File Storage and Sync Services Data Security
This is part one of a three-part series giving insight into observations from our 24/7 security operations center.
As technology moves forward to create capabilities and increase convenience, the focus on security can be lacking, or in some cases completely missing or ignored. In Sword & Shield Enterprise Security’s Managed Security Services operations, we often find this is true of our clients when dealing with file sync services such as Dropbox or Google Drive.
Let’s set aside the employees who become frustrated with the current solution (or lack thereof) offered by their employer and choose to use their own personal versions, and focus on Enterprise File Sync and Share (EFSS). A significant number of events we see in the enterprise environments we monitor stem from the use of file syncing services such as Dropbox and Google Drive, among others. This clearly represents a breakdown in security for many reasons; the most egregious would certainly be data security and control of company assets.
Compounding the problem are vendors that started on the personal side of the market and have now become players on the enterprise side. This transformation has brought with it the same tiered pricing models seen throughout many forms of business and services that offer a free or inexpensive entry-level solution. From a security perspective, unless these tiers are examined for the features that a given business environment requires, they can present a significant security gap.
IT departments need to be aware that these solutions are insecure if not maintained properly or thoroughly vetted for security-focused feature sets.
What is EFSS?
Loosely defined, EFSS is a service that allows users to save or share files to either a cloud or on-premises solution with access from a multitude of platforms including mobile devices. These files can be viewed, edited, and possibly collaborated on simultaneously with others. The appeal to have this ability is ever-growing, and we can see in the sheer number of startup companies that offer these services that there is no end in sight to this growth. Enterprise environments are adopting this trend to increase productivity and collaboration. However, what we are seeing from our 24/7 security operations center (SOC) is that security can take a back seat to convenience.
Sure, team collaboration and sharing provide increases in efficiency, but the cost is often security, and rarely do the two balance.
The Importance of Understanding the Vastly Different Plans
Considering the myriad of plans that exist for these services, we quickly see the level of security built into them differs greatly.
For one solution, the entry level plan offered at a significantly reduced price versus the advanced or enterprise tier reduces the administrator’s ability to control the number of connected devices, integration with enterprise mobility management platforms, network control, SSO integration, and the ability to audit logs and file tracking. Further, advanced training for end users is relegated to only the most advanced tiers of the offering.
It’s not hard to see why a company would choose a lower-tiered plan, especially if it is just getting into the market for this service or cost is a factor. This often puts security professionals at a disadvantage by increasing the risk of data loss through decreased control, gaps in training, and the consequences of theft of devices that can use these platforms, such as mobile phones and laptops. And this can be even more troublesome for companies that don’t have a security presence.
Additional concerns are the ability to keep track of where copies of data reside and which existing controls are being violated. In today’s world, compliance with industry controls and laws dictates just about every move a business makes. What if there is a clean desk policy in effect that may get violated while the worker is polishing up a proposal at home or at the local coffee shop? Or, how about multiple copies of important files that are out in the wild because of remote workers? How about suddenly insecure personally identifiable information (PII)? If the devices are stolen, there is an added risk that sensitive documents could be accessed and dispersed to companies willing and able to accept the bounty.
Free or Personal Versions
As alarming as the differing security levels mentioned above for business versions of file sync platforms are, some of the highest concerns arise when the use of personal or “free” tiered versions is allowed in the environment, or the user simply becomes frustrated with the current solution and uses an alternate solution without notifying the IT department.
It should come as no secret that this can exacerbate security concerns and gaps exponentially.
For instance, we often see that data exfiltration can be significantly more problematic if the workforce can utilize personal accounts versus the controls in place for vetted business applications.
Moreover, the convenience of setting up a free account generally comes with additional third-party software that can decrease the overall security posture even further. This most often includes the addition of advertising or tracking tools which can wreak havoc on resources if left alone in the environment.
Worse yet would be if the third-party company is compromised and distributing exploit kits or something much more nefarious. These add-ons alone pose a security risk in and of themselves, but for them to be on the same host as the platform that syncs potentially sensitive files is troubling to say the least.
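The SOC observations above (personal file sync accounts used alongside or instead of the vetted business service) are the kind of thing that shows up in outbound web proxy logs. The following is an added example, not code from the article or from Sword & Shield: it reads constructed proxy log lines, maps hosts to the file sync services the article names, and totals bytes sent per user to any service that is not on a hypothetical sanctioned list. The log format, the sanctioned list and the 1 MB threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article). Simplified
# format: timestamp user client_ip method host bytes_sent_by_client
SAMPLE_PROXY_LOG = """\
2019-03-04T09:12:01Z jdoe 10.1.4.22 POST content.dropboxapi.com 5242880
2019-03-04T09:13:45Z jdoe 10.1.4.22 GET www.example.com 1200
2019-03-04T09:20:11Z asmith 10.1.4.31 POST drive.google.com 734003
2019-03-04T09:21:09Z asmith 10.1.4.31 POST www.dropbox.com 2097152
2019-03-04T09:30:00Z bkim 10.1.4.40 GET www.dropbox.com 4096
"""

# Domain suffixes that identify each file sync service in web traffic.
FILE_SYNC_SERVICES = {
    "dropbox": ("dropbox.com", "dropboxapi.com"),
    "google_drive": ("drive.google.com",),
}

# Hypothetical policy: Google Drive is the only vetted EFSS for this org.
SANCTIONED = {"google_drive"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<bytes>\d+)$"
)

def classify_host(host):
    """Return the file sync service a host belongs to, or None."""
    for service, suffixes in FILE_SYNC_SERVICES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return service
    return None

def unsanctioned_uploads(log_text, min_bytes=1_000_000):
    """Total client-to-server bytes per (user, service) for services that
    are not sanctioned; return only the pairs at or above min_bytes."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        service = classify_host(m["host"])
        if service is None or service in SANCTIONED:
            continue
        # Only methods that carry a request body move data outward.
        if m["method"] in ("POST", "PUT", "PATCH"):
            totals[(m["user"], service)] += int(m["bytes"])
    return {k: v for k, v in totals.items() if v >= min_bytes}

if __name__ == "__main__":
    for (user, svc), n in sorted(unsanctioned_uploads(SAMPLE_PROXY_LOG).items()):
        print(f"{user}: {n} bytes sent to unsanctioned service {svc}")
```

Note that host matching alone cannot tell a personal account from the company’s business tenant on the same service; distinguishing those requires tenant restrictions enforced at the proxy or the audit logging that only the higher plan tiers provide, which is the article’s point.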
Wrapping it Up
The lure of productivity and collaboration tools is hard to resist, especially in an environment that is tasked with doing more for less or perhaps providing flexibility for a remote workforce. The responsibility to keep the expected level of security is often left up to the end user. However, without proper understanding and training, the user often assumes that security is someone else’s job and therefore not their own responsibility. This becomes a cycle of unintended irresponsibility.
Education and training are key in this respect, as are regular network monitoring and risk assessments. These offer a more conducive and productive environment, but unless these are right up there in the security consciousness, gaps will persist.
What we have seen is even small gaps in training and awareness programs can introduce pitfalls that increase the security risk for many organizations no matter the size. Conversely, a properly vetted and maintained solution will be mostly trouble-free and quite secure.
Sword & Shield partners with you through our managed security services platform to offer world-class security experts and resources to serve as an extension of your internal IT department and security teams. Request a customized demonstration of our MSSP turnkey solution and download the product brief.
The focus of the second installment of this series will be “Free”ware: it has a cost.
Brian Lowe is Sword & Shield Enterprise Security’s security operations center operations manager.
With more than twenty years of progressive, forward-facing customer support, Brian Lowe is highly effective at driving projects to completion with an energetic and positive approach. Brian’s proactive, analytical, and problem-solving mindset helps to make Sword & Shield’s managed security service platform the value to its customers that it is.
As SOC operations manager, Brian manages the SOC team on a daily basis and plays an active role with customers and prospective customers by conducting service demonstrations, leading proof of concept engagements, and writing policies and procedures.