Keeping Agency Information Secure in an Era of New Computing and Risks

Sept. 4, 2013

The cloud computing evolution is well entrenched, and has made significant changes to how organizations share, sync, edit, create and collaborate-on content. However, this computing revolution is a double-edged sword. There are benefits—increased computing power, ease-of-use, and new flexibility in the case of cloud computing. However, these new features and benefits also bring new difficulties and risks. The security risks alone are enough to make any government agency cringe.

For IT departments, these new risks typically emerge as security vulnerabilities. Attackers are quick to exploit design flaws or architectural weaknesses that can be used to steal data, sabotage networks, or siphon funds. Over time, vendors and customers discover these flaws and weaknesses—usually the hard way, by discovering that they have been exploited—and fix them.

For government agencies, the race to contain new threats is definitely on. New cloud risks are sweeping through departments as mobile devices emerge as the computing form factor of choice for federal workers. Employees are not just bringing a single device to work, either. A recent survey by iPass found that the typical mobile worker now carries 3.5 mobile devices, which might include any combination of smartphones, laptops, and tablets.

Recognizing that employees love their devices and won’t leave them home, a number of agencies have formally adopted BYOD policies, and the Federal CIO Council created a mobile computing decision framework, to support agencies who were looking to introduce this new technology into their workflow. Employees can now store business data and do work on their own mobile devices, rather than just on those officially provisioned by their company.

So what does this mean for the teams and administrators responsible for network security?

New Security Risks
To assess the risks of cloud computing, we need to consider everything from data contamination to user habits to the activities of criminal syndicates. The blurring of personal and business computing is creating special challenges for government agencies, such as:

Security as an Afterthought
Consumer devices like iPads were not designed with rigorous data security in mind. Many mobile devices either lack advanced security features or have them disabled by default. Even basic features such as screen locks are turned off, and most users leave them that way. And if a laptop is brought from home by an employee, it will also not have the rigorous security settings that an agency device would have, introducing the risk of data leakage or hacking into the agency network.

Data Contamination
Today, an employee’s vacation photos are likely to reside on a smartphone or tablet that the employee brings also uses for work. The photos, and other content, share storage space along with confidential business data when the employee logs into agency networks. Never before has personal data mixed so freely and casually with business information.

This combining of data introduces new risks to the enterprise. Through carelessly configured back-ups or file copies, personal content might accidentally end up on corporate file servers. Worse, personal files that contain malware might spread to business files and from the mobile device to internal file servers and other enterprise assets.

New Forms of Malware
New forms of malware targeting devices are on the rise, especially for mobile. IBM predicts that mobile malware will grow 15% annually for the next few years. Hackers and criminal syndicates realize that most mobile devices are less secure than more traditional devices like laptops. They have begun targeting mobile devices for attacks ranging from mischievous pranks to advanced persistent threats that stealthily copy internal data over many months, transmitting it to remote control centers on the world.

Phishing Attacks
Employees routinely catch up on email and work on evenings and weekends, and when they do, they typically use personal devices. Realizing that most of these devices lack AV software and that most email and Web traffic accessed remotely bypasses avoids inspection by firewalls and gateways, attackers are now designing phishing attacks and other email exploits to be triggered during non-business hours.

The attacks are working. Malware that would have been caught by network defenses in the office on Monday afternoon is able to install itself on the mobile device of an employee working remotely on Friday night. Once installed, keyloggers and other malware can feed attackers valuable information for launching more damaging attacks against file servers, email servers, and other internal assets.

Lost Devices
On average, a cell phone is lost in the U.S. every 3.5 seconds. Even if a lost smartphone, laptop or tablet does not contain confidential data, it still might include apps or cached credentials that make it easier for criminals to infiltrate an enterprise network. As workers begin carrying more devices, the likelihood of losing devices only increases.

Risky File Sharing
A device without data is of limited use. To ensure all their devices have the files they need, employees often try out one or more file-sharing services, including free but risky file-sharing services that run on public clouds. Unfortunately, these services, though popular, are usually not secure enough to be trusted with enterprise data. For example, the popular service Dropbox accidentally disabled all password protection on all its customers’ accounts for four hours last year. IBM went so far as to ban the service for employees entirely, as the company was concerned about data leakage and the risks associated with company information being readily available to hackers.

In addition, many public cloud file-sharing services also pose legal risks to a company’s claim to own and control its data. For example, the terms of use for Google Drive, Google’s free file-sharing service, begins by stating that users retain the intellectual copyright for the ideas in the content they store. But the terms of service go on to say that by using the service, customers grant Google and its partners the right to reproduce and modify any uploaded data in order to operate, promote, or improve Google services.

Having originally been designed for consumers, these services usually lack the centralized control and monitoring features that government agencies need for security and compliance.

