Data dissemination and file collaboration are natural parts of most business and operational workflows; thus, security must be an integral part of modern corporate workflow to protect sensitive information. While structured data, information contained in databases, is well protected in the confines of secure backend systems, unstructured data is a wholly different story. Files are presumed to be secure within the domain of access control network drives and folders controlled by enterprise content manager systems. Most IT professionals associate data and even file protection with backup and encryption technologies within their network or at the gateway. Unfortunately, the protection of sensitive, and often regulated, data within files being shared both internally and externally remains a significant source of exposure within many organizations.
The broad adoption of BYOD, enterprise mobility, cloud-based apps and next-generation content manager systems yields greater diversity of devices and mechanisms to share files. At the same time, targeted attacks and advanced malware have made the likelihood of unauthorized data access and distribution almost a forgone conclusion. With the publicity of the Office of Personnel Management (OPM) and, more recently, the Experian data breach, the public and government are voicing the need to strengthen government and industry data privacy compliance requirements, specifically safeguarding personally identifiable information (PII). These trends have increased pressure at the board level and down to IT and information security professionals to re-examine their organizations’ data leakage/loss programs.
A recent 2015 State of File Collaboration Security report by Enterprise Management Associates (EMA) found a significant gap between file security policies and operations and the capabilities of technical controls in place at large and mid-tier enterprise organizations to monitor and enforce the policies. While the majority of these organizations have enhanced technical controls and auditing, only 16 percent of the survey respondents felt highly confident in their file security investments. The report revealed that more than 80 percent of mid-tier and large enterprise survey participants were aware of data leakage incidents in their organizations, and 50 percent experienced frequent incidents.
Other results include:
- Inappropriate file sharing with others inside the organization, with those outside the organization and through malware and hackers were cited as the most likely causes of data leakage
- While policy development and legal enforcement are foundational file security defenses, organizations plan to increase user awareness training and purchase additional security technology
- Email Gateway/Proxy and Data Loss Prevention (DLP) technologies were the top mature controls, while file encryption and usage control software was cited as the top upcoming control investment
- 70 percent of respondents believed that end users would invoke stronger security controls on files they share if empowered to do so
Organizations should be confident that distribution, storage and access to files within repositories of their network and even reputable cloud-based file storage and collaboration vendors are secure. The issue is the risk of data leakage after a file is appropriately accessed or delivered. When that file leaves the network perimeter on an employee laptop, by way of a share drive, peripheral or email, or is taken out of a protected cloud container or application, the file and respective security safeguards disappear. In the EMA report, more than 90 percent of respondents stated the lack of protection of files leaving cloud-based platforms or device containers as the highest risk to adopting cloud-based file storage and collaboration services. In today’s digital world, file security must support a wide set of users, applications, use cases and collaboration tools including that of cloud-based storage and sharing platforms. More so, file security controls must be persistent for those files containing sensitive data regardless of how the file is shared, internally or externally, and irrespective of storage, delivery and collaboration method.
Organizations should consider enhancing file security control as part of fortifying their data leakage prevention program. Two common solutions are the use of information rights management (IRM) and persistent file security (PFS) platforms. Most IRM platforms are operating system, application or storage specific and are encumbered by complex administration, deployment and support. While more easily used within an organization and its directory services, attempting to scale outside an organization has a hefty cost, usability and deployment impact for both the enterprise and external recipient. However, PFS platforms by nature separate file security from file storage, distribution and content management. This enables them to work with an existing workflow, as well as evolving infrastructure and user constituents. Better yet, they can be flexibly applied by use case application, risk, department, recipient type and business need – aka enterprises can pay, deploy and expand as needed.
File insecurity has become the new data leakage frontier. Organizations of all sizes and across industry and government require data sharing and collaboration to be productive and agile. As sensitive file access incidents and public breach notifications increase, so too will the need for data leakage programs to extend down to the last mile of defense – protecting the file persistently where ever it may go.[su_box title=”About Scott Gordon” style=”noise” box_color=”#0e0d0d”]
Scott Gordon, COO at FinalCode, Inc., is an accomplished leader who has helped evolve security and risk assessment technologies at both innovative startups and large organizations. An infosec authority, speaker and writer, he is the author of Operationalizing Information Security and the contributing author of the Definitive Guide to Next-Gen NAC. Scott holds CISSP-ISSMP certification.[/su_box]
CMO
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.