IT lessons from iCloud: the increasing need for file-centric security

Protect your precious data
Protect your precious data

I don't need to tell you about the Apple iCloud hack which happened late last year, of course – plenty enough has been said about that since it occurred. However, I do want to tell you what your organisation should take away from this infamous incident: it is critical to think about the security of your information at the file-level, rather than the device-level.

Data-centric protection is critically important, particularly in business, and particularly for files, whether they are selfies or strategy PowerPoints. With the relentless growth of Dropbox and iCloud, the walls around the typical organisation have disappeared. The only solution is to build new walls around the data itself.

Zero control

For a long time, information security groups like the Jericho Forum have worked to help organisations understand that their firewalls were no longer protecting their data in any meaningful way. As the iCloud attacks made abundantly clear, files are now moving between clouds and devices in both automated and manual ways, most of which involve exactly zero choke points for IT to control that data flow.

In last year's iCloud attack, for instance, the prevailing theory is that celebrities' iCloud accounts were compromised via what amounted to elaborate social engineering, and the backups of their personal photos were synced not to their own devices, but to devices belonging to the attackers.

This type of compromise is exceedingly difficult to defend against. An IT organisation considering the security of the files that nearly all its users work with will find few good options. Using mobile device management software to turn off iCloud may be an option, but that will push users (who are, after all, chiefly interested in getting their work done) into the arms of free or freemium file sync and share services.

Ignorant bliss

The simple truth is that many businesses suffer from a false sense of security when it comes to popular box storage services. Right now employees are using these services to access sensitive company data without really being aware of the vulnerabilities inherent in these freemium services. The content stored in them is only as secure as the people accessing it, with access controls disappearing the moment a user syncs files to an unmanaged device or opens a file in a third-party app. Additionally, these services create a lot of confusion around who owns what, especially when an employee leaves.

File sync and share technologies have evolved significantly as enterprises have begun using them en masse. The critical feature to ensure is that they can be safely used by organisations with sensitive data to protect. Keeping files encrypted until an authorised user authenticates to work with them, enabling organisations to control functions like sharing and printing, as well as establishing an audit trail of actions taken with the files on any authenticated device are critical considerations.

Additionally, these technologies (also known as information rights management, or IRM) enable organisations to revoke access to the sensitive files whenever they choose, leaving attackers, former employees, or disgruntled insiders in possession of a lump of encrypted data and not the corporate crown jewels, regardless of where the file has been copied, synced or sent.

Security and usability

Critically, though, IRM cannot be a hindrance to users if this is all to work as designed – there are simply too many workarounds in every app store. IRM must work across all devices (and the web), and technologies that use it must meet the twin challenges of making files both secure and usable everywhere they need to go in the course of a business workflow.

That means the following must be possible:

  • Enabling work wherever you are and with whomever you are working
  • Using any device suitable or available to read, or annotate a document
  • Sharing work-in-progress with a few, and publishing authoritative content to the many
  • Protecting intellectual property and sensitive information (whether at rest or in transit) on-premises, in the cloud, or on a device
  • Satisfying the different needs of the casual user and the power user
  • Being as useful on a mobile device as on a traditional computer
  • Working with line-of-business and collaboration systems that the business already owns, as well as those that it is thinking of getting

Business efficacy, regulatory compliance, information security, and employee productivity are all affected by the way employees create, edit, process, and share documents, so the selection of enterprise file sync and share products is very much on the critical path of IT-related business investments.

Let's face it: one of the key challenges facing CIOs and IT managers today is managing BYOD and how they try to regain control of enterprise content without impacting on productivity and creating mass user disenchantment.

The basics

Considering how digitally advanced we have become, we are still remarkably naïve about basic internet security. The most common techniques used by hackers have been the same for years: social engineering, phishing attacks, remote access tools (RATs), and password recovery and reset prompts. While these aren't overly sophisticated methods, users fall victim to them time and again.

Enterprises need to make secure mobile and online practices a priority. They also need to consider a more file-centric security approach – especially if content is going to be accessed by employees from personal mobile devices or shared with external business partners.

Phishing attacks may be more sophisticated – poorly written emails from foreign princes giving away their fortunes are increasingly rare – but these attempts are still fairly obvious if you know what to watch for. Therefore frequent security training should also be a requirement to ensure employees know how to identify and avoid these ploys.

While most enterprises aren't concerned that their own privacy will become fodder for public consumption in the way that celebrities' selfies did, the iCloud affair should still serve as a cautionary tale about consumer-based cloud services that every enterprise employee and employer should consider.

  • Ryan Kalember is Chief Product Officer at WatchDox