4 Reasons Why IT Supervision is a Must in Content Collaboration

By István Molnár, Compliance Specialist, Tresorit

For many organizations, workflow supervision is one of the biggest challenges to solve. Ideally, users should be properly managed and monitored, but sadly countless organizations suffer from a lack of IT supervision. As a result, there is no telling what users are capable of doing. One of the main fields where a lack of IT supervision can become a major issue is content collaboration.

Content collaboration is the process of securely sharing, synchronizing and storing content files in a structured and transparent manner. It is one of the most frequently applied methods of user interaction and the default portal for exchanging business-critical information both internally and externally. This makes it an area where serious IT involvement is needed to ensure data security, user efficiency and business continuity.

What are the main causes and how to solve unsupervised content collaboration?

In a number of instances, IT departments are completely out of the loop when it comes to managing and monitoring internal and third-party content collaboration. This boils down to having no transparency and traceability in regard to user and file related activities. By isolating the main causes creating an unsupervised infrastructure, we can also identify how to solve them.

1) Not knowing what rights users have

Although IT departments have some form of user directory in place, like Active Directory or LDAP, they still struggle when it comes to rights associated with individual files. That is because all these tools decide is whether the user falls into a category that is allowed to access the collaboration platform at all. Even though a user is authorized to collaborate, that doesn’t mean they should have full access and editorial rights over all given files.

Without properly managing user rights, organizations can’t guarantee data confidentiality as users may accidentally or intentionally cause harm by managing files that should be limited or inaccessible to them. In addition to internal users, third-party management should receive the same level of attention; it is crucial to identify who should access files from outside of the organization’s secure perimeter, as well as for what purpose.

What is the solution?

Implementing functions such as access rights management is essential in supervising internal users and externally collaborating parties. Supervising the entire user lifecycle, from the day they join the organization until their last day as an employee, allows total control over their rights and level of privileges. By identifying and granting only the minimum rights users need, organizations can enforce the principle of least privilege. This helps reduce the probability of unauthorized access to and disclosure of business-critical information. It is possible to support both top-down and bottom-up attribution of rights by isolating larger group-based rights while also allowing flexibility for individual users through custom rights attribution when needed.
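One way to model the combination described above (top-down group rights per folder, bottom-up per-user custom grants that can also restrict, and offboarding that revokes everything) is the following added example; it is illustrative code, not Tresorit's product, and the folder layout, users and groups are constructed.

```python
"""Effective-rights model for content collaboration: top-down group grants per folder,
bottom-up per-user custom grants that override them, offboarding revokes all (added example)."""
from dataclasses import dataclass, field
from enum import Flag, auto
from pathlib import PurePosixPath

class Right(Flag):
    NONE = 0
    READ = auto()
    EDIT = auto()
    SHARE = auto()

def _most_specific(grants, path, default=Right.NONE):
    """Walk from the file up to the root; the deepest folder with a grant wins."""
    p = PurePosixPath(path)
    for candidate in (p, *p.parents):
        if str(candidate) in grants:
            return grants[str(candidate)]
    return default

@dataclass
class RightsDirectory:
    members: dict = field(default_factory=dict)       # user -> set of groups
    group_grants: dict = field(default_factory=dict)  # group -> {folder: Right}
    user_grants: dict = field(default_factory=dict)   # user -> {folder: Right}, custom
    offboarded: set = field(default_factory=set)      # lifecycle ended: no rights at all

    def effective_rights(self, user, path):
        if user in self.offboarded:
            return Right.NONE
        # Bottom-up: an explicit per-user grant, even a restrictive one, overrides groups.
        custom = _most_specific(self.user_grants.get(user, {}), path, default=None)
        if custom is not None:
            return custom
        # Top-down: union of what the user's groups may do on this subtree.
        rights = Right.NONE
        for group in self.members.get(user, ()):
            rights |= _most_specific(self.group_grants.get(group, {}), path)
        return rights

def sample_directory():
    """Constructed sample: finance edits its folder, payroll is read-only for alice,
    an external auditor sees exactly one report, dave has been offboarded."""
    return RightsDirectory(
        members={"alice": {"finance"}, "dave": {"finance"}},
        group_grants={"finance": {"finance": Right.READ | Right.EDIT | Right.SHARE}},
        user_grants={"alice": {"finance/2024/payroll": Right.READ},
                     "auditor@partner.example": {"finance/2024/q1-report.pdf": Right.READ}},
        offboarded={"dave"},
    )
```

Checking `Right.EDIT in directory.effective_rights(user, path)` before serving an edit request is the enforcement point; anything not explicitly granted evaluates to `Right.NONE`.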

2) Not having a clear inventory on files

User and group management is one thing, but data itself is also a vital segment in an organization’s life. Not knowing what files are actually being produced and where they are stored is a common symptom of a decentralized infrastructure. It occurs most commonly when each department operates in silos and stores files on separate standalone systems and devices instead of in one central repository. The drawback of this is that IT simply cannot keep visibility over the most crucial information produced and managed within the organization. As a result, there is no telling what files already exist, whether there is any workflow conflict, and simply who has access to what and to what degree.

What is the solution?

The solution is a central file repository completely owned and managed by IT. Users may assume ownership over the folders and files stored within, but overall management should fall in the hands of IT professionals. This allows organizations to enforce company-wide policies on data storage location and prohibit any attempts to store data outside the collaboration platform.

3) Not knowing what tools are used for collaboration

Many times, employees take an alternative route and start using consumer-grade tools for business collaboration. The main reason is that the in-place Content Collaboration Platform turned out to be far too cumbersome to use, making everyday work almost impossible due to excessive security precautions.

What is the solution?

To solve the issue, a balance must be struck between efficiency and security. If the organization focuses solely on one aspect, it will severely hinder the other. A lack of security may make things more convenient for users, but it also creates a number of potential attack surfaces. The reverse is also true: too much security might be appealing from an administrative perspective, but it can easily make any form of collaboration almost impossible for users.

4) Not being able to log events and activities

Not possessing reliable evidence on user and file related activities can cause serious ramifications during forensic investigations and compliance audits. During a data breach, every second can count. As a first step once a breach is identified, the security team will try to accumulate as much evidence as possible to identify: What data and which users are affected? What or who could have caused the breach? What is the magnitude and scale of the breach? If the security team lacks the tools to pinpoint these factors, then it is a guarantee that similar breaches will soon follow leaving the organization in a desperate financial and reputational situation.

Failing a compliance audit can also result in the same ramifications. One of the first things required during an audit is clear documentation on every user and activity. If the organization is incapable of producing reliable information on its infrastructure and all events occurring in it then the audit will surely fail.

What is the solution?

The solution lies in reporting capabilities. The more customizable and detailed they are, the better. In content collaboration, the most important question to answer is who accessed, shared or deleted which files, so clear reports on exactly these events are essential.
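The triage questions raised above (which data and users are affected, who could have caused it, how large the exposure is) can be answered directly from a file-activity audit log. The following added example, which is not Tresorit's code, runs such a report over a constructed JSON-lines log; the field names and the internal domain are assumptions.

```python
"""Breach-scoping and file-history reports over content collaboration audit events.
Added example, not Tresorit's product code; the event schema below is an assumption."""
import json
from collections import defaultdict

# Constructed sample audit log (JSON lines). Field names are assumed, not any vendor's.
SAMPLE_LOG = """
{"ts":"2024-03-03T17:30:00Z","actor":"alice@corp.example","action":"access","file":"legal/nda.docx"}
{"ts":"2024-03-04T07:50:00Z","actor":"bob@corp.example","action":"access","file":"hr/salaries.xlsx"}
{"ts":"2024-03-04T08:02:11Z","actor":"alice@corp.example","action":"access","file":"finance/2024/q1.xlsx"}
{"ts":"2024-03-04T08:05:40Z","actor":"alice@corp.example","action":"share","file":"finance/2024/q1.xlsx","recipient":"ext@partner.example"}
{"ts":"2024-03-04T08:07:02Z","actor":"alice@corp.example","action":"download","file":"hr/salaries.xlsx"}
{"ts":"2024-03-04T08:09:13Z","actor":"alice@corp.example","action":"delete","file":"hr/salaries.xlsx"}
"""
INTERNAL_DOMAIN = "corp.example"  # assumption: any other recipient domain is external

def parse_log(text):
    """One JSON object per line; ISO-8601 UTC timestamps sort correctly as strings."""
    return sorted((json.loads(line) for line in text.strip().splitlines()), key=lambda e: e["ts"])

def file_history(events, path):
    """Who accessed, shared, downloaded or deleted one file, in time order."""
    return [(e["ts"], e["actor"], e["action"]) for e in events if e["file"] == path]

def scope_breach(events, actor, start, end):
    """Triage for one suspected account inside a time window (ISO-8601 strings):
    which files it touched, who outside the organization received data, what it
    deleted, and which other users touched the same files (scale of exposure)."""
    mine = [e for e in events if e["actor"] == actor and start <= e["ts"] <= end]
    files = sorted({e["file"] for e in mine})
    external = sorted({e["recipient"] for e in mine
                       if e["action"] == "share"
                       and not e["recipient"].endswith("@" + INTERNAL_DOMAIN)})
    deleted = sorted(e["file"] for e in mine if e["action"] == "delete")
    others = defaultdict(set)
    for e in events:
        if e["file"] in files and e["actor"] != actor:
            others[e["file"]].add(e["actor"])
    return {"files": files, "external_recipients": external, "deleted": deleted,
            "other_actors": {f: sorted(a) for f, a in others.items()},
            "first_event": mine[0]["ts"] if mine else None}
```

The report is only as trustworthy as the log: if the platform does not record shares and deletions, or lets users disable logging, the `deleted` and `external_recipients` lists will be silently empty.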

In conclusion

All-in-all, content collaboration is a vital part of an organization’s life and requires serious monitoring and control effort to ensure data confidentiality, user efficiency and business continuity.

The Many Benefits of a Cloud Access Security Broker

By Will Houcheime, Product Marketing Manager, Bitglass


Today, organizations are finding that storing and processing their data in the cloud brings countless benefits. However, without the right tools, such as cloud access security brokers (CASBs), they can put themselves at risk. Organizations’ IT departments understand how vital cybersecurity is, but they must be equipped with modern tools in order to secure their data. CASBs protect against a wide range of security concerns that enterprises face when migrating to the cloud. Consequently, they have quickly increased in popularity and have become a one-stop shop for countless enterprise security needs.

BYOD, SaaS or IaaS

Depending on the industry in which an organization operates, it may need to focus on security for managed devices, or perhaps it might need more of a bring your own device (BYOD) solution. While major SaaS applications improve organizational productivity and flexibility, they can serve as entry points for malicious threats such as malware or be used to share sensitive data with unauthorized parties. In infrastructure-as-a-service platforms, even a simple misconfiguration can cause data leakage and jeopardize an organization’s wellbeing. Without a solution designed to address these modern security concerns, organizations can fall victim to these and other threats.

In recent years, cloud access security brokers have been used to prevent these types of unfortunate scenarios from happening to organizations. Whether it’s securing data on personal devices, limiting external sharing, stopping cloud malware, or other security needs, CASBs have been stepping in and protecting data whether it is in transit or at rest. In our latest white paper, Top CASB Use Cases, we go into detail about how organizations have used cloud access security brokers to embrace both the cloud and BYOD without compromising on security.

For information about how CASBs help secure data, download the Top CASB Use Cases.

Microsoft Workplace Join Part 2: Defusing the Security Timebomb

By Chris Higgins, Technical Support Engineer, Bitglass

In my last post, I introduced Microsoft Workplace Join. It’s a really convenient feature that can automatically log users in to corporate accounts from any devices of their choosing. However, this approach essentially eliminates all sense of security.

So, if you’re a sane and rational security professional (or even if you’re not), you clearly want to disable this feature immediately. Your options?

Option #1 (Most Secure, Most Convenient): Completely disable Intune Mobile Device Management for O365 and then disable Workplace Join

As Workplace Join can create serious security headaches, one of the most secure and most convenient options is to disable the Intune MDM for Office 365 and then disable Workplace Join completely. Obviously, these should quickly be replaced by other, less invasive security tools. In particular, organizations should consider agentless security for BYOD and mobile in order to protect data and preserve user privacy.

Option #2 (Least Convenient): Use Intune policies to block all personal devices

Microsoft does not provide a method of limiting this feature that does not utilize Intune policies. Effectively, you must either not use Intune at all, or pay to block unwanted access. However, the latter approach means blocking all BYO devices (reducing employee flexibility and efficiency) and introduces the complexity of downloading software to every device, raising additional costs.

Option #3 (Least Convenient and Least Secure): Whack-a-mole manual policing of new device registrations

For an administrator in Azure AD, deleting or disabling an account only prevents automated logins on each of that account’s registered devices, and this has to be done manually every time a user links a new endpoint. Unfortunately, deactivation and deletion in Azure do not remove the “Join Workplace or School” link from the control panel of the machine in question. Additionally, deactivation still allows the user to manually log in, as does deletion; neither action prevents the user from re-enrolling the same device. In other words, pursuing this route means playing an endless game of deactivation and deletion whack-a-mole.

Bitglass Security Spotlight: LinkedIn, Vector, and AWS

By Jacob Serpa, Product Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

—LinkedIn security gap exposes users’ data
—Vector app reveals customers’ information
—AWS misconfiguration makes LocalBlox user information public
—New malware steals data via power lines
—Banking apps deemed the most unsecured

LinkedIn security gap exposes users’ data
LinkedIn’s AutoFill functionality was recently discovered to be easily exploitable. The feature allows users to have fields on other websites automatically populated with information from their LinkedIn accounts (for rapid registrations and logins, for example). Researchers quickly realized that this could be exploited by malicious websites that initiate AutoFill, regardless of where visitors click, in order to steal information.

Vector app reveals customers’ information
New Zealand energy company, Vector, developed an application designed to update users on the status of their power; for example, by providing estimates on when power might return during outages. Unfortunately, the app didn’t provide the functionality that the company originally intended. Additionally, it made all of its users’ information (including home address) accessible to anyone who downloaded the app.

AWS misconfiguration makes LocalBlox user information public
Another AWS misconfiguration has exposed the personal information of various individuals – 48 million of them. LocalBlox, which gathers information from public online profiles, was recently found to be leaking Twitter, Facebook, and LinkedIn information through an unsecured AWS S3 bucket. Leaked information included email addresses, job histories, and even IP addresses in some cases.

New malware steals data via power lines
PowerHammer, a new type of malware, can steal data in a variety of complex, frightening ways; for example, through computers’ power cables.

Banking apps deemed the most unsecured
A recent study found that banking applications are typically the most vulnerable type of cloud app. Despite the fact that these services are used by hundreds of millions of people, they consistently hold security flaws that leave them open to the advances of hackers.

Learn more about cloud access security brokers (CASBs) and how they can help you secure data in our cloud-first world with the Definitive Guide to CASBs.

Just What the Doctor Ordered: A Prescription for Cloud Data Security for Healthcare Service Providers

by Kamal Shah, VP, Products and Marketing at Skyhigh Networks

Cloud services are here to stay, and practically everybody is embracing them. In fact, the cloud computing industry is growing at the torrid pace of nearly 30% per year right now, according to Pike Research.

Certainly healthcare service providers are getting on the cloud services bandwagon, either by choice or by decree. As reported in Forbes, the Health Insurance Portability and Accountability Act (HIPAA) omnibus and the American Recovery and Reinvestment Act (ARRA) requirements stipulate that everyone in the healthcare industry must migrate their patient records and other data to the cloud. This is to facilitate medical professionals’ authorized access to electronic health records (EHRs) to improve patient care and reduce costs.

At the same time, healthcare organizations have an obligation to make sure that their use of cloud services is secure and that personal health information (PHI) is fully protected. The risks are huge if they don’t get this right. Any exposure of PHI is deemed a violation of HIPAA compliance, which can lead to steep fines and other costs for the healthcare service provider, not to mention the loss of trust and confidence of its patients.

Even the best of intentions can backfire on healthcare organizations. PHI doesn’t necessarily have to be lost or stolen in order to violate HIPAA’s letter of the law. The Oregon Health & Science University was recently cited for using an unsecured cloud platform to maintain a spreadsheet containing sensitive patient data. The intent was to make it easier to share accurate information about patients among the healthcare professionals involved in their care.

Unfortunately, the university didn’t have a contractual agreement to use the cloud service, and the privacy and security of the patient data could not be absolutely assured. Although officials don’t believe the incident will lead to identity theft or financial harm, the university is notifying affected patients as a matter of caution.

So, what’s the prescription for hospitals and other providers to reduce their risk when using cloud services? Security experts recommend a three-step process to facilitate cloud data protection:

  • First, get an understanding of all the cloud services already in use by the organization. There’s probably a lot of unofficial “shadow use” of services that company officials aren’t aware of and that may put the organization at risk.
  • Next, leverage all the innovation in big data analytics to understand this usage and to ensure that the organization’s policies are consistently enforced.
  • And finally, for the recommended cloud services, secure the data in the cloud through contextual access controls based on user, device and location, encryption, and data loss prevention.

Read how one leading hospital put this framework to use and successfully reduced the risk of cloud services.