Best Practices for Protecting Enterprise Data on Mobile Devices
Fortunately, new security solutions are available to help organizations protect their mobile content and networks. To make the most of these solutions, it’s important for security teams to focus their attention on just what it is they are securing. Ultimately, what is more important for enterprise security: protecting an ever-changing collection of mobile devices, or protecting enterprise data itself, regardless of the device?

In order to reduce risk within government agencies, here are six best practices for protecting confidential in an era of information sharing, syncing and collaborating:

Increase Trust and Control with Private Clouds: Private cloud solutions—cloud services that enterprises run in internal data centers—can provide the scalability and cost-effectiveness of cloud computing without the security and availability risks of public clouds.

Whenever possible, organizations should deploy their software solutions on private clouds, giving their own IT organizations complete control over the location and availability of data.

All agencies have sensitive business information that they want to keep private – whether its customer data, budget plans, or HR’s personnel files. Using a private cloud to host this sensitive information provides a much higher level of control and security over this organizational information. Private cloud solutions enable IT departments to restrict access to certain files based on an employee’s role, track documents as they are shared with internal and external recipients, and can wipe a device of all information if it is exposed to a security risk such as loss or hacking.

Finally, the key benefit of private clouds is that they provide the flexibility and mobile connectivity to help employees access the information they need from anywhere, at any time, while hosting data within a company’s firewall so all regulatory and security parameters are set and managed by the organization.

Block Risky Services: Even with a secure sharing solution in place, employees may be tempted to try the free services that their friends are using. By blocking these services, enterprises can ensure that mobile workers don’t jeopardize the confidentiality and integrity of the confidential data.

Educating users about the risks of these public-cloud services is another important way to “nudge” them into following best practices for data security. Many agencies have policies in place to secure data against risk, but if employees don’t understand the ‘why’ behind such rules they are more likely to work around company restrictions, thus introducing risk to the network. Education around the ‘why’ will help employees understand the importance of security practices for sensitive organizational information.

Meet Stringent Third-party Security Requirements: Organizations should only select software solutions that have been certified to meet stringent security requirements, such as FIPS 140-2 requirements for U.S. federal agencies.

FIPS stands for Federal Information Processing Standard. The U.S. National Institute of Standards and Technology (NIST) developed the FIPS specification to ensure that government agencies use sufficiently strong cryptographic services, including authentication and encryption, for protecting agency data. If a platform has received FIPS 140-2 certification, organizations can be sure that the platform’s authentication and encryption technology has passed inspection by the U.S. federal government and been approved for use by government agencies. It also means the software has been tested and proven to securely protect data at rest and in transit on mobile devices.

Centralize Access Control and Monitoring: Centralized monitoring allows network administrators and security officers to monitor the distribution of files and to detect anomalous behavior before it leads to data breaches.

Centralized monitoring and logging are essential capabilities for agencies that need to comply with industry IT regulations such as Sarbanes-Oxley (SOX) or the Health Insurance Portability and Availability Act of 1996 (HIPAA).

To comply with HIPAA, for example, healthcare organizations (HCOs) in the U.S. must be able to demonstrate that they can monitor and control the distribution of all files containing Patient Health Information (PHI)—healthcare records that could be used to identify specific patients. If files are distributed over a public-cloud service like Dropbox, the HCO’s IT and security teams will lack any way to monitor the distribution of files. On the contrary, confidential patient data could be easily replicated or distributed broadly, and the HCO would never know until the data breach was exposed, probably resulting in regulatory censure and other penalties.

By using a private cloud solution, rather than a public-cloud service, the HCO’s IT and security teams can ensure that the distribution and storage of PHI adheres to industry regulations and policies.

Connect to SharePoint and Other Important Services: Most enterprises and government agencies have invested in ECM systems like SharePoint. These systems provide advanced role-based controls for file storage and powerful search capabilities to help employees find information quickly.

Unfortunately, accessing these systems remotely can be cumbersome or outright impossible, depending on the configuration of the mobile devices and the ECM system. When access proves difficult, employees sometimes begin keeping local copies of files and copying them from device to device, thereby undermining the security and version-control features of the ECM system.

Organizations should select a sharing and syncing solution that provides access to content stored in these existing systems. This way secure file sharing becomes a natural part of the workflow, and workers in remote locations always have access to the critical files they need, from the device of their choosing.

By following these best practices, enterprises can enjoy the benefits enabled by cloud computing technologies, such as increased productivity and collaboration, while avoiding the security risks that come along with these new capabilities. Rigorously secure software solutions that support a broad range of devices gives network administrators and security teams the controls and monitoring features they need to protect that data that employees need to work, on the device of their choice.

Hormazd Romer is the Senior Director of Product Marketing at Accellion