Archive | Cloud

Records Management – Pie in the Sky (Or Should I Say Cloud)

You know, records management is not pie in the sky, or should I say cloud? Whether you are using, or thinking about using, Office 365 or a different cloud vendor, records management is certainly not advisable in the cloud. Why? The main reason you may not want to use Office 365 is if you have to meet records standards such as DoD 5015.2 or ISO 15489. It is, however, possible to use SharePoint with a third party records management solution to meet those standards.

Another reason that you may not want to put records in Office 365 is that within the Microsoft cloud-based approach your data is kept on one or many servers, and complete disposition of records (a “true” delete) is not possible within Office 365, as backups hold copies everywhere.

Having your records being sent to servers outside your home country may also be a deterrent and also not be an option for some organizations. For example, the Canadian government does not allow data to be placed on foreign/US servers.

Most of our Office 365 clients (not all) view the cloud as a venue for ‘non-secure’ collaboration. Whatever that means. Maybe it’s only my gap to bridge, but if you have information communicated with colleagues, partners, vendors, and an array of third party individuals, how would you know if information that should be tagged as a record somehow got intermingled with your ‘non-secure’ collaboration? Most likely you wouldn’t. The same would apply to security breaches or data exposures.

I still think there are quite a few considerations when using Office 365 or a similar animal. Without a plan, records management and security are just two of the issues in the cloud. What do you think? How did you, or how will you, handle them?


Do we need a Hans Brinker for Office 365 Security or is the flood unstoppable?

As a matter of fact, the little boy who stopped a leaking dike and saved the town from a flood wasn’t really named Hans Brinker. The poor little guy was never given a name in the story, and readers got confused and called him Hans Brinker (of the Silver Skates fame). After almost freezing to death, as no one came to find him until the next day, he did end up saving the town.

And, you may ask, what does this have to do with cloud security? In mid-February, Microsoft made multi-factor authentication for Office 365 available to the masses, including security enhancements for those using Yammer in SharePoint. Any vendor that adds security precautions gets a plus in my book. Unfortunately, cloud security, and even enterprise security, still needs to evolve.

I think the security marketplace should begin to turn towards security at the content asset level, as we do. We no longer need analysts to tell us of the burgeoning growth of unstructured content. We know it; most of us encounter it every day (which is why I can no longer find the files that I need). The issue is not in the security architecture or strategy, it is the inability to identify potential sensitive information exposures that are unknown. Sensitive information exists in documents, scanned items, faxed items, emails, and could be in any unstructured or semi-structured content. Many security applications can recognize industry standard descriptors such as a social security number or credit card number, but other sensitive and confidential information can exist that the organization does not wish to share.

Most exposures are caused either intentionally or unintentionally by the organization’s own staff. They can prove costly, damage brand, and increase organizational risk.
Similar to our poor little nameless boy, the problem was minuscule, as all he needed was an eight-year-old’s finger to avoid a devastating flood. The same applies to unstructured and semi-structured content: a small hole can also bring down an organization.


eMail Security in the Cloud – are you afraid (I am)?

Social – the cure all to productivity, instant communication, effective collaboration. Are you on board yet? I still read conflicting accounts about the adoption rate of ‘social’ within an enterprise. I think the tide is changing but still caution exists from upper management, and studies have shown that business users are very reluctant to change.

eMail is beloved by all – or hated. But either way, I don’t think any of us would admit that we could totally live without it. In an article by David Roe in CMSWire, ‘4 Ways to Overcome Your Fear of Moving Email To The Cloud’, he cites a study by Dell that revealed some interesting results. The Dell sponsored research, called ‘The State of Corporate Email’, was based on a survey of 202 IT professionals responsible for corporate email systems in enterprises with more than 1000 employees.

There were two key insights that I found interesting. The first is that 81% of enterprise users consider eMail their most valuable collaboration tool. So much for social. Try prying email out of the hands of these business users.

The second insight showed that the principal obstacles to moving to the cloud remain the same: availability, security and data loss. With regard to security, 80% of organizations were not considering a move to Office 365 because of security concerns and the vulnerability of eMail in the cloud.

What are your feelings about making the push away from email, or putting eMail in the cloud? Agree with the findings?


What do Barclay’s Bank, Target, Drupal, the Federal Reserve, Disney, and Apple all have in common?

Not exactly a brain teaser. I think we all know: it’s the insidious data breach. Cyber security and data breaches (either internal or external) should be a top priority in every CTO’s playbook. Surprisingly, they are not. There is probably not one organization that is immune. Although each of us could easily add to the above list, what’s the point? The point is that many organizations need to step up to the plate, sooner rather than later.

The cross-industry average for organizations that have a documented and approved information security strategy in place is 58.7% (IDC Energy Insights). Not too bad, right? Look at our list again. I would assume that most of them did have an information security plan. What went wrong? Obviously for each organization something did go wrong; some breaches may be anticipated and within your immediate control, others take you by surprise. One would not typically assume that a 17-year-old from Russia could wreak havoc on Target and Neiman Marcus.

We only focus on security at the content asset level for unstructured and semi-structured content. I am wondering, though, whether as an organization you routinely identify specific security risks, quantify them, and assess the probable impact at the ‘content’ level, meaning emails, scanned content, faxes, third party information, confidential business information, etc. How do you handle them? Are they automatically removed from unauthorized access during a search and protected against portability?

Thanks for any insight.


Is your organization a digital hoarder?

I am always appalled when I somehow get roped into watching a show on a hoarder. I do realize it is a sickness, but it always amazes me that people can live like that. But, on the other hand, I think my husband has the beginning of the disease as he saves everything ‘just in case’ he will need it (think a street sewer cover!).

Now think about your organization. There are the organizations that keep and those that delete. Both can cause organizational risk in regards to compliance, potential litigation, eDiscovery, and security breaches. According to the 2012 Compliance, Governance and Oversight Counsel (CGOC) Summit, 69% of corporate information can and should be deleted.

Interestingly, based on an article about the recent Barclay’s Bank data exposure, it appears about 1K customers were scammed into investing in rare earth metals that did not exist. The files reportedly came from the now-defunct Barclays Financial Planning business. They contained the names, addresses, phone numbers, passport numbers, national insurance (NI) numbers and savings details of customers, and information about their dependents. Quoted in the article, Steve Smith, managing director of data security firm Pentura, said: “This shows that even older customer data from closed businesses or subsidiaries can have real value if it should fall into the wrong hands.”

From the operational costs perspective, reducing storage, energy, and manpower is easily justified through an enforceable retention policy. The hard part is picking and choosing what to save and what to delete. The new buzzword of the day, the Information Governance plan, is being touted as the solution to all your challenges. Ok, I’m all for that and a big proponent of information governance, but I don’t see our client base embracing enterprise information governance as a ‘must have’. My boss always tells me I am down in the ‘weeds’. Well, that’s where most of our clients are, solving day-to-day challenges.

My question: does your organization have an Information Governance plan? Is your organization a keeper or a deleter? What are some other approaches that you feel would work, or have tried?


Bloomberg was wrong. Encryption would not have stopped Snowden.

CipherPoint is a partner of Concept Searching. This blog is well worth the read and provides value to any organization concerned with security.

The following blog was posted on the CipherPoint web site. CipherPoint identifies, encrypts, controls and audits access to sensitive and regulated data on-premises and in cloud file sharing and collaboration systems. CipherPoint’s patented technology is unique in preventing privileged IT administrators and outside attackers that target IT-level access from accessing sensitive information. The CipherPoint Eclipse solution suite secures data across file servers, on-premises Microsoft SharePoint, Microsoft SharePoint Online, Microsoft Office 365 and other cloud collaboration systems from a central data security console. A winner of the SINET 16 award as a top security company in 2012 and Cyber Defense Magazine’s Most Innovative Cloud Security Solution for 2014, CipherPoint is headquartered in Denver, Colorado.

The author, Coby Royer serves as CipherPoint’s Director of Product Management where he sets product strategy and requirements, as well as supporting customer needs. He is a seasoned veteran in cyber security, having broad and deep experience in product development and enterprise security. Coby’s experience includes entrepreneurial ventures, consulting, and work with several Fortune 1000 companies. Projects have spanned many fields, including Cloud Computing, Internet security products, financial services, social networking, intellectual property, open source, and software development tools. Coby’s previous roles include CTO, Senior Manager, Enterprise Architect, Product Manager, QA Specialist, and Software Developer. Coby holds over a dozen US patents for security and financial instruments, many as primary or sole inventor.


Bloomberg published a story last week, Encryption Would Have Stopped Snowden From Using Secrets. Bloomberg argues that encryption is key to preventing insiders from accessing and using classified data. In our view, they only got part of the story right. Encryption is a great security control, but to stop a determined system administrator you also need trustworthy key management and intelligent decryption (aka access control).

Encryption is a critical security control in these situations. Data that is encrypted using standard (i.e. not proprietary) encryption algorithms, and where the keys are properly protected, is highly secure. But there are a couple of other considerations here. First, the encryption should be applied high enough up in the technology stack to prevent sysadmins from viewing data using their application, database, or operating system administrator privilege. Low-level encryption mechanisms (such as drive encryption, TDE, EFS and BitLocker) are aimed at mitigating the risk of lost or stolen computers or disks, and they use rudimentary key management. Also, we frequently see these implemented such that the systems admins know the key, since the administrators are responsible for encryption key backups and other tasks. Implementing encryption at a higher level, for example at the web application layer, and using encryption keys on a per file/directory/user basis makes for much more robust security, including against systems administrators.

Second, it’s also critical to apply an integrated access control mechanism to make sure information is decrypted only under the expected circumstances. This too needs to be done at the application level, with awareness of the application context, user role, etc.

Done right, encryption coupled with access control can effectively mitigate insider threats (including malicious systems administrators). One final point: at CipherPoint, we pride ourselves on making this sort of security technology highly usable. Meaning, even though our product supports highly sophisticated environments, with hundreds or thousands of encryption keys, we make the technology simple to manage. And, as you might expect, our CipherPoint Eclipse products do insert at a higher layer, as suggested above, and they do couple AES-256 standards-based encryption, with FIPS validated cryptographic modules, with a robust access control capability.
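The two considerations above (encryption applied above the OS and database layers with a key per file, and decryption gated by an access-control check) as an added Go example. This is illustrative code written for this page, not CipherPoint Eclipse; the vault, the roles and the file names are assumptions, and the master key is generated in memory rather than held in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// storedFile is all that reaches disk: ciphertext (nonce prepended), the file's data key
// sealed under the master key, and the roles allowed to decrypt. Nothing is in the clear.
type storedFile struct {
	ciphertext, wrappedDEK []byte
	acl                    map[string]bool
}

// Vault is the application-layer encryption service; only it holds the master key (KEK).
type Vault struct {
	kek   []byte
	files map[string]*storedFile
}

// NewVault generates an AES-256 KEK in memory for this example; a real one lives in a KMS or HSM.
func NewVault() *Vault { return &Vault{kek: randomBytes(32), files: map[string]*storedFile{}} }
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing OS CSPRNG is not a recoverable condition here
	}
	return b
}
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes, so neither call can fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// seal encrypts data under key with AES-256-GCM, prepending a fresh random nonce.
func seal(key, data []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, data, nil)
}
// open reverses seal and authenticates the ciphertext; a wrong key yields an error, not garbage.
func open(key, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
// Store encrypts a document under a fresh per-file DEK, wraps that DEK under the KEK, keeps the ACL.
func (v *Vault) Store(name string, plaintext []byte, acl map[string]bool) {
	dek := randomBytes(32)
	v.files[name] = &storedFile{seal(dek, plaintext), seal(v.kek, dek), acl}
}

// Open checks access first: a denied role (or unknown file) never causes the DEK to be unwrapped.
func (v *Vault) Open(name, role string) ([]byte, error) {
	f := v.files[name]
	if f == nil || !f.acl[role] {
		return nil, errors.New("access denied: " + name + " for role " + role)
	}
	dek, err := open(v.kek, f.wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, f.ciphertext)
}
// RawRead models a storage or OS administrator reading the disk directly: bytes, but no KEK.
func (v *Vault) RawRead(name string) []byte { return v.files[name].ciphertext }
```

Compare this with disk-level encryption, where the same administrator reads through the mounted volume and sees plaintext; here the storage view is ciphertext and the only path to a key runs through the ACL check.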

If you are worried about the potential Snowdens in your organization or your Cloud providers’, give us a call, we have a solution!


The Three Monthly Questions to Ask, and Answer, About Your SharePoint Data Security

CipherPoint is a partner of Concept Searching. This blog is well worth the read and provides value to any SharePoint organization concerned with security.


This is meant to be a quick guide, a starting place, to get you thinking about regularly checking up on the state of your data. A good time to work on these questions may be whenever you’ve annoyed your loved one and you need something to do while hiding out, or if you just need a bit of time alone. No matter what the trigger, about once a month, grab a keyboard, pull up a chair, and see what you can find.

What type of data do I have in SharePoint, and where is it?
This is a straightforward question, but sometimes a hard one to answer. Because SharePoint is specifically designed for simple collaboration, data can and will easily flow into, and around, the system. Regular monitoring is essential to ensure that your data security policies are being followed.

Once you have located sensitive or restricted data, you need to ensure that it is where you expect it to be, probably on an internal-only site. In my research, approximately 40% of the data that appeared to be a breach of some sort (often marked something like ‘internal-use only’) was either misfiled or copied to an external site. The other 60% consists of the accidental exposure of entire libraries which should not have been open to the public.

While finding and locating sensitive data can be done in a number of ways, including SharePoint’s native search functionality, I recommend a tool like the content scanner found at http://sharepointdefenseindepth.com. This is a free-to-use, ad-free tool specifically designed for the SharePoint community to address this very question. It will find data based on regular expressions, and it produces a report on where the files were found. It has canned searches for various credit card types and US social security numbers, and an easy to use mechanism for building your own plain-text or regular expression searches.
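As an added example of what such a canned search does (written for this page; it is not the linked scanner or any vendor's code), here is a regular-expression scan for card numbers and US SSNs where each pattern is backed by a validator, so that phone numbers, mistyped digits and template placeholders are not reported, run over constructed sample text and reported by file and line.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding is one report entry: which file, which line, what kind of data, and the matched text.
type Finding struct {
	File, Kind, Match string
	Line              int
}

// Candidate patterns. Both are deliberately loose; the validators below remove false positives
// such as phone numbers, order numbers and template placeholders.
var (
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){12,15}\d\b`) // 13-16 digits, spaces/dashes allowed
	ssnRe  = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
)

// luhnValid is the ISO/IEC 7812 check digit test that every real payment card number passes.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ssnPlausible rejects ranges the SSA never issues: area 000, 666 or 9xx, group 00, serial 0000.
func ssnPlausible(area, group, serial string) bool {
	return area != "000" && area != "666" && area[0] != '9' && group != "00" && serial != "0000"
}

// Scan runs the canned searches over one file's text and returns validated hits with locations.
func Scan(file, text string) []Finding {
	var out []Finding
	for n, line := range strings.Split(text, "\n") {
		for _, m := range cardRe.FindAllString(line, -1) {
			if luhnValid(strings.NewReplacer(" ", "", "-", "").Replace(m)) {
				out = append(out, Finding{file, "payment card", m, n + 1})
			}
		}
		for _, m := range ssnRe.FindAllStringSubmatch(line, -1) {
			if ssnPlausible(m[1], m[2], m[3]) {
				out = append(out, Finding{file, "US SSN", m[0], n + 1})
			}
		}
	}
	return out
}

// sampleFiles is constructed content standing in for two SharePoint library documents.
var sampleFiles = map[string]string{
	"Finance/refunds.txt": "Refund to card 4111 1111 1111 1111 approved\n" +
		"Mistyped card 4111-1111-1111-1112 rejected by gateway\nCall 303-555-0123 with questions\n",
	"HR/new-hire.txt": "Employee SSN 123-45-6789 on file\nPlaceholder 000-12-3456 left in template\n",
}
```

Only the Luhn-valid card and the plausible SSN are reported; the mistyped card, the phone number and the 000 placeholder are dropped, which is the difference between a scanner you can act on and one that buries real exposures in noise.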

How much of my data is exposed?
This is one of the easiest to answer. Google is a great tool for this. The fastest way to get an idea of what you are exposing to the outside world is to simply type ‘site:<your-domain>.com’ (without the quotes, and replacing the bracketed text with your own domain) into a Google search. An example might be ‘site:cipherpoint.com’. This will give you a good idea of the pages potentially exposed to the public. From there you can add search terms to narrow in on the interesting data. Maybe add the term “visa”, “master card”, “social security”, or “top secret”; whatever makes sense for your organization.

Please note that I said “potentially exposed to the public.” Just because you see the document name in the search results does not mean that the data in the file is exposed. It does, however, mean that one layer of protection (your firewall) has been bypassed. If you find a file you believe has sensitive data, please try to open it. If you get a user ID/password prompt, the data may still be protected by the SharePoint ACLs. For each file like this, be sure to try to access the file, but click ‘Cancel’ without entering any login information. In my research for this paper, I found that just under 20% of the sites that prompted for a user ID and password would give access to the file after I clicked ‘Cancel’. This segues well into the next question, “Are the exposed sites configured properly?”

Are the exposed sites appropriate, and configured properly?
By default SharePoint is configured to be pretty secure. Unfortunately the ACL controls can be a bit confusing, potentially leading to configurations that are less than optimal from a security point of view. From here, you should have a small list of sites that are exposed to the public, and a good idea of what sort of data exists on said sites. Now would be a good time to correct any inappropriate content, notify the correct authorities (if confidential data was found to be exposed to the public), and pay any necessary fines.

Don’t worry, I’ll wait…

Right, now that the checks are written, let’s look at what is actually exposed to the public. The following is a list of sites that should never be exposed. If you do find these titles coming up in your Google search, you need to take action. Either make sure they are nicely tucked away behind your firewall or, if you find one that is just a regular list or library that should be open to the public, please consider renaming it to something else. Ok, now, here’s the list of names you should not see in your Google search:

“view all site content” “sign in” and “people and group”

Try the following Google search:
site:<your-domain>.com “view all site content” “sign in” and “people and group”

Make sure nothing shows up, or that they are no longer reachable.
Now, run a content scanner and/or the ‘site:<your-domain>.com’ Google search one more time, and ensure there is no sensitive data hanging out where you don’t expect it.

Conclusion
Regularly scanning your data for any anomalies in the exposed content is an important part of maintaining the overall health of your SharePoint installation. Mistakes will happen, and files will get moved to libraries where they do not belong. That is simply the nature of collaboration systems like SharePoint.
In many cases I would recommend an additional layer of protection, like transparent file encryption, to help safeguard against such mistakes. In this case, if a file containing sensitive data is accidentally moved or copied to an open site, or if a protected library is exposed to the public, any unauthorized access would only reveal encrypted file(s), not the important data inside.


Interesting Web Seminar – How the Cloud is Disrupting SharePoint

Metalogix is hosting an informative panel discussion on Office 365 and what it means to you as a SharePoint customer. This web seminar will be held on Wednesday, February 12th at 1:00pm EST. You can register here. If this is of interest to you and you can’t attend, register anyway and you will be provided with a link to the web seminar. Christian Buckley, MVP and Chief Evangelist at Metalogix, will be the host, and panelists include a variety of industry experts. Gain an industry perspective on changes in the technology landscape and what this means from a business perspective.

With Microsoft’s cloud-first strategy underway, SharePoint Online and the Office 365 platform are at the epicenter of the company’s innovation strategy. But for many SharePoint on-premise customers, this shift toward Software as a Service is more than just moving infrastructure to the cloud – it is forcing them to rethink their business requirements, re-architect their customizations and solutions, and re-examine SharePoint’s very role within the organization.

In this panel discussion with experts from some of the SharePoint ecosystem’s Best of Breed vendors, we’ll discuss the disruption happening within the community, and how their customers are planning to move forward with SharePoint on-premise, cloud, or hybrid solutions.

