In an effort to stay connected while on-the-go, employees are using cloud services as part of their productivity suite – unfortunately, these services can be implemented without enterprise permission. Although these cloud-based collaborative tools are enabling workers to gain access to files when outside of the office, there is a layer of risk being added to the enterprise. As such, IT decision-makers must understand the potential security pitfalls of these technologies, while also learning about solutions.
Tech companies such as DropBox and Box, also known as enterprise file sync share (EFSS) vendors, have created services that allow mobile workers to access corporate documents from anywhere in the world. Although they were once closely associated with Shadow IT, today EFSS vendors offer solutions that are nearing universal adoption as part of enterprise computing. In response to this rapid adoption, the EFSS market has ramped up its security strategy considerably. While these changes are helping to make the lives of IT pros across the world stress less about security, it’s important that users be educated on the efficient central management and oversight of these solutions, particularly as it relates to security.
This byline will outline three ways in which an intelligent key management solution addresses data encryption concerns without disrupting the end user experience: (1) control and management of multiple services, (2) security of data wherever it resides, and (3) protection against issues related to compliance and data governance.
Controlling & Managing Multiple Services:
Security best practices dictate adopting one EFSS solution and standardizing its use across a company. In reality, employees at most organizations use a patchwork of EFSS products, including consumer-turned-enterprise brands and even homegrown solutions. It’s almost impossible to rely solely on the security controls inherent to the EFSS products. In turn, organizations should consider a security approach that protects the data in both local storage and cloud environments. In these cases, the best approach is a centrally located and enterprise controlled security and policy management product that secures the data regardless of where it resides.
Data Security and Policy Control:
Most EFSS vendors provide data-at-rest encryption, and some even offer ways to assist customers in managing encryption keys. Intelligent key management, or enabling the end-user organization to store and manage encryption keys from the endpoint, adds an additional layer of advanced security. Important to encryption is enterprise control, and intelligent key management is a way of securing the data that is entirely controlled by the enterprise.
One way to boast intelligent key management is through client-side encryption. Client-side encryption enables enterprise control of encryption, access and other policies to automatically control the flow of sensitive data into an EFSS solution with the desired precautions applied prior to the file departing the endpoint. Coupled with intelligent key management, client-side encryption answers enterprise concerns about protecting corporate information viewed by third-party contractors, accessing files from unauthorized devices and sharing sensitive data outside enterprise policy.
Compliance and Data Governance:
For companies governed by certain industry or governmental regulations that require close control of sensitive or personally identifiable data, EFSS is not only a source of potential data leakage—it can also drive them out of compliance of those regulations. In these situations, companies must absolutely implement effective and flexible encryption solutions that will secure the data and provide an audit trail or reporting method to prove the data is closely controlled. By controlling the centralized key management, enterprises can help ensure compliance and security of their centralized data.
Intelligent key management is also important in instances where EFSS vendors are storing a company’s sensitive data are subjects of government inspection. Without intelligent key management, the company is at risk of exposing data without even knowing because their encryption key resides with the EFSS vendor. By leveraging intelligent key management, end user organizations are always in control of encrypting and decrypting their own data. If an EFSS vendor that owns the encryption keys were approached and asked to hand over access to certain data, the actual customer whose data was in question may have no idea of this request. Intelligent key management enables end user organizations to take back control of their data.
Getting off the Blacklist:
In 2015, a study by MobileIron identified the top 10 most blacklisted apps in the enterprise, and 5 of the 10 were EFSS vendors. The perception that these services don’t belong within the enterprise is unfortunate. Not only are their benefits to sharing data in today’s workforce indispensable, but the process to securing and managing that data is not the scary and complex beast it is made out to be. IT departments can embrace employee adoption of these solutions by incorporating intelligent key management as part of a security strategy. As a transformational concept for encryption, intelligent key management enables the central encryption management of cloud data and data accessed via a variety of devices and machines, all from a single management console. Most importantly, it allows the owners of the data to apply the encryption and manage the encryption keys. Key creation, distribution and revocation is managed entirely by the organization – there is no involvement from other third-party providers, such as EFSS vendors.
[su_box title=”About Garry L. McCracken” style=”noise” box_color=”#336588″][short_info id=’73414′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.