Author: Ramon Peypoch, Senior Vice President of Products, VERA
Since inception, cybersecurity has focused on
bolting products onto the IT infrastructure that runs the world - bolstering
the network perimeter in an effort to prevent malicious attacks from getting in
and company data from inappropriately getting out. With external collaboration
platforms like Office 365, Dropbox, Box, G Suite, Slack, and others now pumping
the lifeblood of technical innovation, traditional cybersecurity approaches
fall short.
Collaboration and innovation simply don't work
when users are locked down; rather they're all about empowering freedom to be
creative and productive across organizations, supply chains, and partner
networks. But because security was not a primary design focus for many highly
popular collaboration tools, that freedom also enables user behaviors that can
put organizational data assets at risk. This new paradigm consequently demands
a collaboration-centric security approach that protects the data itself,
regardless of where it goes.
Although leading collaboration tools use
encryption to secure communications and data between users, that doesn't mean
that all data shared in collaboration efforts are secure. Collaborators who
legitimately access a file then have full control to do whatever they want with
it. Everything - including misuse - is "on the table." Of course, accidental
and erroneous instances of data sharing are also prevalent, such as the recent
news of First American Financial Corporation's website inadvertently leaking up
to hundreds of millions of sensitive consumer documents related to mortgage
transactions. In a post-cloud world, how do you control sensitive data that has
gone out of your control?
Further compounding the risks are the many
disparate privacy regimes being instituted around the world that create new
levels of liability and make better data governance a requirement.
Realistically, most organizations until now have largely ignored the governance
issue except for mandated compliance purposes; it's been about staying out of
trouble more than truly protecting customers and users. New regulations are
focusing the discussion on the need for governance to be more ubiquitous - and
for governance solutions to be more flexible and easily usable. Effective
governance really should come down to the point of content creation, but should
also be transparent to content creators and end users so they don't have to
think about it.
Collaboration platforms, shadow IT and other
non-organizationally sanctioned behaviors by business users trying to keep pace
with market demands are posing ample challenges for IT teams in managing
valuable data assets. In my experience, I've never seen the circumstance where
IT is bent on having control of such tools for control's sake. They want
to enable the business, but it's also their job to ensure that collaboration is
done securely. A more productive approach will include all parties exploring
the business requirement to be accommodated:
- Clarify the specific business requirement. Discuss whether collaboration needs to happen internally or also involve third parties like customers and business partners. Is information flowing domestically or across borders? Into areas where strict privacy rules with serious penalties are in place? Is the business team aware of the full IT services catalog available to them, which might include secure, vetted options?
- Audit the applications and tools in use. What controls are in place? How are users accessing the system? Is multi-factor authentication in use?
- Set a clear policy. Lay out acceptable use policies and rules. For example, what platforms are and are not acceptable? What must be the delineation between business and personal accounts? Where can files go, and not go, after being accessed? Make sure everyone involved knows the current standards.
- Monitor behavior over time. Check in with the business team to see how things are working with their adopted platform(s); what works and what's lacking? How might IT close these gaps?
## The Bottom Line
When protecting data in the cloud, it's
important to have three core components: strong encryption, real-time access
control, and hosted policy management. Ideally, the moment your documents are
uploaded, whether to a cloud collaboration tool or another location, you
should be able to encrypt those files and assign rights that travel with each
individual document. No matter where your content travels - to client sites as
an email attachment, to a local desktop or elsewhere in the cloud - only users
with the right credentials should be able to open files in and beyond your
cloud collaboration vendor.
A data-centric approach solves this challenge.
Instead of trying to control everything around the data, think about solutions
that extend control to the data itself. That way, data and content can move,
which helps keep workflows fast and productive - but IT and Security teams
still remain in control and can adapt as situations change.
## About the Author
Ramon J. Peypoch, SVP Products, Vera Security
A proven leader in the security industry, Ramon leads Vera's product strategy, management and market delivery. Prior to Vera, he was part of the founding team of ProtectWise, Inc. (acquired by Verizon). Earlier he was Vice President, Web Protection at McAfee. With a track record of creating category-leading security products and companies, he has held executive product and business development positions at Proofpoint, Websense and Symantec. He serves as a Board Member for Abusix, Inc. (network abuse and threat mitigation), as a Trustee of the Keys School in Palo Alto, CA, and on the board of Palo Alto Girls Softball. Ramon holds an M.B.A. in Finance & Entrepreneurial Management from The Wharton School and a B.A. in World Politics and Spanish from Hamilton College.