File Sharing: How to Minimize Risks
Taking the Right Breach Prevention Steps
The risk that hackers could target cloud-based file-sharing services must not be overlooked, security experts warn. That's because not all these services offer adequate security features, such as robust multifactor authentication and encryption. And, equally important, not all users take advantage of such features when they're offered.
Plus, in many cases, individual employees are using, without approval, file-sharing services that the enterprise has never vetted, creating the risk that corporate information leaks.
As a result, hackers are viewing file-sharing services as prime potential targets for obtaining personal information, which can be used to perpetrate identity theft and fraud, warns Tyler Shields, a senior analyst at Forrester Research.
"If a hacker is able to take control of a file sync and share system as a whole, they would have access to an unprecedented amount of personal and enterprise data," Shields says. "Luckily, this hasn't happened that we are aware of yet."
File-sharing services, such as Box, Accellion, Intralinks, Dropbox and others, are attractive because they help solve three big productivity problems, says Ted Schadler, a Forrester vice president and principal analyst, in a recent blog. The services enable "getting all your work files on every device you use for work, sharing files with colleagues, and sharing files with trusted partners and customers," he notes.
Many organizations have a preferred vendor to handle file-sharing services and consider it a security violation if employees use the services of a different vendor, says Ira Winkler, president and co-founder of security consulting firm Secure Mentem, and former intelligence and computer systems analyst at the National Security Agency.
Employees using file-sharing services on their own can represent a significant threat to the security of enterprise data, says Al Pascual, director of fraud and security at Javelin Strategy and Research. This is because the enterprise can no longer properly account for its data, whether it's intellectual property or customer information.
"Fortunately, corporations are beginning to open up to the idea and providing for formal access to these services, which in turn leads to a formal accounting of what data is being stored and transmitted," Pascual says.
But based on his assessment so far, Winkler sees an inconsistency when it comes to security among file-sharing vendors. For example, "Some may or may not have multifactor authentication," he notes.
For industries where there are significant regulatory or national security concerns, the level of security and administrative control offered by file-sharing services has generally been found to be deficient, Javelin's Pascual contends.
Still, the front-end controls for most of the file-sharing sites are not easily bypassed by hackers, says Christopher Paidhrin, security administration manager in the information security technology division at PeaceHealth, a healthcare system in the Pacific Northwest. "The social engineering - side door - approach is much more effective, less costly and permits bad actors to assume the identities of insiders to act as surrogate agents," he says.
Dan Lohrmann, former Michigan state CISO and now chief strategist and chief security officer at security awareness training firm Security Mentor, says it's not the big-name file-sharing companies that worry him, but the hundreds of smaller players. "I have no idea what these companies are doing with your company data or how you verify anything," he says. "There should be a big red flag on these. But how do you stop employees from going there? Are those steps working?"
To help minimize the risk of a breach, Winkler advises enterprises to blacklist employee access to domains for any file-sharing services other than those officially authorized by the organization.
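One way to act on that advice is to audit outbound web-proxy logs for file-sharing domains that are not on the organization's approved list. The script below is an added illustration, not code from the article or from any vendor named in it; the approved-vendor set, the watch list of file-sharing domains, the hostnames and the log lines are all constructed for the example.

```python
"""Flag proxy-log requests to file-sharing services the organization has not approved."""
from urllib.parse import urlsplit

# File-sharing services the organization has sanctioned (assumed for this example).
APPROVED = {"box.com"}
# Known file-sharing services to watch for (assumed, deliberately partial list).
KNOWN_FILE_SHARING = {"box.com", "dropbox.com", "accellion.com", "intralinks.com"}


def registrable_match(host, domains):
    """Return the entry in `domains` that `host` equals or is a subdomain of, else None.

    Matching is label-aware: 'files.dropbox.com' matches 'dropbox.com',
    but 'notdropbox.com' does not, so look-alike hosts are not misclassified.
    """
    host = host.lower().rstrip(".")
    for domain in sorted(domains):
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def classify(url):
    """Classify a URL as 'approved', 'unapproved' (known service, not sanctioned) or 'other'."""
    host = urlsplit(url).hostname or ""
    service = registrable_match(host, KNOWN_FILE_SHARING)
    if service is None:
        return "other"
    return "approved" if service in APPROVED else "unapproved"


def audit(log_lines):
    """Parse constructed log lines of the form '<timestamp> <user> <url>' and
    return (user, host) pairs for every request to an unapproved file-sharing service."""
    findings = []
    for line in log_lines:
        _timestamp, user, url = line.split(maxsplit=2)
        if classify(url) == "unapproved":
            findings.append((user, urlsplit(url).hostname))
    return findings


# Constructed sample proxy log; usernames and paths are fictitious.
SAMPLE_LOG = [
    "2014-05-01T10:02:11Z alice https://app.box.com/folder/1",
    "2014-05-01T10:05:43Z bob https://www.dropbox.com/s/abc/report.xlsx",
    "2014-05-01T10:06:02Z carol https://notdropbox.com/login",
    "2014-05-01T10:07:55Z dave https://files.accellion.com/share",
]

if __name__ == "__main__":
    for user, host in audit(SAMPLE_LOG):
        print(f"unapproved file-sharing access: user={user} host={host}")
```

The same classification can drive a proxy block rule; here it only reports, which is the safer first step while the approved list is still being agreed.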
Other Mitigation Steps
Enterprises considering using a file-sharing service should "ensure people have to go through valid log-on processes" to use the service, Winkler stresses. "It sounds basic, but ensure that their software is secure against basic attacks like cross-site scripting. They should [also] encrypt files when they're stored."
Plus, it's important to identify all applicable regulatory compliance requirements and their respective standards to help define a baseline for an organization's security policies for file-sharing services, Paidhrin of PeaceHealth notes. "These standards will correlate to the minimum controls you'll need to demonstrate due care and due diligence."
PeaceHealth has exercised caution when evaluating file-sharing and collaboration services, Paidhrin says. "We've only approved one in the past three years," he explains - a collaboration platform to securely share personal health information.
But the healthcare organization recently signed on to deploy a hybrid on-premises and cloud-service delivery solution for secure file-sharing, Paidhrin says.
Accellion and Dropbox, two of the largest players in file sharing, say they're taking several steps to secure their product offerings.
Accellion offers encryption, customizable administrator settings to ensure only authorized users have access to specific data sets or file groups, and multi-factor authentication options, says Hormazd Romer, a senior director. The company also offers a choice of private on-premises or hosted cloud deployment.
Over the past two years, many of the high-profile online file sharing and collaboration service providers have stepped up their security efforts, Paidhrin acknowledges. "Large actors have greatly improved their security posture with many strong security controls, features, audit logs and access controls. The service landscape is improving as the customers have demanded greater accountability and depth of security controls."