Cloudy File Security: The New Data Leakage Frontier

Author: Scott Gordon, COO, FinalCode

We have all witnessed the heavily publicized Snowden, Anthem and Sony incidents. And in the wake of the Office of Personnel Management (OPM) data breach, which potentially affected 25.7 million individuals, and, more recently, the Experian data breach affecting 15 million T-Mobile users, it is clear that organizations need to rethink data protection. One distinctly cloudy area is file security, which has become the new data leakage frontier.

The growth of cloud and mobile computing, the ease at which files can be shared and the diversity of collaboration methods have all contributed to file data leakage incidents. In a recent report by Enterprise Management Associates (EMA), 2015 State of File Collaboration Security, more than 80 percent of information security decision makers polled had experienced file data leakage incidents, yet 84 percent expressed moderate to no confidence in their capacity to secure confidential files. That’s like asking a mechanic, “Are you sure you fixed the oil leak in my car?” And getting the response, “I have moderate to no confidence…here are your keys.”

According to Skyhigh Networks’ Cloud Adoption and Risk Report earlier this year, 22 percent of files uploaded to a file-sharing service contained sensitive or confidential data, and 8 percent of external collaboration requests went to third party email addresses. That’s a lot of confidential files floating in cyberspace. As companies re-examine their enterprise content manager (ECM) systems and determine investments in cloud-based ECM and enterprise file sync and share (EFSS) platforms, security needs to take a front seat with usability and accessibility.

Moving to cloud-based enterprise content management systems, such as Dropbox and others, offers great benefits but also has inherent security risks. Gartner’s Cool Vendors in Printing and Imaging, 2015 report noted that: “Digital documents are very easy to share, but once you share them, you lose all control over who else might receive them, which is a big problem. With the right cloud-based tools, you can both distribute documents easily and control their distribution.” This insight was also reiterated in the EMA research report, where more than 90 percent of respondents cited the lack of protection of files leaving cloud-based platforms or device containers as the highest risk to adopting cloud-based file storage and collaboration services.

When employees place a file in a sanctioned, reputable cloud-based file storage program such as Dropbox or a collaboration application such as Microsoft OneDrive, organizations can have reasonable confidence that communications and storage are secure. These systems also rely on the use of secure containers on the endpoint. While the files are in the ECM or EFSS domain, organizations have comprehensive security controls including provisioning, rights management, audit logging and file retention. ECM and EFSS vendors are investing in security. For example, Box has its Box Trust security ecosystem and recently added significant key management, file governance and watermarking capabilities. Microsoft has its Trust Center and Customer Lockbox features within Office 365. When files are in a repository, online or in an endpoint container, file owners and enterprises can readily update, recall and wipe files and gain insight into file use within the container.

But what happens to the file once it leaves the cloud application container on the authorized recipient’s computer? What if an employee or contractor forwards the file or loses a device? What if the shared file contains PII or information on a sensitive project? When that file leaves the network perimeter, by way of a share drive or email, or is pulled from a protected EFSS container, security provisions degrade. We’ve all shared files with others in these systems and then copied the file onto our own device, forwarded it to another device or possibly shared it with another user we trust who may just be outside the scope of intended recipients. Once this occurs, the rights and controls associated with the users and the document are no longer there to prevent saving, copying, pasting, printing or even screenshots. In a digital world, security controls must be persistent for those files containing sensitive, confidential and regulated data – no matter whether the file is shared internally or externally, and regardless of storage, delivery and collaboration method.

This persistent file security must also provide a balance between control and usability. The majority of organizations publish policies on how to classify information and protect data. Available controls are often invoked by employees who are trusted to follow the policy. The question is how to further align technology controls with business needs and user workflows. In the aforementioned EMA survey, 70 percent of respondents believed that end users would invoke stronger security controls on files they share if empowered to do so. The key is to enable both transparent and user-directed data protection controls in a way that does not add material friction to how users do their jobs, nor place a significant administrative burden on the IT organization.

Wondering where to start? Companies must first understand the respective use cases and exposures that may exist with regard to information being accessed internally and, more importantly, shared with third parties: application hosting providers, contractors, partners, customers and even prospective customers. Aligning data protection policy with new file collaboration processes and technologies may also require re-assessing current data classification and protection mechanisms; essentially, what types of information are considered sensitive, regulated and/or confidential, and what methods of protection are required given the category of information and its use. This step is valuable in documenting how the policy and controls align to satisfy internal data protection and external data privacy compliance specifications.

When it comes to managing file data leakage risks, organizations can examine their existing portfolio of controls. While companies rely on legal instruments, technical controls would include firewall, cloud access security broker (CASB), gateway filtering, network access control (NAC), enterprise mobility management (EMM), data loss prevention (DLP) and enterprise content management (ECM) technologies. IT professionals usually associate file protection with backup and encryption technologies within their network or at the gateway. But that conventional wisdom fails to protect file information throughout its lifecycle. To materially reduce the data leakage threat footprint, the last mile of defense is to protect the file itself.

Many first generation file security systems are encumbered by complex and restrictive information rights management capabilities – limited to certain user, system and application types. In today’s digitally collaborative business, file security must accommodate a broader set of applications, collaboration mechanisms and constituents. One approach to consider is next generation file encryption and usage control platforms that separate file security from file storage, distribution and management. These platforms deliver rapid implementation and flexibility since they are agnostic to a company’s existing and future infrastructure. Since they are not tied to a specific file distribution or management system, they can support a broad array of use cases, satisfy a range of security and compliance requisites and preserve end user productivity.

Since line of business leadership typically wants greater agility and information collaboration, security professionals now have the opportunity to be enablers while managing new file data leakage risks.

Scott Gordon

COO, FinalCode, Inc.

Scott Gordon, COO at FinalCode, Inc., is an accomplished leader who has helped evolve security and risk assessment technologies at both innovative startups and large organizations. An infosec authority, speaker and writer, he is the author of Operationalizing Information Security and the contributing author of the Definitive Guide to Next-Gen NAC. Scott holds CISSP-ISSMP certification.
