Monday, May 5, 2014

[infosecinstitute] Cloud-Based File Sharing Websites: A Data Security Disaster Waiting to Happen?

Have you ever stopped to consider the sensitivity and potential value of the information you have distributed using the many widely available file sharing websites?
These types of sites have seen considerable uptake in recent years, as users struggle to share large files whilst battling standard email file size and gateway limits imposed by IT departments. Many users would argue that restrictions placed on them by central IT policies leave them with no choice but to look for alternative ways to send ‘must share’ data. However, although these sites may seem easy to use, they also pose a considerable data security and compliance risk to corporate networks.

Understanding the Data Security Threats
While many file transfer sites claim to have invested heavily in security and authentication mechanisms designed to keep user data safe, recent stories in the press have caused many to question this:
Typically, security breaches can be traced back to one of the following causes – or in some cases, both.
Access control
By their very nature, consumer file transfer sites have been designed with ease of access in mind. Internal and external access to documents and information enables users to share content and work collectively on files, which in turn offers substantial efficiency and cost-saving potential. However, if insufficient access control mechanisms are put in place, the risks to data protection can be significant.
In many cases, once a user has gone through the initial authentication process steps, there is nothing to stop them from sharing personal or commercially sensitive data with an extended group of external third parties. Additionally, with no auditing or tracking capabilities, in many cases an organisation’s IT team will have little to no visibility over what information has left the corporate network.
This reduced control also extends to the types of devices and applications that are used to access the data. With links being forwarded to different email addresses, for instance, sensitive information can be downloaded onto personal laptops. This is not only a concern due to potential malware or viruses existing on these devices, but it also means that individuals can continue to access certain information after they have left a project, or even the company.
The hacker / cyber security threat
The recent disclosure of the Heartbleed bug and the ease with which hackers have bypassed the security / authentication mechanisms of many websites that were previously perceived as secure raise a more fundamental security concern. As Dropbox found out when they were hacked two years ago, the consequences of unauthorised users gaining access to unencrypted data can be disastrous. An attentive reading of the security credential webpages of many file transfer service providers shows that although they may have taken steps to protect data in transit using TLS, very few have taken steps to encrypt information at rest.
A Secure Approach to File Transfer
These factors pose significant threats to data security – however, they shouldn’t be used as excuses to avoid effective file sharing through Cloud-based service providers. Organisations should be able to take advantage of the benefits offered by file transfer sites, such as time and cost efficiencies, without compromising their data security.
Investment must be made in suitably secure platforms. Sensitive data needs to be encrypted both in transit and at rest, and appropriate access control mechanisms need to be implemented so that organisations and central administrators have full visibility and control over who accesses information – including the ability to restrict the access rights of those no longer relevant to the project, such as ex-employees.
In addition, independent certification can provide further reassurance for users and their IT departments. CESG’s Foundation Grade CPA programme, for example, certifies commercial security products for use by government, the wider public sector and industry in lower threat environments. Products that are awarded this certification have to meet a detailed set of characteristics and security principles, and as such, demonstrate that the technology and supporting business processes behind them can be fully trusted to protect sensitive information during the data sharing lifecycle.
Managing File Transfer Services
Aside from data security concerns, file transfer sites can also present service management and integration issues. For many, these sites are seen as separate from traditional email and online collaboration solutions, which means they are procured, developed and managed differently, with solutions kept in isolation from one another. The result is data silos, system complexity, unnecessary costs, additional ongoing management overhead, and low end-user take up.
In the absence of a centralised solution, various file transfer sites are often used on an ad-hoc basis, again making it difficult for IT staff and senior management to maintain visibility over what information is being shared where and with whom. Similarly, managing multiple sets of credentials for separate email and file transfer services can create problems for users, who may resort to using insecure websites as a solution to this. Not only does this risk a data breach but it also impacts efficiency – one of the reasons these services are used in the first place.
An Integrated Approach to File Transfer
To simplify this process and increase centralised control over the information that employees are sharing with external third parties, an integrated approach to data management needs to be taken. This involves procuring file transfer solutions as part of a broad information sharing platform that also includes secure email and collaboration functionality. Moreover, it is also important that these services sit well within an organisation’s existing infrastructure to improve workflow and business processes.
Benefitting from Cloud Services
File transfers shouldn’t be an issue that makes senior management and IT departments uncomfortable. Visibility over personal and commercially sensitive information shared with third parties shouldn’t be sacrificed to benefit end-user ease of use, and similarly, workplace efficiency should only be impacted positively by file transfer solutions.
The benefits of Cloud services, data protection, and an integrated approach to secure communication shouldn’t be mutually exclusive.
