If you’re using enterprise collaboration tools like SharePoint for sensitive, confidential or classified content, it could be less secure than you think. Find out why and what you can do.
You need to collaborate
Collaboration platforms and tools are indispensable for knowledge workers these days. The ability to access data wherever you are and work with it fits today’s mobile world like a tailored suit. The trouble is, the information being shared could be your organisation’s most sensitive – such as new product designs, strategic plans, intellectual property and more.
That makes collaboration platforms a honeypot for ‘just for fun’ hackers, industrial spies and unscrupulous journalists seeking hot scoops. And the risk of exposing confidential, classified or sensitive content is amplified by the special access privileges given to some collaborators. These people aren’t always inside your organisation and may include advisors, subject matter experts, contractors, partners and the like. How can you control how they access, share and use your content?
Why securing the environment isn’t enough
Sure, collaboration platforms are a big improvement on sharing files via USB sticks or email, but that doesn’t make them secure environments. To address that issue, some vendors have added in security functions – but does that make them as secure as a purpose-built platform?
Let’s look at Microsoft SharePoint. It’s long been popular in large organisations and is now available as a cloud service through Azure. Apparently, the software giant went to great lengths to make Azure secure and has obtained ASD certification for Azure and Office 365 at the PROTECTED level, albeit with a ‘Consumer Guide’ clarification.
So what does that mean? Well, Office 365 and SharePoint may be operating in a secured cloud environment, but that doesn’t mean these applications have acquired stronger security features. Secure hosting is just one link in the cyber security chain.
The weakest link
‘The Biggest Azure Security Risk is Not in the Cloud’ Hamish Haldane wrote back in 2015 and little has changed since. The same old vulnerabilities continue at the application level, and security software vendors like Symantec and McAfee are offering the same kinds of products to keep Office 365 secure in the cloud.
In the cloud services world, users are subjected to the same kinds of attacks as they are on-premise. If anything, huge SaaS infrastructures like Azure make even more enticing targets for hackers, as this CBR report confirms: ‘Microsoft Azure users hit by 300% rise in cyber-attacks.’
Late in 2017, Infosec reported that a ‘cloud-to-cloud brute-force attack against Microsoft Office 365 users has hit high-level employees at multiple Fortune 2,000 organizations.’ Slawomir Ligier, VP of Engineering at Skyhigh Networks which remediated the attack, told Infosec: ‘Sensitive data has already moved to cloud applications, so it’s only natural that sophisticated attacks are following’.
He added this key point: ‘Enterprise cloud providers secure their infrastructure, but the ultimate responsibility to control access to sensitive data lies with the customer.’
Also late in 2017, The Guardian reported that accounting giant Deloitte had been hit by an attack on its email servers, in which ‘hackers may have accessed usernames, passwords and personal details of the firm’s blue-chip clients.’ The emails of 244,000 Deloitte staff were stored in the Azure cloud.
Apparently the hackers accessed the servers by using an administrator’s account, which ‘gave them full and privileged access to the information contained within.’ It appears that the compromised servers were not secured with two-factor authentication.
Most security discussions focus on intruders and criminals, yet 25% of data breaches are caused by insiders. These range from careless executives with unwarranted access privileges to disgruntled employees who seek to do harm. Tight control of privileges is essential for secure collaboration.
Certification of a different kind
You may have noticed recently that some security consultancies have launched niche Secure Collaboration Products. Some claim special security credentials for these products even though, on closer inspection, the security credentials are for those staff who work on sensitive government projects.
To explain: it’s common for computer technicians employed by IT groups in Canberra to hold Negative Vetting 1 (NV1) clearance, which gives them access to systems installed in secured areas for upgrades, maintenance and the like. NV1 clearance permits them to work on systems classified as ‘Secret’, while NV2 clearance permits them to work on ‘Top Secret’ installations.
“Most websites you visit are already sharing your activity with a wide network of third parties who share, collaborate, link and de-link personal information in order to target ads” says Jules Polonetsky from the Future of Privacy Forum.
The browsers you use expose you even more: if you store bookmarks and passwords in them, you make it very easy for hackers to learn your habits. That’s how they craft the genuine-looking phishing emails that fool so many users.
Advertisers and search engines also know an awful lot about you, since they track your moves. That’s how they serve up ads that play to your interests. Browsers like Chrome or Firefox can be made more secure by tweaking their settings and keeping them up-to-date, but how many people do that? Do you?
That’s why standard browsers are a threat to secure collaboration, unless the data is encrypted.
As of 2019, smartphones and tablets are the most common devices for accessing the internet. They are inherently more vulnerable than PCs in corporate networks, because PCs at least are monitored by IT staff. Mobile devices are also prone to loss and theft: in London alone, some 200,000 mobile devices are left in taxi cabs every year.
The vulnerability of browsers is most concerning on smartphones, since browser caches retain some of the data the user accessed. On mobile devices, files in use are also stored in the cache before they are encrypted. That’s why truly secure collaboration platforms must offer an alternative, secure access path for mobile devices. Encryption of data is crucial as well, but the real issue is not just which algorithm is used but how the encryption keys are managed. Mostly, they’re kept on the device, which is no protection at all.
In addition, sensitive data must be protected in transit over public networks, which offer little security. To do this you’ll need an encrypted file transfer tunnel or similar, which removes the need to go through a browser. So, for truly secure collaboration, the sensitive information must be secured end-to-end: at its origin, at its destination and in transit, not just where it’s hosted.
The bottom line
The best Secure Collaboration Platforms should be built from the ground up with twin goals of equal weight: security and collaboration, not collaboration first with security cobbled together later on.
Not only should they control which users have access to what kinds of information, but also how they can work with that information, who they can share it with or send it to and more. Aligning users, content and context only goes so far; you need to be sure your collaborators comply with your business rules and processes or you leave the job half done and the door partly open.
Given that collaborators on major projects work inside and outside your organisation, workflow-based business controls are a robust way to ensure that they all follow the same rules – yours. It requires a higher level of functionality and granularity than most platforms offer, but it raises security to a new level.
Another way to ensure optimal protection of sensitive data is to keep it tightly compartmented. The principle of ‘least privilege’ or ‘need to know’ has been used by armies to protect sensitive military information since antiquity. These days, the most advanced Secure Collaboration Platforms use compartmentation to ensure that even those with the highest security clearances won’t see sensitive data, let alone access it, unless it’s essential for doing their jobs. We saw what happened when this principle was not followed; remember Chelsea Manning?
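To make the compartmentation point concrete, here is a small Python model of a need-to-know check, covering both the access control and the sharing control described above. It is an added example written for this article, not code from any vendor’s platform; the classification levels, compartment name ‘FALCON’ and user names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed classification hierarchy (assumption: a simple linear ordering).
LEVELS = {"UNCLASSIFIED": 0, "PROTECTED": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    """Level plus compartments; used for both document labels and clearances."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

@dataclass(frozen=True)
class Principal:
    name: str
    clearance: Label  # highest level held, and compartments the person is read into

@dataclass(frozen=True)
class Document:
    title: str
    label: Label

def check_need_to_know(clearance: Label, label: Label) -> tuple:
    """Return (allowed, reason). Both tests must pass; a higher clearance
    never substitutes for being read into the document's compartment."""
    if LEVELS[clearance.level] < LEVELS[label.level]:
        return False, f"clearance {clearance.level} is below {label.level}"
    missing = label.compartments - clearance.compartments
    if missing:
        return False, "not read into " + ", ".join(sorted(missing))
    return True, "ok"

def can_view(user: Principal, doc: Document) -> bool:
    return check_need_to_know(user.clearance, doc.label)[0]

def can_share(sender: Principal, doc: Document, recipient: Principal) -> bool:
    """Sharing follows the document's label, not the sender's discretion:
    the recipient must independently pass the same need-to-know test."""
    return can_view(sender, doc) and can_view(recipient, doc)

# Constructed sample data: one compartmented document and three users.
FALCON_DESIGN = Document("Project Falcon design", Label("SECRET", frozenset({"FALCON"})))
ALICE = Principal("alice", Label("SECRET", frozenset({"FALCON"})))    # read in, same level
BOB = Principal("bob", Label("TOP SECRET", frozenset()))               # higher level, not read in
CAROL = Principal("carol", Label("PROTECTED", frozenset({"FALCON"})))  # read in, level too low

if __name__ == "__main__":
    for person in (ALICE, BOB, CAROL):
        print(person.name, check_need_to_know(person.clearance, FALCON_DESIGN.label))
    print("alice shares with bob:", can_share(ALICE, FALCON_DESIGN, BOB))
```

The reason string returned by check_need_to_know is what you would write to an audit log, so that denied attempts by highly cleared users who are not read into a compartment are visible for review.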
So, how secure ARE your sensitive collaborations?
If you’re not sure, contact us about patented Secure Collaboration technology.