Category Archives: Security

DELUSIONS OF ADEQUACY: WHY PRESIDENTIAL POLICY DIRECTIVE 41 FALLS SHORT

Delusions of Adequacy

President Obama’s recent policy directive on cybersecurity was eight years in the making. Unfortunately, its proposed actions are barely adequate to the massive task of defending against the onslaught of daily cyber attacks on U.S. companies and government agencies.

The new document, Presidential Policy Directive 41, is supposed to improve government and private-sector coordination in dealing with major cyberattacks. Among other things, the directive lays out which agencies will handle tasks related to a major cyber breach.

For example, the FBI gets tasked with conducting breach investigations, while DHS has the lead for providing “technical assistance” to breach victims “to protect their assets, mitigate vulnerabilities, and reduce impacts of cyber incidents.”

The White House’s Office of the Director of National Intelligence takes the lead for “intelligence support and related activities.” And of course there will be lots of “coordination” among these agencies through a newly set up Cyber Unified Coordination Group.

New Color Scheme for Cyberattacks

In addition to the directive, the administration released a five-level cyber incident severity schema, setting up a common framework for assessing the severity of cyber attacks, similar to the DHS’s national terrorism advisory system threat-level matrix. There is an attractive color palette of white, green, yellow, orange, red, and black to categorize everything from an “inconsequential event” to a cyber event that “poses an imminent threat” to critical infrastructure, federal government stability, or to the lives of U.S. citizens.

Unfortunately, the U.S. government has zero credibility when it comes to establishing effective policies and procedures on cybersecurity. Just look at the number and scope of federal agency breaches over the last few years – the Office of Personnel Management, the Internal Revenue Service (twice), the State Department, the U.S. Postal Service, the Department of Commerce, and the Federal Deposit Insurance Corp, not to mention the recent Democratic National Committee email hack and Hillary Clinton’s questionable handling of government email while she was secretary of state.

While highly regulated industries must provide strong data security or face government fines or other regulatory action, no one is keeping the government itself honest; no one is threatening the government with fines or any other actions. Accountability forces the private sector to be proactive about data security, but the government can do anything it wants.

Securing Data Before It Is Breached

But the directive and schemata beg the question: What are you going to do to secure your data before it is breached?

This directive does nothing to help CIOs, whether in the government or in the private sector, prevent these breaches in the first place. The guidelines are too focused on what to do after an attack – there is no mention of any type of preventative measures improving user behavior.

Instead, public and private entities should be asking: What kind of sensitive data do we have, and who needs to access it? What is our plan for controlling who has access to data? What are more secure ways people can share this sensitive data other than email? Does our current security plan have provisions for data at rest and data in motion?

Most companies have strong protection of data at rest when it is stored on their servers. But when data is in motion, within the company or to outside individuals or vendors, protections are often weak. The weak link in your data security plan is when data is in motion and/or outside of your control.

Instead of expecting the federal government to do something, it is up to the private sector to take action to protect data at rest and in motion before the data is stolen by cyber criminals or nation-states.

By Daren Glenister

Modern Artificial Intelligence Solutions

Artificial Intelligence

The field of Artificial Intelligence (AI) is perhaps one of the more exciting tech arenas today, due not least of all to the outlandish visions of science fiction films and novels. However, the gap between imagination and reality is steadily diminishing, and we already see the likes of KITT Car in today’s AI controlled driverless cars. Moreover, though the AI robots hitting the market aren’t quite as sophisticated as those of I, Robot (nor as alluring as Austin Powers’ Fembots) the potential of personal humanoid robots is swiftly progressing. However, these sensational advents are only one aspect of AI; Big Data, data analysis, and machine learning are the less glamorous but invaluable disciplines significantly intertwined with AI. Thanks to the rapid progress of AI technology, many of these tools are becoming available to small and medium organizations too.

The Cloud & AI

DimensionalMechanics is one startup putting AI to work with the launch of NeoPulse™, their cloud-based enterprise artificial intelligence platform.

Consisting of solutions NeoPulse Profile, NeoPulse Expert, and NeoPulse 3D, their product makes use of deep learning techniques when tackling complex data analysis, the collection of content, and simulation challenges through the integration of ‘human-like intuition’ into existing systems. In an exclusive with CloudTweaks, Rajeev Dutt, co-founder and CEO of DimensionalMechanics, says, “The feedback, insights and excitement we hear from development partners tell us that our new AI solutions are addressing real market challenges. Right now we’re working with a major broadcast media company to analyze online news content, images and video, identifying characteristics that help with curation and drive engagement, including clicks and readership, among key audience members. We’re also working with a major fashion and apparel design technology company to develop an application for designers, enabling them to create highly realistic 3D images at a quality suitable for detailed design, display, and analysis. The 3D simulation translates to gaming development, virtual reality and augmented reality as well.”

A Targeted Approach

Delivering their platform and product offerings to development partners, DimensionalMechanics is initially focusing on fashion and retail technology, the broadcast media, and interactive entertainment gaming industries. Says Dutt, “We are squarely focused on horizontal artificial intelligence for enterprise users, using AI to solve wide-ranging market challenges, rather than address a single problem. With that in mind, we built NeoPulse as a cloud-based, fully extensible platform so that it would be flexible and developer-friendly. NeoPulse has the potential to make AI a scalable centerpiece of enterprise operations, lowering barriers and expanding access so that businesses can readily incorporate the power of AI into their existing systems and decision-making processes.”

Currently working with development partners on use cases, DimensionalMechanics is collaborating with a leading broadcast media company in the analysis of online news coverage, identifying features which lead to the highest levels of engagement. Concurrently, an advanced 3D design simulation application is being built for a large fashion design technology company, allowing designers to input pattern specs, fabric, and body types with resulting visualizations of the end product.

Artificial Intelligence for Business

The role of AI in business is expanding, and Gartner predicts that by 2018, more than 3 million workers globally will be supervised by a “robo-boss,” while 20% of business content will be authored by machines. We can expect to see many more business-focused and practical AI assimilations in the coming years. States Dutt, “From the start, we’ve been driven to take artificial intelligence from the abstract into the tangible and provide real solutions to pressing enterprise concerns. It’s like the early days of the airplane – you can try replicating the bird, or you can focus on flying. We’re less interested in recreating the human brain itself than in leveraging AI technology’s human-like intuition in innovative, useable ways.”

By Jennifer Klostermann

How The CFAA Ruling Affects Individuals And Password-Sharing

Individuals and Password-Sharing

With the 1980s came the explosion of computing. In 1980, the Commodore ushered in the advent of home computing. Time magazine declared 1982 was “The Year of the Computer.” By 1983, there were an estimated 10 million personal computers in the United States alone.

As soon as computers became popular, the federal government began to legislate their use. In 1986, the Comprehensive Crime Control Act was amended to include the Computer Fraud and Abuse Act (CFAA). The CFAA criminalized trafficking in passwords, distributing malicious code, and other computer-related acts.

The CFAA has been amended five times in four decades (including in 2001 when it was amended by the Patriot Act), and the courts have interpreted it in ways that further extend its scope. The result is a law that Tim Wu called “the worst law in technology.” As part of his article for The New Yorker, Wu wrote:

Orin Kerr, a former Justice Department attorney and a leading scholar on computer-crime law, argues persuasively that the law is so open-ended and broad as to be unconstitutionally vague. Over the years, the punishments for breaking the law have grown increasingly severe—it can now put people in prison for decades for actions that cause no real economic or physical harm. It is, in short, a nightmare for a country that calls itself free.

Wu wrote these words in 2013, and the CFAA is only worse today. It goes far beyond its original intent to target cybercriminals and hackers, and now threatens many normal people, using their computers in harmless and legitimate ways.

Nothing demonstrates this as ominously as the July 5 opinion from the U.S. Ninth Circuit Court of Appeals. In this opinion, the court found that sharing passwords can be grounds for prosecution under the CFAA. Theoretically, this means a husband could be prosecuted for sharing a banking password with his wife, or vice versa.

The court issued this opinion knowing full well the implications of it. They state in their opinion, quoting part of another court’s ruling:

“We are mindful… that ill-defined terms may capture arguably innocuous conduct, such as password sharing among friends and family, inadvertently ‘mak[ing] criminals of large groups of people who would have little reason to suspect they are committing a federal crime.’”

Their “mindfulness” will be of cold comfort to Americans who are prosecuted under CFAA. It’s not only innocuous password-sharing that makes someone run afoul of the Act; it has also been used to prosecute the violation of terms of service agreements. Most infamously, the FBI used it to pursue Aaron Swartz. Swartz was a programmer and activist who downloaded research papers from a database at MIT, in violation of its terms of service. The fact that he was a research fellow at MIT, with authorized access to the database, didn’t matter. Swartz committed suicide while under federal indictment.

The July 5 opinion from the Ninth Circuit Court of Appeals will turn many others like Swartz into criminals. The dissenting judge on the case noted this, stating that the majority opinion “… loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”

The vagueness of the CFAA and the nuances of terms of service, which vary from company to company, make this ruling dangerous for ordinary corporate and individual citizens. Will sharing a bank or Netflix password with a spouse or child be a federal crime? The only way to know would be to find the terms of service, find any clauses that apply to password- or account-sharing, and work out how it legally applies in each case. It’s not simple or straightforward.

Take the examples of Netflix and HBO Go. Both subscription-based services have limits that prevent too many people from using the same account. Both companies’ CEOs have stated account-sharing is positive. They view it as an excellent way of marketing their services.

Yet this ruling raises many questions about what the government may consider an offense worthy of prosecution, regardless of what Netflix or HBO thinks about it. Is it a violation of the CFAA if a Netflix account owner enters the password to their account to watch a show on a friend’s device? Does that count as password-sharing?

The situation gets even murkier when:

  • A service’s terms of service do not specify if you can or cannot share passwords.
  • It’s not easy to find the terms of service.
  • The login to a service uses a multi-factor login (such as a Facebook account) rather than a password. In this situation, does sharing your Facebook account then count as password-sharing for the other service?
  • Corporations keep password libraries for use of many employees in the same company.

This ruling also fails to account for the practical nature of life and business. How can a parent or business plan for serious illness, death, or other significant events without consensual password-sharing? Our personal and business lives revolve around myriad disparate online services requiring password access, and in some cases not sharing those passwords could lead to serious business or personal disruptions. Consider, for instance, a wife using her husband’s bank accounts to pay the bills while he is in the hospital.

It’s dispiriting to watch individuals being prosecuted. The CFAA has veered far from its original intent of targeting hackers and other egregious offenders. It’s possible it will be used like the Digital Millennium Copyright Act (DMCA) was used to go after illegal file sharers in bulk, going after the many, many Americans who innocuously share their passwords with others.

 

Sadly, this is only one of many recent examples of the courts extending the scope of criminal law in a way that seriously undermines people’s ability to function and do business on the Internet. The cases of Lavabit and Apple clearly show the encroachment of government fingers into the electronic privacy rights of American citizens.

There is some steady light at the end of this tunnel. In another ruling shortly after the July 5th one, Facebook v. Power Ventures, a separate court ruled that a person can willfully pass along their authorization to specific login credentials to another person. However, even this ruling leaves many unanswered questions as to what types of activity are allowed and what “authorized access” exactly means. In particular, under what specific conditions can this delegated access be revoked such that continued use would be considered a crime?

The message of these cases: The government gets to dictate how Americans use computers and the Internet, regardless of their rights or what makes sense. Americans should be vigilant in staying on top of the legal developments surrounding their online lives, and communicate loud and clear with their representatives to let them know what they think about legislation such as the CFAA.

By Erik Kangas

THE CLOUD IS FUELING THE TECH SECTOR’S PROFITS

The Tech Sector’s Profits

The tech industry continues to generate huge profits, and for good reason. Internet usage in its various forms keeps growing, leading to demand for tech-related products and services.

Over the years, various sectors within tech have driven revenue, and the latest is the cloud. Here is a look at how technology companies are harnessing the cloud to generate billions of dollars in revenue, as well as which companies may be left behind.

Why the Cloud, and Why Now?

Huge profits are nothing new for the tech industry. In the 1990s, the internet rolled out to the mainstream, causing PC sales to skyrocket and the dot.com boom – and subsequent bust. Later, internet advertising began generating revenue.

While other sectors still make plenty of cash, the cloud is the latest driver, and it has mobile technology to thank.

These days, 68 percent of U.S. adults own a smartphone and 45 percent own a tablet. For many, mobile devices have become the go-to device for web browsing and other online activities.

However, mobile devices such as smartphones and tablets don’t have the memory PCs do. That means much of the data and information consumed via mobile devices is stored on the cloud.

Take music, for instance. Ten or 15 years ago, you likely had all of your music stored directly on your computer and/or iPod. Today, more and more music lovers rely on streaming services such as Spotify or Google Play to host and manage their music collections, driven by the cloud.

The Proof Is in the Profits

Look no further than the recent round of earnings reports to see the influence the cloud has on the tech industry.

During the second quarter of the year, Amazon’s cloud unit reported nearly $3 billion in revenue, a 60 percent increase.

Google and Microsoft are also huge players in the cloud space. The segment of Google’s business that includes its cloud services rose 30 percent to $2.2 billion in the second quarter, while Microsoft expects its cloud-computing businesses to generate $20 billion in annual revenue by 2018.

Further, because the mobile internet largely depends on it, the cloud generates plenty of indirect revenue as well.

Take mobile marketing, which mainly serves ads to users via cloud services. Facebook is expected to generate more than $23 billion in global ad revenue this year, and in the second quarter, 84 percent of its ad sales were mobile. That’s just one company.

Not All Companies Benefit

One sector that has taken a hit with the rise of cloud computing is the PC market. With smartphones and the cloud now the main focal points of the tech sector, companies that depend on PC technology for their revenue have suffered.

For example, PC chip manufacturer Intel saw profit decrease 51 percent in the second quarter, as the company restructures to focus less on PCs. Intel should be back, however – it hopes to use its technology to become a company that helps run the cloud, which needs a massive amount of servers to operate.

The Cloud’s Drawbacks

Cloud computing is on a roll, but it’s not without its faults. The top concern among business and IT professionals with migrating their digital setups to the cloud is security. In fact, in a recent survey, 67 percent said security would slow down migration, while 55 percent believe there will be more data breaches or other security issues.

That said, businesses of all sizes are using the cloud for their IT infrastructures, and there are still years of growth to come. When large and influential tech companies like Google and Microsoft say they’re going to invest and innovate in cloud computing, it’s a safe bet the dollars will continue to flow.

By Kayla Matthews

THE AGE OF DATA: THE ERA OF HOMO DIGITUS

The Age of Data

In our digital era, data deluge, the soaring amount of data, is an overriding feature. That’s why it’s fitting to focus on the concept of Homo Digitus, which I first learned about in “The creative destruction of medicine: How the digital revolution will create better health care,” by Eric Topol, and which was more recently highlighted as a Gigaom conference theme. In Topol’s vision there is a new human species, Homo Digitus, that benefits from the data deluge brought about by the convergence of the digital and physical world. They track sleep quality with brain-wave headbands, monitor vital signs with wrist transceivers and use cell phones for self-diagnosis, amongst other things, realizing the opportunity for a much more evolved life.

Data is the New Food

Each evolution of the human species delivers on the promise of a smarter human far more capable than the species that preceded it. In earlier species, humankind looked for new ways to improve hunting and gathering of food, and in some parts of the world, such was their mastery that they even created an oversupply of certain foods. Homo Digitus sees data as the new food, and you’d be challenged to find any facet of life that has not been revolutionized by data deluge. There are a great many varying estimates of how much data is created every year, but everywhere you look volumes of data are soaring.

Mostly, it’s been for the better good of humankind. With new data points we’ve experienced great transformation in the quality of services, business process and everyday living. We’ve come to have a great reliance on the benefits that data deluge brings. Consider how often an individual might use map services to estimate a commute, or an app to compare shopping prices, and, for business, the productivity and economic gains from using data points to estimate customer preferences, improve customer service and speed business delivery times.

Data Exploitation

Conversely, data is also exploited and misused in ways that leave humankind fragile and put businesses at great risk. Data breaches, privacy infringements, identity and data theft, and unauthorized data access and changes abound. Every day we read of some new exploit, more egregious than the previous, where criminals have found a new way to extract data and then profit from the sale of that data.

There are also businesses who have started to use data from individuals in a way that is not always very transparent. That’s stating it in very simplistic terms. However, as great a risk might be posed to businesses by well-intentioned individuals who accidentally misuse or overshare data. It’s only natural, considering that for many individuals digitization occurred midway during their lifespan and dealing with the data deluge is not yet a completely natural phenomenon. Also, our lives are increasingly fast paced, workplaces are more pressurized and the gap between home and work is narrower, so workers are prone to accidentally misusing data. For example, it’s very easy to accidentally drag and drop a file into an email and send it as an attachment.

Controlling the Data Deluge to Maximize on Homo Digitus

What’s needed is a way that allows Homo Digitus to benefit from the positive effects of data deluge but with the safety net that data flows are being directed to only those authorized to have access. In an enterprise, being able to proactively determine data flows and then implement additional safeguards based on a comprehensive set of attributes, ranging from geolocation, network and device down to multiple facets of identity, will be critical, given the sophistication of data exploitation. Information security tools have traditionally been associated with impeding progress. Newer solutions need to be easy to implement, with policy attributes stated in a way that is business-consumable. Homo Digitus is still in the process of being shaped. Now is the time to ensure that data deluge does not become the destroyer of this species and remains the positive enabler.

By Evelyn de Souza

Lavabit, Edward Snowden and the Legal Battle For Privacy

The Legal Battle For Privacy

In early June 2013, Edward Snowden made headlines around the world when he leaked information about the National Security Agency (NSA) collecting the phone records of tens of millions of Americans.

It was a dramatic story. Snowden flew to Hong Kong and then Russia to avoid deportation to the US, where the government had charged him with violations of the Espionage Act. Journalists boarded a flight from Moscow to Havana on the speculation Snowden would be onboard. Some called him a hero; others branded him a traitor and a villain.

Meanwhile, on June 28, 2013, FBI agents showed up at the door of Ladar Levison. Levison owned an email service called Lavabit, and the agents had a pen register order requiring him to hand over the metadata for the email activity of a particular customer’s account. However, Levison argued that to do this, he’d have to reprogram the entire encryption system that protected his users’ privacy.

The court sealed the case, so the first the public heard of it was when Levison ended his email service, stating on Lavabit’s website: “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul-searching, I have decided to suspend operations.”

The full text of his statement is still available on the Lavabit site.

Only recently did the court lift Levison’s gag order, at which point he could confirm what everyone had guessed: the FBI had been after Edward Snowden’s communications made through Lavabit.

Every American email service provider has a clause in its privacy and non-disclosure policies that indicates it may disclose information as necessary to comply with law. Some promise they will inform customers if or when authorities request that information.

Yet, as in the case of Lavabit and Snowden, a gag order often accompanies the request, making it illegal to tell the customer the government has requested access to the data. In these cases, the law wins, and the contract with the customer loses.

So, what do you do when presented with an FBI warrant for private data, which you believe to be unethical and even unconstitutional?

Email Providers Face a Serious Dilemma

There are two options:

1. You can fight these orders in court. However, smaller email service providers do not have the money on hand to fund an expensive legal battle and to pay “contempt of court” fees for non-compliance during the case. This lack of resources puts these companies at a serious disadvantage in their ability to push back. They have to give in.

2. You can give in and follow the letter of the request, but in a way that’s inconvenient for law enforcement. This buys time and can limit the scope of what the officers or agents can access. However, depending on the actions taken, it can also seriously hinder the email provider’s business.

For Lavabit, when law enforcement wanted Levison to hand over an encryption key that would have exposed not only Snowden but also his other customers, he decided to close shop. He did not have the resources to fight the government in court and could not guarantee the privacy and security of his users’ email.

The Privacy Predicament

It is egregious that the government’s requests in pursuit of Snowden were so broad as to impinge on the privacy of 410,000 other unrelated users of Lavabit’s service. This is blatantly unconstitutional. It would be as if the police received a warrant to wiretap one person’s phone line and then listened to all calls in the city that included that phone line. Though it may not be technically possible to narrow the scope down to the communications of a specific individual, this does not give the government the right to infringe on the privacy of everyone who happens to have a phone.

This affair with Lavabit and Snowden preceded the recent iPhone decryption issue, when the FBI tried to force Apple to put in a backdoor in iOS software, post facto, so it could decrypt an iPhone belonging to Syed Farook, responsible for the San Bernardino shootings in December 2015.

Apple pushed back in legal proceedings. The FBI dropped the case when it found a third-party to unlock the iPhone.

Although that legal battle ended, another fight has begun. The government wants cellphone providers to build in legitimate “second front doors” to encrypted devices, so that it can access them on demand with a court order.

This will jeopardize the privacy of average American citizens without making it significantly easier to catch the bad guys, who will inevitably get their unbreakable encryption elsewhere. Hundreds of companies outside the US offer secure encryption technology. These companies make it easy for people to get encryption outside the reach of American law.

If the fight for second front doors wasn’t enough, discouraging developments have worked their way through the courts, too. In June, a federal district court in Virginia ruled the federal government does not need a warrant to hack into an individual’s computer. Given the Fourth Amendment bars unlawful searches and seizures, it’s unlikely this ruling will hold up in appeal. Nonetheless, it speaks volumes for how the courts and governments view privacy and security.

The Fight Continues

It’s likely that many more court battles lie ahead as organizations and individuals go head-to-head with the government to argue their right to privacy.

Enter the Lavabit Legal Defense Foundation (known as LavaLegal for short). Lavabit’s founder Ladar Levison launched the nonprofit to help service providers avoid complying with unconstitutional requests, such as backdoors and handing over encryption keys. The nonprofit will operate on donations.

If LavaLegal receives enough funding, it can help small companies continue operating as usual while pushing back on perceived unconstitutional requests, until the courts can make decisions in their cases. For small businesses, this could be a lifeline that lets them continue operating while paying hefty legal fees.

By Erik Kangas

ADDRESSING BIG DATA CONCERNS THROUGH ANONYMIZATION

Addressing Big Data Concerns

Data privacy and security concerns have mounted in the last few years as the potential of Big Data is tapped and more effectively realized. The bits and bytes of our lives are, more now than ever before, tracked, recorded, and analyzed. And while providing insights both noteworthy and frivolous, it sometimes feels a little like we’re living in the Matrix as the information we consider personal and private is swiftly logged, categorized, and stored in colossal databases, no longer belonging solely to the individual but available to whoever is granted (or illicitly forces) access.

Data Security & Data Privacy

Though the concerns of data security and privacy are typically linked, they are two separate, although equally important, matters. Data security refers to the confidentiality and protection of collected data and involves the processes which ensure data is accessed only by those with the necessary authorization. It further warrants that the data being used is both accurate and reliable. When implementing data security plans, most organizations address the obligation of collecting only the required information, securing it during storage, and destroying that which is no longer needed. Data privacy, on the other hand, is the appropriate use of data which addresses organizations only collecting and using information according to agreed purposes and conforming to the regulations of the organization, the state, and the country. Organizations that collect data against an individual’s wishes, or sell it on without first seeking consent, are obstructing data privacy.

De-Identifying Personal Data

Government organizations, healthcare providers, financial institutions, and just about every other responsible organization collecting personal data are under pressure to implement adequate privacy and security policies. Increasingly, the de-identification (also termed anonymizing in the EU) of personal data before sharing it with marketers or research institutions is occurring, but this is not a foolproof strategy. Because so much data is available from such a variety of sources, it’s possible that individuals can be identified through combinations of personal attributes.

Fujitsu Laboratories Ltd. has recently involved itself in the protection of shared personal data, and CloudTweaks discussed the issues and potential solutions with Kouichi Ito, Research Manager of Fujitsu Laboratories Ltd.’s Cyber & Data Security Project. Says Ito, “To support the safe utilization of personal data, in Japan, the Protection of Personal Information Act is being updated. While technologies for de-identification processing are an important tool towards this aim, Fujitsu Laboratories posits that robust assessments of the risks associated with the data itself are indispensable for achieving secure anonymization.”

Some experts suggest that correctly anonymizing data is, in fact, a step further than de-identifying it as it removes all of the identifiable information from data and results in an assemblage of data that no longer requires protection, but instead offers only broad-spectrum data ideal for research and analytics.

New Technologies Addressing Concerns

Currently developing new technology that searches anonymized data for the most easily identifiable records and indicates problematic attribute combinations with a quantified score, Fujitsu plans the practical implementation of their solution for 2017. Says Ito, “Professionals in diverse fields, including marketing and health care, have an increasing demand to utilize personal data. Fujitsu Laboratories’ hope is that our new technology, by visualizing the privacy risks of personal data, will streamline the use of secure, de-identified data, thereby facilitating the co-creation of businesses among Fujitsu’s customers.”
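
To make the idea of scoring attribute combinations concrete, here is an added example (not Fujitsu's technology, whose method the article does not describe) that uses the standard k-anonymity notion instead: for each combination of quasi-identifiers it reports the smallest group size k and the share of records that are unique. The records, attribute names and function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample rows: names and IDs are already stripped, yet the
# remaining quasi-identifiers can still single people out in combination.
RECORDS = [
    {"zip": "94110", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "94110", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "94110", "birth_year": 1984, "sex": "M", "diagnosis": "asthma"},
    {"zip": "94110", "birth_year": 1990, "sex": "M", "diagnosis": "migraine"},
    {"zip": "94117", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
    {"zip": "94117", "birth_year": 1990, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "94117", "birth_year": 1975, "sex": "F", "diagnosis": "migraine"},
    {"zip": "94117", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")  # assumed attribute names


def class_sizes(records, attrs):
    """Count how many records share each value combination of attrs."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def score_combinations(records, quasi_identifiers):
    """Score every non-empty attribute combination, riskiest first.

    k is the smallest equivalence class (the data is k-anonymous for that
    combination); unique_fraction is the share of records that are the only
    member of their class and so can be singled out.
    """
    results = []
    for n in range(1, len(quasi_identifiers) + 1):
        for attrs in combinations(quasi_identifiers, n):
            sizes = class_sizes(records, attrs)
            unique = sum(1 for count in sizes.values() if count == 1)
            results.append({
                "attrs": attrs,
                "k": min(sizes.values()),
                "unique_fraction": unique / len(records),
            })
    results.sort(key=lambda r: (-r["unique_fraction"], r["k"]))
    return results


def riskiest_records(records, quasi_identifiers):
    """Return (index, risk) pairs, highest risk first; risk = 1 / class size."""
    sizes = class_sizes(records, quasi_identifiers)
    risks = [(i, 1 / sizes[tuple(r[a] for a in quasi_identifiers)])
             for i, r in enumerate(records)]
    return sorted(risks, key=lambda pair: -pair[1])


if __name__ == "__main__":
    for row in score_combinations(RECORDS, QUASI_IDENTIFIERS):
        print(row["attrs"], "k =", row["k"], "unique =", row["unique_fraction"])
    print(riskiest_records(RECORDS, QUASI_IDENTIFIERS)[:4])
```

On this sample, ZIP code and sex are each shared by four people, but ZIP code plus birth year already isolates three of the eight records, which is the combination effect the article describes.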

Thanks in part to governments recognizing the necessity of, and insisting on, high data security and privacy, organizations are working hard to mitigate the risks which characterize Big Data and the sharing of it. Few of us would deny the promise of Big Data analytics, but knowing our personal information remains private and secure makes it a far more exciting mechanism.

By Jennifer Klostermann

5 Things To Consider About Your Next Enterprise Sharing Solution

Enterprise File Sharing Solution

Businesses have varying file sharing needs. Large, multi-regional businesses need to synchronize folders across a large number of sites, whereas small businesses may only need to support a handful of users in a single site. Construction or advertising firms require sharing and collaboration with very large (several Gigabytes) files. Financial services or healthcare providers have stringent compliance requirements.

As a key stakeholder, your recommendation or decision impacts the degree of adoption of your file sharing solution, as well as the overall productivity of your organization.

To aid your vetting process, here are 5 things to consider when evaluating enterprise file sync and share (EFSS) solutions:

  1. Built for Businesses or Built for Consumers?

Many popular file sharing solutions were built for individual users. They onboarded tens of thousands of ‘freemium’ users before realizing that their freemium business models weren’t generating nearly enough revenue to justify their unrealistic valuations. So they went after businesses.

The needs of businesses, however, vary significantly from the needs of individual users. For freemium solutions, re-architecting from the ground up for businesses didn’t make a great deal of sense because the existing base of consumers still needed to be supported. Maintaining two separate platforms would have destroyed their already thin margins.

So these Consumer-first solution providers simply slapped an admin interface and a single sign-on process on top of their consumer solutions, and rolled out ‘for Business’ offerings. The result? A collage of individual user accounts.

All business information resides in someone’s account rather than in a centralized, managed repository. Control over information, by design, lies more with the content creator than with administrators. Searching for a document or running an audit requires searching individually through each user account. As you’d expect, this architecture does not scale.

Business-first file sharing solutions, on the other hand, are architected from the ground up for businesses. They possess a centralized content repository that is managed by administrators, eliminating content silos. They address numerous other limitations of Consumer-first solutions such as sub-folder level permissions, which we’ll discuss at length in future posts.

Key Takeaway:

If your small business has a handful of users and a single site, a Consumer-first solution may work out fine. Otherwise, opt for a Business-first file sharing solution. How can you tell? Look for the suffix ‘for Business’ or ‘Business’ in their names.

  2. Cloud, On-premises or Hybrid Storage – Do You Have Options?

Back in the day, files were stored and shared from file servers. Then came the cloud, and organizations began moving files to the cloud. But many organizations continue to use file servers, for reasons such as:

  • They have significant investments and massive repositories residing in in-house file servers. Moving everything to the cloud may simply not be viable in the near future
  • They deal with very large files that are impractical to store on the cloud due to the latency associated with synchronous, multi-user access over the Internet
  • They operate in highly regulated environments that impose stringent restrictions on the storage of sensitive information on the cloud

A cloud-only file sharing solution does not work for these organizations. An on-premises solution on the other hand requires sustained capital outlay (to support a growing content repository), and does not offer the flexibility and usability of cloud-based solutions.

If you’re faced with this conundrum, you need a Hybrid file sharing solution. Hybrid solutions allow access to content stored both in the cloud and in on-premises servers. They can synchronize content between the cloud and all your sites, as well as directly between any pair of sites without first syncing with a cloud. So every file can be accessed from every site (subject to applicable access restrictions, of course).

Key Takeaway:

Hybrid EFSS file sharing solutions are your safest bet. They protect both your cloud and on-premises file sharing investments and support the widest range of use cases.

  3. Will Your Confidential Information Be Secure?

When it comes to security, not all EFSS solutions are created equal. Because your employees, partners, customers, vendors and contractors are all potential users of your file sharing infrastructure, having bulletproof security and granular administrative control over user accounts is critical.

Here are some key requirements to consider when evaluating the security features of EFSS solutions:

  • Sub-folder Permissions: Unique user permissions for sub-folders are a table-stakes requirement for businesses. Take the example of a financial analyst who needs to be able to access all the sub-folders within the Finance folder, except Payroll. Your EFSS solution should allow an administrator to provision access to the Finance folder (and all its nested sub-folders) for the financial analyst, and then remove her access to the Payroll sub-folder. It is almost certain that your business will require role-based sub-folder permissions, and some EFSS solutions don’t support this feature. Beware!
  • Encryption: Your EFSS solution should allow content to be encrypted at rest (i.e. not in use), in motion (i.e. accessed over a network) and in use (when viewed or edited), with state-of-the-art encryption algorithms. It should support encryption with internally generated keys as well as with third-party encryption keys (e.g. from Amazon AWS CloudHSM or Microsoft Azure Key Vault).
  • Administrative Control over External Users: When employees share files with external collaborators – like contractors, vendors, partners and customers – is your confidential business information secure? If the EFSS solution requires external collaborators to use independent accounts (that are not managed by your administrators) to access your business information, then the answer is likely no. Choose a solution that provides complete administrative control over internal and external user accounts, including special limited-access accounts for external users and the ability to remote-wipe files on devices belonging to a user.
  • Retrieving Deleted Files: When a user accidentally or maliciously deletes important files, they go into a Trash folder. Is the Trash folder accessible to administrators? Or do the files go into a private Trash folder within the user’s account that is only accessible to the user? Businesses need EFSS solutions that offer a centralized Trash folder managed by administrators. So when a user deletes files, an admin can easily locate and retrieve them as needed.
  • Comprehensive Auditing: Your EFSS solution should provide comprehensive audit capabilities, including the ability to monitor logins, permission changes and user events for internal and external user accounts.
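
The Finance/Payroll scenario from the Sub-folder Permissions item, as an added example rather than any EFSS vendor's API: a small resolver in which a grant on a folder is inherited by its sub-folders until a closer entry overrides it, with every permission change recorded for audit. The `FolderAcl` class, its methods and the user names are hypothetical.

```python
import posixpath


class FolderAcl:
    """Hypothetical folder ACL: the nearest explicit entry on the path wins."""

    def __init__(self):
        self._entries = {}   # normalized folder path -> {user: True/False}
        self.audit = []      # permission changes, kept for later review

    @staticmethod
    def _normalize(path):
        # Collapse '.', '..' and repeated slashes, and fold case, so that
        # 'Finance/Reports/../Payroll' or 'finance/PAYROLL' cannot sidestep
        # a deny placed on 'Finance/Payroll'. Case folding assumes the store
        # treats folder names case-insensitively.
        return posixpath.normpath("/" + path.strip("/")).casefold()

    def _set(self, admin, user, path, allowed):
        node = self._normalize(path)
        self._entries.setdefault(node, {})[user] = allowed
        self.audit.append((admin, "grant" if allowed else "revoke", user, node))

    def grant(self, admin, user, path):
        self._set(admin, user, path, True)

    def revoke(self, admin, user, path):
        self._set(admin, user, path, False)

    def can_access(self, user, path):
        node = self._normalize(path)
        while True:
            decision = self._entries.get(node, {}).get(user)
            if decision is not None:
                return decision          # closest explicit entry decides
            if node == "/":
                return False             # nothing granted anywhere: default deny
            node = posixpath.dirname(node)


def build_finance_example():
    """Provision Finance for the analyst, then remove the Payroll sub-folder."""
    acl = FolderAcl()
    acl.grant("admin", "analyst", "Finance")
    acl.revoke("admin", "analyst", "Finance/Payroll")
    return acl


if __name__ == "__main__":
    acl = build_finance_example()
    for folder in ("Finance/Reports/2016", "Finance/Payroll/July", "HR"):
        print(folder, acl.can_access("analyst", folder))
    print(acl.audit)
```

Resolving against the normalized path is the part worth testing in a real product: a deny on Payroll that only matches the literal string is not a deny.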

Key Takeaway:

With security, there can never be too much. Security is as much about having complete visibility and control over your content as it is about preventing malicious attacks and theft.

  4. Will Your EFSS Solution Scale with Your Business?

In this digital age, we’re all generating more content than we ever did before. As your business grows, or as the number of employees accessing your EFSS solution expands, can your EFSS solution scale?

More specifically, can users sync several hundreds of thousands of files between their numerous devices and the cloud? Sync a 1.5 GB file in less than 30 minutes, upload 100,000 files to the cloud in less than 2 hours or download 15,000 files in less than 15 minutes? Be sure to ask for performance metrics and comparisons with other vendors before you make a decision.

Key Takeaway:

Select an EFSS that will not only meet your performance requirements today but also scale for your future needs.

  5. Will Your Business Be Compliant?

Depending on the industry or region it operates in, your business may need to comply with standards like EUDPD, ISO/IEC 27001, FINRA, HIPAA, 21 CFR part 11 (FDA) and SSAE 16.

Select an EFSS solution that complies with the regulatory requirements your business is subject to, and offers extensive audit trails to prove compliance.

Key Takeaway:

Being non-compliant with regulations applicable to the industry or region your business operates in can greatly damage your business. Choose an EFSS solution that meets your compliance needs, and offers deep audit trails to monitor and establish compliance.

By Rajesh Ram, Chief Customer Officer and Co-Founder of Egnyte.

As Chief Customer Officer, his charter is to maximize customer acquisition, satisfaction and retention. Rajesh works with Egnyte’s customers and internal teams to ensure that the comprehensive voice of the customer is reflected in the company’s corporate strategy and execution.

Previously, Rajesh held executive roles within Egnyte’s Product Management and Engineering functions. His strength in defining, delivering and supporting software solutions was developed while at Oracle, KPMG consulting and Valdero Corporation. Rajesh holds a BS in Engineering from the Indian Institute of Technology-Madras and received an MS in Industrial Engineering from the University of Minnesota.
