Your penance: In a business setting, IT should enforce such policies. At the very least you should control your encryption keys and enforce strong password policies.
Be prepared to incur the wrath of your CFO: Enterprise users who use unsanctioned FSS services may cost the enterprise more money than was previously estimated. A recent study found that the use of such services is multiplying the cost of data breaches due to the lack of IT control. Whereas previously a leaky application or server could just be shut down, now this involves many (sometimes unknown) service providers. It puts a big dollar sign on the cloud services sprawl issue.
Your penance: Simply put – don't use cloud services that don't have the stamp of approval from IT for business use, tempting as it may be.
What do we do? We covet – your files: Microsoft OneDrive for Business, as it turns out, inserts code into synchronised files, thus altering them (note – this is not metadata enveloping the file, it's inside the file). The issue was discovered when compatibility issues arose with Office files.
On principle, it is unacceptable to have your entrusted files tampered with. It can also cause major problems for businesses that need to comply with Sarbanes-Oxley, HIPAA or any regulation that demands proof of data integrity and no tampering.
Your penance: Ensure that the solution you're using guarantees zero tampering, and provides data integrity checks.
Oh, the hubris: File sync and share providers constantly pretend that they can replace backup. FSS is very useful, but it is no substitute for backup, for a variety of reasons. Sync is bi-directional, so a file deleted (or corrupted) locally is also deleted (or corrupted) in the cloud, and versioning is limited.
Your penance: If you're planning to use FSS as backup – don't. Use a backup solution for backup, and better yet, find a solution that offers both functions from a single client.
Steer clear of the cloud?
So with all this happening, does that mean that the cloud is inherently unsafe for business?
No. Nothing is 100% safe, but cloud services can be (and many are) just as safe as in-house enterprise IT services, and in the case of smaller companies sometimes safer – because tier 1 cloud providers abide by the strictest practices demanded by their blue-chip clients.
Keep this in mind – very few companies can manage both consumer-grade services and enterprise-grade services and do justice to both. In such cases I would expect such solutions to be completely separate from each other – run by different divisions, in different data centres, with different admins and support staff.
The requirements and economic incentive for consumer versus enterprise solutions are diametrically opposed, and reconciling them is improbable to the extreme. If you plan to use a service that caters to both types of audiences, verify the measures they are taking to keep them apart.
What else can you do? Dig one level deeper than the security slogans, and ensure that the services or software you are using have these features:
- Source-based encryption: Encrypting your files before they are sent to the cloud. This is in addition to TLS/SSL in-transit encryption
- Private encryption key management: The ability to control your encryption keys exclusively, preventing service provider staff and other third-parties from accessing your files when stored in the cloud
- Password policy enforcement: Ability to enforce use of strong passwords and password expiration period on users
- Two-factor authentication: Ability to require two-factor authentication (via email or SMS) for account/device activation as well as shared link access
- Data integrity checks: Preventing 'man in the middle' attacks and tampering with your files by ensuring that the data which arrived in the cloud is the same data that left your device. This is typically done using hashes or fingerprinting such as the SHA-1 standard
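The last two items on that list, private key management and data integrity checks, work together, and the following added example (not code from the article or from CTERA) shows why. It fingerprints a file before "upload" with SHA-256 (a current choice; the SHA-1 mentioned above is no longer recommended for collision resistance), and separately computes an HMAC with a key that never leaves the client. A plain hash detects that a file came back changed, but anyone who can rewrite the file can also recompute a hash stored next to it; a keyed tag cannot be regenerated without the key. The file content and the "provider-inserted" marker are constructed sample data, and the encryption step itself is left out (use a standard AEAD such as AES-GCM in practice).

```python
import hashlib
import hmac
import os

# Constructed sample: the bytes the user hands to the sync client.
ORIGINAL = b"Quarterly revenue report\nTotal: 1,234,567\n"

# Constructed sample: the same file after a service has written extra bytes
# into it. The marker text is hypothetical; it stands in for any in-file change.
TAMPERED = ORIGINAL + b"<!-- provider-inserted marker -->\n"


def fingerprint(data: bytes) -> str:
    """Unkeyed content digest. Detects changes, but only if the digest itself is
    stored somewhere the modifying party cannot rewrite."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 under a key held exclusively by the customer ("private key
    management"). Without the key, no party can produce a valid tag for altered data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def upload_manifest(key: bytes, data: bytes) -> dict:
    """What the client records locally (or in its own key-protected store) at upload time."""
    return {"size": len(data), "sha256": fingerprint(data), "hmac": keyed_tag(key, data)}


def verify_download(key: bytes, manifest: dict, downloaded: bytes) -> dict:
    """Integrity check on the bytes that came back from the cloud.
    Uses a constant-time comparison so tag verification does not leak timing."""
    return {
        "size_matches": len(downloaded) == manifest["size"],
        "hash_matches": fingerprint(downloaded) == manifest["sha256"],
        "tag_matches": hmac.compare_digest(keyed_tag(key, downloaded), manifest["hmac"]),
    }


def provider_can_fix_up_hash(downloaded: bytes, stored_manifest: dict) -> bool:
    """Models a provider that stores the manifest alongside the file and rewrites
    both: an unkeyed hash can always be made to match the altered bytes."""
    rewritten = dict(stored_manifest, size=len(downloaded), sha256=fingerprint(downloaded))
    return rewritten["sha256"] == fingerprint(downloaded)


def provider_can_forge_tag(downloaded: bytes, stored_manifest: dict) -> bool:
    """The same provider has no customer key, so the best it can do is guess one;
    the forged tag will not verify under the real key."""
    guessed_key = os.urandom(32)
    return hmac.compare_digest(keyed_tag(guessed_key, downloaded), stored_manifest["hmac"])


def demo(key: bytes) -> dict:
    manifest = upload_manifest(key, ORIGINAL)
    return {
        "intact": verify_download(key, manifest, ORIGINAL),
        "tampered": verify_download(key, manifest, TAMPERED),
        "hash_fixable_by_provider": provider_can_fix_up_hash(TAMPERED, manifest),
        "tag_forgeable_by_provider": provider_can_forge_tag(TAMPERED, manifest),
    }


if __name__ == "__main__":
    # The key is generated on the client and never sent to the service.
    client_key = os.urandom(32)
    for name, result in demo(client_key).items():
        print(f"{name}: {result}")
```

Run as-is, the intact download passes all three checks, the tampered one fails size, hash and tag, the provider can make an unkeyed hash agree with its altered bytes, and it cannot produce a tag that verifies. The practical reading is the one the checklist implies: integrity checks are only as strong as the party who controls the reference value, so keep both the key and the manifest out of the provider's hands.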
Jeff Denworth is SVP of Marketing at CTERA.