Did You Know?
Last year Dropbox, one of the most popular file-sharing, Cloud-based services, suffered a major security breach that allowed users’ user names and passwords to be stolen. This led to thousands of its European customers being subjected to a spam attack which contained ads for gambling web sites.
In response to reports of this security breach, Dropbox confirmed that a stolen employee password had led to a “project document” containing user email addresses being accessed. My immediate response to this news was matched by at least one user on their blog: “What was a staff member doing with users’ email addresses in such a way?”
This incident raises questions about the acceptability or otherwise of allowing Cloud-based services to store your files and personal data.
Cloud-Based Security
Security in the Cloud is no different to security in any form of software application: it should be built in from day one, not bolted on as an afterthought. I’m amazed at how often we see companies that offer online services of one kind or another being forced to add layers of security to their offering after suffering from this type of attack. Clearly they have no real, deep understanding of what is required to implement a secure service. It seems to me that Dropbox are just one of those who need to re-think their security model from the bottom up. They don’t even seem to be sure about their solution to this embarrassing attack, since one of their follow-up remedies was to provide a page allowing users to examine earlier log-ins to their account, a sort of “you tell us if we still aren’t secure” option.
Securing the Cloud
Services that make use of the Cloud need to be very sure they have implemented robust security measures at their very core, to avoid the type of embarrassment we have already spoken about here. Remember, the Cloud is just another server; it might be remote or it could be located within your network, but what makes it a Cloud server is its openness to the internet. By the very nature of it being a Cloud server, anyone who knows its address can have access to it. However, the authentication of the access granted at that point needs to be thorough.
For businesses to consider using such a service, for sharing large files for instance, they should be concerned at the very least about:
- the ability to centrally control who they might want to make such shares with,
- the ability to audit authorised access and unauthorised attempts to access the files,
- the ability to revoke access to the files at a later date,
- the product having some form of government certified assurance level.
In some circles this type of product is being referred to as managed file transfer (MFT) technology. Earlier this year Gartner estimated that 50% of midsize and large organisations will deploy products of this type by 2016.
Finding the Answer
If you are being tasked by your masters to find an answer to this little problem, I can shine light on one possible solution. Yes, I have used Dropbox and the like in the past. That was before I became enlightened. Robust, affordable security does not have to be difficult to use or require a major change in your business processes. Take a look at Egress Switch; it has all of the benefits I’ve discussed above and then some. You can add to the list encrypted email and the ability to produce encrypted memory sticks, CD-ROMs and even DVDs. I have found this a very useful product, and with their mobile app and web interface you can even get access to secure mail and files on the move!