02/25/2015 / 0 Comments
If your company is like most, your employees are probably using cloud services to share and store files internally and to share them with external vendors and business partners. Even if you have moved to block or discourage the use of certain cloud services, there may still be applications in use by employees without IT’s knowledge.
In a recent study published by the Ponemon Institute, a privacy and data security research organization, IT and IT security professionals estimated that 36% of business-critical applications are running in the cloud, and 30% of business information is now stored in the cloud. But 15% of those applications and 35% of that information is not visible to IT.
This is a clear indicator of the potential risks that companies face when considering the volume of business information that may be stored or that may pass through the cloud, along with how much of this is unknown or invisible to IT.
Worse yet, even with approved cloud services, IT and data security professionals have expressed a significant lack in confidence in the security of cloud-based services.
More than half of respondents said that the use of cloud-based services increases or significantly increases the likelihood of a data breach, and 69% did not agree that their organization’s cloud service providers use enabling security technologies to protect and secure sensitive and/or confidential information.
When it comes to file sync and share (FSS) solutions specifically, IT decision makers shared similar concerns, as summarized in a recent Harris poll and survey report published by Intralinks.
In the poll, 84% of IT decision-makers agreed that “the adoption of free FSS products by employees creates a potential security problem,” and 46% agreed that “data is leaking from my company due to unmanaged use of file-sharing products.”
At the opposite end of the spectrum, however, the amount of trust that some IT decision-makers continue to place in cloud file sharing solutions is alarming. 38% of IT decision-makers say that they would trust file sharing apps like Dropbox or Box to share work files outside their firewall, and 31% said that they would trust these apps for sharing personal financial information such as bank files or tax returns.
This is a remarkably dangerous mindset, and, due to potential vulnerabilities in encryption and user authentication, this trust in popular cloud sharing solutions like Dropbox or Box could potentially put confidential business, personal, and customer information at risk. In fact, the recent hacking of over 7 million Dropbox passwords from external services points to the clear threat that is posed to any business that allows the use of file sharing services without proper cryptography and data protections.
Here are five critical points to consider in ensuring that your cloud file sharing solution has the right security to protect your sensitive business data and prevent a costly data breach.
1. Next-generation User Authentication
The security of a file sharing solution for business is only as good as the security of its user access. The use of ID and password combinations for authentication no longer provides a sufficient level of security to protect user accounts, yet virtually every file sharing and storage solution continues to use this outdated and dangerous approach to login security.
They are all prone to have their user accounts compromised by hacking, phishing, and malware.
Although Dropbox and other cloud file sharing services have attempted to address this issue by offering advanced login security with two-step verification, this feature is merely optional for users. It means that account access is not necessarily secured by a second verification step.
More importantly, however, two-step verification typically involves the use of passwords during the login process, along with a one-time code (OTC) or one-time password (OTP) that the user must receive via SMS text message or a mobile app and then enter through the login. This improves security by requiring access to the mobile device that is registered to the account holder, but it creates several vulnerabilities that are easily exploited.
Just as we have already seen for many years in the case of passwords, any credential entered or transmitted through the user login can be intercepted or redirected, including OTCs or OTPs, which have already been exploited via man-in-the-middle attacks.
Other threats to two-step verification include SIM card cloning, which allows attackers to receive copies of SMS text codes on second devices, and phone number porting, which allows attackers to hijack an existing mobile account and assign it to another mobile device.
The most glaring vulnerability of all, however, is the continued use of the password as an authentication factor in the login process. As we already examined, a password can be stolen during entry into the login or during transmission to the server for verification.
However, the use of passwords also requires the storage of passwords on the authenticating server in order to verify identity and grant access to accounts. This makes the login server an obvious target for attacks because it offers hackers the prospect of potentially obtaining entire databases of passwords and sensitive credentials.
Also, even if a file sharing service’s login process and servers are not compromised through hacking, phishing, malware, or other attacks, the use of passwords means that their customers may be using the same IDs and passwords for other services. So, if those credentials can be stolen from elsewhere, they could be used to access file sharing accounts or servers that use the same credentials. This is exactly the threat that faced Dropbox earlier this year when its user accounts were compromised through the hacking of other services.
The real solution to login security for any cloud sharing service is next-generation authentication with public key infrastructure (PKI), which eliminates all of these vulnerabilities and delivers the strongest possible authentication security to protect access to cloud file sharing services.
Similar to the requirements of ATM and smart card security, PKI authentication provides true two-factor authentication using at least two distinct factors, including knowledge, possession, and/or biometrics.
Instead of using passwords or other vulnerable credentials that can be compromised by attackers, PKI authentication uses encrypted asymmetric software keys, with one generated and used by the authentication server and the other generated and used on the user’s mobile device.
No password or sensitive credential is ever entered through the login interface, transmitted to a server, or stored on a server for the purposes of authentication. This physically eliminates the possibility that hacking, phishing, or malware can compromise file sharing user logins, and it removes the incentive for hackers to target the service’s authentication server in the interest of stealing entire databases of IDs and passwords.
Identify verification is completed with a mobile app using a simple 4-digit PIN, a passcode, or a fingerprint scan, and none of these factors is ever transmitted or shared with the login server. Even the encrypted software keys are generated and stored separately, and they are never transmitted or left vulnerable.
