Author: Ramon Peypoch, Senior Vice President of Products, VERA

Since inception, cybersecurity has focused on bolting-on products to the IT infrastructure that runs the world - bolstering the network perimeter in an effort to prevent malicious attacks from getting in and company data from inappropriately getting out. With external collaboration platforms like Office 365, DropBox, Box, G Suite, Slack, and others now pumping the lifeblood of technical innovation, traditional cybersecurity approaches fall short.

Collaboration and innovation simply don't work when users are locked down; rather they're all about empowering freedom to be creative and productive across organizations, supply chains, and partner networks. But because security was not a primary design focus for many highly popular collaboration tools, that freedom also enables user behaviors that can put organizational data assets at risk. This new paradigm consequently demands a collaboration-centric security approach that protects the data itself, regardless of where it goes.

Although leading collaboration tools use encryption to secure communications and data between users, that doesn't mean that all data shared in collaboration efforts are secure. Collaborators who legitimately access a file then have full control to do whatever they want with it. Everything - including misuse - is "on the table." Of course, accidental and erroneous instances of data sharing are also prevalent, such as the recent news of First American Financial Corporation's website inadvertently leaking up to hundreds of millions of sensitive consumer documents related to mortgage transactions. In a post-cloud world, how do you control sensitive data that has gone out of your control?

Further compounding the risks are the many disparate privacy regimes being instituted around the world that creates new levels of liability, compelling the requirement for better data governance. Realistically, most organizations until now have largely ignored the governance issue except for mandated compliance purposes; it's been about staying out of trouble more than truly protecting customers and users. New regulations are focusing the discussion on the need for governance to be more ubiquitous - and for governance solutions to be more flexible and easily usable. Effective governance really should come down to the point of content creation, but should also be transparent to content creators and end users so they don't have to think about it.

Collaboration platforms, shadow IT and other non-organizationally sanctioned behaviors by business users trying to keep pace with market demands are posing ample challenges for IT teams in managing valuable data assets. In my experience, I've never seen the circumstance where IT is bent on having control of such tools for control's sake. They want to enable the business, but it's also their job to ensure that collaboration is done securely. A more productive approach will include all parties exploring the business requirement to be accommodated:

• Clarify the specific business requirement. Discuss if collaboration needs to happen internally or also involve third parties like customers and business partners. Is information flowing domestically or across borders? Into areas where strict privacy rules with serious penalties are in place? Is the business team aware of the full IT services catalog available to them which might include secure, vetted options?
  

• Audit the applications and tools in use. What controls are in place? How are users accessing the system? Is multi-factor authentication in use?
  

• Set a clear policy. Layout acceptable use policies and rules. For example, what platforms are/not acceptable? What must be the delineation between business and personal accounts? Where can files not/go after being accessed? Make sure everyone involved knows the current standards.
  

• Monitor behavior over time. Check in with the business team to see how things are working with their adopted platform(s); what works and what's lacking? How might IT close these gaps?
  

The Bottom Line

When protecting data in the cloud, it's important to have three core components-strong encryption, real-time access control, and hosted policy management. Ideally, the moment your documents are uploaded, whether that be a cloud collaboration tool or other location, you should be able to encrypt those files and assign rights that travel with each individual document. No matter where your content travels - to client sites as an email attachment, to a local desktop or elsewhere in the cloud - only users with the right credentials should be able to open files in and beyond your cloud collaboration vendor.

A data-centric approach solves this challenge. Instead of trying to control everything around the data, think about solutions that extend control to the data itself. That way, data and content can move, which helps keep workflows fast and productive - but IT and Security teams still remain in control and can adapt as situations change.

##

About the Author

Ramon J. Peypoch, SVP Products, Vera Security

A proven leader in the security industry, Ramon leads Vera's product strategy, management and market delivery. Prior to Vera, he was part of the founding team of ProtectWise, Inc. (acquired by Verizon). Earlier he was Vice President, Web Protection at McAfee. With a track record of creating category-leading security products and companies, he has held executive product and business development positions at Proofpoint, Websense and Symantec. He serves as a Board Member for Abusix, Inc. (network abuse and threat mitigation), a Trustee of the Keys School in Palo Alto, CA and serves on the board of Palo Alto Girls Softball. Ramon holds a M.B.A. in Finance & Entrepreneurial Management from The Wharton School and a B.A. in World Politics and Spanish from Hamilton College.