a social business activity
The final blog of this short series is working together better with collaboration best practices Part 4: The power of automation and directed workflows.