Simply stated, public key cryptography makes it physically impossible for attackers to compromise file sharing accounts.
Best of all, the speed and simplicity of PKI authentication means that login and authentication can be completed in a few seconds, and it can used to protect every instance of file sharing account logins without creating an inconvenience for the user. There are no complex passwords for users to remember or manage, so logging in and authenticating is simple and easy.
As an added benefit, since a file sharing service secured by PKI authentication does not use vulnerable ID and password combinations, it faces no risks of its user logins being compromised when IDs and passwords are stolen from third party services outside your control. So, even if login credentials are stolen from a third party application or service, they can never be used to gain access to your stored files and data.
Also, a solution protected by PKI authentication should provide a convenient API to integrate your file sharing and storage with the third party business applications and software that you use. This way, your third party software programs can store files and data safely in your secure file sharing service, and only authorized users will ever have access to them. The API ensures that next-generation PKI authentication verifies user identity to protect access to your files and data.
With a convenient API, you can work with your software vendors to integrate next-generation authentication and powerfully secure data storage with the applications that they provide for your business. Or, if you use your own proprietary software applications, you can use the API to easily integrate these same features with your own solutions, without needing any specialized security expertise or coding capabilities.
2. Comprehensive Data Encryption
It is not enough to assume that “data encryption” means that your business data will be safe at all times during transfer, storage, uploading, and downloading. In fact, many encryption schemes leave data vulnerable and potentially unprotected by allowing them to temporarily reside in system memory as plain text. To ensure total protection for your data, a cloud file sharing solution must provide AES-256 encryption during every moment of transfer and storage. This comprehensive security ensures that data are never exposed in decrypted form, even temporarily.
3. Control of Files and Infrastructure
The right cloud file sharing service will provide specialized security expertise, advanced cryptography, and convenient tools and administrative controls that make it easy to protect your critical business data and manage your file sharing service through the cloud.
This is extremely important because, with many cloud services, you may never know how its data centers are protected. You may not know whether your data are always encrypted and even who ultimately has access to your data, including your provider’s internal personnel.
This is why it is critical to ensure that your chosen service offers encryption and additional access security that ensures that unauthorized users or individuals can never gain access to your data. For example, a provider should use a shared secret mechanism that requires the simultaneous approval and authentication of multiple administrators in order to access the encrypted server keys for its data center servers.
Of course, if your business prefers to have total control over your data and the architecture and services that provide file sharing, an ideal third party solution will also offer the ability to install and run its cloud sharing technology on your own servers and behind your organization’s firewall.
This provides a private cloud file sharing solution that gives you full control over the underlying architecture and ensures that your data are not stored on external servers or stored along with data from other businesses. Moreover, with an on-premise or private cloud installation, you always have total control over the user database and all user accounts for your file sharing solution. And you can get the added security of your own shared secret mechanism so you can limit access to your server keys and require the simultaneous approval by multiple authorized individuals to access them.
4. Functionality and Performance
Of course, no file storage and sharing solution will be useful unless it offers a full range of collaborative features and reliable, high-speed performance that ensures that employees and external partners can safely and easily upload, download, send, and store files. As an added bonus, premier solutions also offer encrypted messaging so that users can send messages, including attachments, with the same robust protection that secures their files and folders. This enables them to enjoy the convenience of encrypted email within a powerfully secured collaboration tool, with none of the data security vulnerabilities of traditional email infrastructure and software.
One of the keys to helping employees share and collaborate more efficiently is to provide a simple and user-friendly interface, with intuitive controls and features that make file sharing easy. Also important is the need for options to securely share files and folders with external users, by allowing them to have free accounts with your preferred service, or by using secure access links that are password protected and can be configured to automatically expire on a certain date or at a specific time.
Ultimately, the speed and performance of your file sharing service is also critical, so it is important to choose a vendor that offers high-speed, responsive, and secure cloud architecture. Ideally, your vendor should offer the option to install and deploy its secure file sharing solution on your own architecture and behind your firewall. This not only offers greater control for your administrators but can potentially deliver greater speed and responsiveness than anything you can achieve in the cloud.
5. Integration and Customization
Finally, if you like the idea of having total control of your file sharing solution and being able to operate and manage it on your own servers, it is also important to consider your options for integration and customization.
Ideally, your secure file sharing service should easily integrate with your architecture and other applications. This includes the ability to configure your applications to send and store data safely in your own private cloud and the option to integrate the service with your data backup scheme so you can back up your data at regular intervals on another server or even an external hard disk.
Also, customization is another important factor, and a private cloud file sharing service can also allow you to customize the user experience with your own branding, logo, and color scheme. In essence, you can private-label your secure file sharing and storage solution for internal users and external partners, including a custom URL for web access.
Want to learn more about SecSign’s innovative and highly secure
solutions for protecting your user accounts and sensitive data?
Use our contact form to submit your information, and a SecSign sales representative will contact you within one business day.
If you need assistance with an existing SecSign account or product
installation, please see the FAQs for more information on the most common questions. You don’t find the solution to your problem? Don’t hesitate to contact the
Product Support
I am Interested in