Your customers' data is more at risk of being stolen or tampered with by those inside the company than by outsiders. It's the IT solution provider's job to get customers first to wrap their heads around that disturbing fact, and then to help them prevent catastrophe. Here, the CEO of Egnyte, a vendor of cloud file server solutions, discusses how IT solution providers can help their customers protect their most valuable asset: their data.— Jennifer Bosavage, editor
“Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis.”
That’s how U.S. Army intelligence analyst Brad Manning described the IT system of the United States Army in 2010. Manning, if you recall, also downloaded the 260,000 diplomatic cables and other classified data later made public by Wikileaks.
The Manning incident embodies some important trends in information security. For one, most data is stolen from inside servers rather than from the outside, according to the Verizon 2011 Data Breach Investigations Report. More than 80 percent (83 percent) of victims were “targets of opportunity,” and 92 percent of attacks were “not highly difficult.” Simple or intermediate controls would have prevented 96 percent of the breaches.
The U.S. Army and its rogue former analyst are Hollywood-grade examples of some very common security threats. You don’t have to be high profile to make the grade for hackers. Indeed, “Small companies, which are making the leap to computerized systems and digital records, have now become hackers' main target,” according to a recent Wall St. Journal article. Small businesses lacking the big bucks or know-how of their Corporate America compatriots become easy bait for those “not highly difficult” attacks.
How Being a Cloud Services Provider Can Help
In the world of IT security, cloud computing comes with built-in protections, a real boon for the small and medium-sized businesses (SMBs) that can’t afford to build these systems in-house. When promoting a cloud-based solution, highlight key standard protections, including:
• Multi-factor authentication. Your server should check, for every user, the username, the password and the company-specific domain the customer is logging into.
• Protection against cross-site request forgery and cross-site scripting. Your server should also store passwords only in scrambled (hashed) form, so that if an attacker gets hold of your password database, the passwords are indecipherable.
• High-end firewalls and routers.
• Good encryption. Web browser and desktop access should be encrypted over SSL to protect against sniffers on the network. Data at rest should also be encrypted.
• Good physical security. That includes locked, guarded colocation facilities with strong physical access controls and video surveillance.
• Segregation of customer data, enforced by accompanying every request with tamper-proof user identity credentials, even for offline sessions.
• Proactive security measures. The system should detect and log unsuccessful login attempts for monitoring by the administrator. The cloud provider should be proactive about monitoring network activity, retaining all log files and analyzing them in real time.
Bulletproof Your Business Processes
A cloud vendor provides the underlying security technology, but IT solution providers can work with customers to provide the business processes that guide its use. Business-class cloud solutions give you a high level of granularity in your controls. You want the ability to set access rights per user, specifying read, write and delete separately. That is especially important with mobile access, where users can log in anytime, anywhere, via any network.
Let’s say all of a company’s employees have been given iPads. Do all of their files always remain in the cloud in case an iPad is stolen? Are employees allowed to download company information to their iPads? IT solution providers must guide their clients through the decision-making process: weigh the level of risk that is acceptable against the level of flexibility given to employees. A good cloud file server will let you decide by user and by session. For example, a company’s C-level executives may be allowed to keep their iPad files offline, while part-time remote engineers cannot.
Customers must be proactive about auditing. Logs should be audited for operations against sensitive data, such as changes to permissions, password changes and login attempts. Periodically review the audit reports for unauthorized activity. Look for patterns, and pay attention to exceptions to those patterns. Here are some things to note:
• How often do you make people change their passwords?
• How often do they have to use their passwords?
• Is there a peak in download activity by an employee?
• How often are clients connecting to your customer's account? Which ones are connecting?
• Is your customer aware of every new client that joins the account? If not, there’s a problem.
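The checks in this list and the failed-login monitoring described under “Proactive security measures” can be scripted against a day's audit log. The following is an added example and not Egnyte's code; the log format, user and client names, and baselines are constructed for illustration.

```python
from collections import Counter

# Constructed sample audit log; the field names, users and clients are assumptions,
# not a real product's log format.
SAMPLE_LOG = [
    "2011-05-02T08:55:10Z user=alice client=laptop-01 event=login result=ok",
    "2011-05-02T09:05:00Z user=alice client=laptop-01 event=download path=/sales/q1.xlsx",
    "2011-05-02T09:06:00Z user=alice client=laptop-01 event=download path=/sales/q2.xlsx",
    "2011-05-02T09:30:00Z user=carol client=unknown-sync event=login result=ok",
    "2011-05-02T09:31:00Z user=carol client=unknown-sync event=permission_change path=/hr target=dave",
]
# bob: five failed logins, then a success, then an unusual burst of downloads.
SAMPLE_LOG += [f"2011-05-02T09:01:{10 + 10 * i:02d}Z user=bob client=ipad-7f3 event=login result=fail"
               for i in range(5)]
SAMPLE_LOG += ["2011-05-02T09:03:00Z user=bob client=ipad-7f3 event=login result=ok"]
SAMPLE_LOG += [f"2011-05-02T09:{10 + i:02d}:00Z user=bob client=ipad-7f3 event=download path=/hr/file{i}.pdf"
               for i in range(12)]

SENSITIVE_EVENTS = {"permission_change", "password_change"}

def parse_log(lines):
    """Turn 'timestamp key=value ...' lines into dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        ts, _, rest = line.partition(" ")
        fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        if "user" in fields and "event" in fields:
            fields["ts"] = ts
            events.append(fields)
    return events

def audit(lines, known_clients, download_baseline, fail_threshold=5, spike_factor=3):
    """Return the findings an administrator should review from one day's log."""
    events = parse_log(lines)
    fails = Counter(e["user"] for e in events if e["event"] == "login" and e.get("result") == "fail")
    downloads = Counter(e["user"] for e in events if e["event"] == "download")
    clients = {e["client"] for e in events if "client" in e}
    return {
        # repeated failures against one account: password guessing or a locked-out user
        "failed_login_bursts": {u: n for u, n in fails.items() if n >= fail_threshold},
        # a user pulling far more than their usual daily volume (possible bulk copying)
        "download_spikes": {u: n for u, n in downloads.items()
                            if n > spike_factor * download_baseline.get(u, 1)},
        # devices or apps the customer never registered on the account
        "unknown_clients": sorted(clients - set(known_clients)),
        # every permission or password change, listed for manual review
        "sensitive_changes": [e for e in events if e["event"] in SENSITIVE_EVENTS],
    }

if __name__ == "__main__":
    findings = audit(SAMPLE_LOG, known_clients={"laptop-01", "ipad-7f3"},
                     download_baseline={"alice": 5, "bob": 3})
    for name, hits in findings.items():
        print(name, hits)
```

The baseline is the customer's own typical daily download count per user; the spike factor and failure threshold are starting points to tune against real traffic.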
Don’t Be a Dead Fish in the Cloud
Can you imagine how Bradley Manning might have described a failed attempt to breach the systems of the U.S. Army? “Strong servers, strong physical security, attentive audits, encryption, clear and consistent business rules.” With the right kind of cloud server, lip-synching Lady Gaga songs would not have been enough to cover up Manning’s download of classified files. By using the right server and abiding by the right tips, you, too, can keep your data where it belongs. (Ed. note: For more on selling cloud solutions, see: 8 Questions You Need To Answer When Selling a Cloud Solution.)