Keeping Agency Information Secure in an Era of New Computing and Risks

The cloud computing evolution is well entrenched and has significantly changed how organizations share, sync, edit, create and collaborate on content. However, this computing revolution is a double-edged sword. There are benefits—increased...


Finally, the key benefit of private clouds is that they provide the flexibility and mobile connectivity to help employees access the information they need from anywhere, at any time, while hosting data within a company’s firewall so all regulatory and security parameters are set and managed by the organization.

Block Risky Services: Even with a secure sharing solution in place, employees may be tempted to try the free services that their friends are using. By blocking these services, enterprises can ensure that mobile workers don’t jeopardize the confidentiality and integrity of confidential data.

Educating users about the risks of these public-cloud services is another important way to “nudge” them into following best practices for data security. Many agencies have policies in place to secure data against risk, but if employees don’t understand the ‘why’ behind such rules they are more likely to work around company restrictions, thus introducing risk to the network. Education around the ‘why’ will help employees understand the importance of security practices for sensitive organizational information.

Meet Stringent Third-party Security Requirements: Organizations should only select software solutions that have been certified to meet stringent security requirements, such as FIPS 140-2 requirements for U.S. federal agencies.

FIPS stands for Federal Information Processing Standard. The U.S. National Institute of Standards and Technology (NIST) developed the FIPS specification to ensure that government agencies use sufficiently strong cryptographic services, including authentication and encryption, for protecting agency data. If a platform has received FIPS 140-2 certification, organizations can be sure that the platform’s authentication and encryption technology has passed inspection by the U.S. federal government and been approved for use by government agencies. It also means the software has been tested and proven to securely protect data at rest and in transit on mobile devices.

Centralize Access Control and Monitoring: Centralized monitoring allows network administrators and security officers to monitor the distribution of files and to detect anomalous behavior before it leads to data breaches.

Centralized monitoring and logging are essential capabilities for agencies that need to comply with industry IT regulations such as Sarbanes-Oxley (SOX) or the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

To comply with HIPAA, for example, healthcare organizations (HCOs) in the U.S. must be able to demonstrate that they can monitor and control the distribution of all files containing Patient Health Information (PHI)—healthcare records that could be used to identify specific patients. If files are distributed over a public-cloud service like Dropbox, the HCO’s IT and security teams will lack any way to monitor the distribution of files. Confidential patient data could be easily replicated or distributed broadly, and the HCO would never know until the data breach was exposed, probably resulting in regulatory censure and other penalties.

By using a private cloud solution, rather than a public-cloud service, the HCO’s IT and security teams can ensure that the distribution and storage of PHI adheres to industry regulations and policies.

Connect to SharePoint and Other Important Services: Most enterprises and government agencies have invested in enterprise content management (ECM) systems like SharePoint. These systems provide advanced role-based controls for file storage and powerful search capabilities to help employees find information quickly.

Unfortunately, accessing these systems remotely can be cumbersome or outright impossible, depending on the configuration of the mobile devices and the ECM system. When access proves difficult, employees sometimes begin keeping local copies of files and copying them from device to device, thereby undermining the security and version-control features of the ECM system.

Organizations should select a sharing and syncing solution that provides access to content stored in these existing systems. This way, secure file sharing becomes a natural part of the workflow, and workers in remote locations always have access to the critical files they need, from the device of their choosing.