All posts by tomgrave

Things that go bump in IT: Eliminate shadow IT nightmares to improve compliance and governance

Lurking in the background of any IT manager’s nightmares is the spectre of shadow IT. Shadow IT can be described as hardware or software used in an enterprise that is not supported by the enterprise. The negativity of the term is justified because it implies that employees are using technology without the knowledge or approval of the IT department – a recipe for disaster.

The risks of shadow IT are well-known and have the potential to damage a business’s ability to function effectively. Even so, organisations still need to warn employees about the dangers of using software that is not supported by the business.

In recent years, shadow IT has increased with the use of software by employees who have bypassed company IT rules. With the increasing use of cloud applications such as Slack and online business tools such as Skype to encourage faster and more effective work, the risk of employees using shadow IT has increased. Technology developments such as BYOD (bring your own device), while providing significant benefits and fulfilling a specific business requirement, have also bred the rise of third-party providers in the workplace, without the blessing of corporate IT.

The most obvious risk posed by shadow IT is the security lapse it enables. Without the IT department’s knowledge, unapproved applications can quickly lead to security breaches. Software needs to follow the protocols set out by the organisation’s IT department because, without this compliance and oversight, negative consequences begin to arise. For example, sharing or passing data outside the corporate firewall to external users or collaborators, where data governance and compliance can’t be assured, presents a clear business threat. In addition, corporate bandwidth can be diminished by data travelling on the network that IT managers are unaware of.

Much of the attraction of unsupported software is that employees find it simple and quick to be productive using such tools. The intent is therefore not malicious because the initial impetus for utilising software that doesn’t conform to company IT policy is the desire to work effectively. However, this ends up being counter-productive and diminishes the employee’s efficiency in the long run because employees are threatening the organisation’s security and compliance status and creating fragmentation in the types of software used by different people within the business.

Negating these risks and eliminating shadow IT requires a close understanding of the business’s challenges and the employee’s needs. Both must go hand-in-hand so that employees’ initial motivation to seek out unsupported software is removed because they already have access to approved tools that are attractive to use.

This is CTERA’s mission – to provide a platform that offers leading security, governance and authentication tools, to ensure that whatever a user chooses, IT mandates for security, governance and compliance are adhered to. CTERA serves as a central control point to diminish, and eventually eliminate, shadow IT use and increase organisational compliance. 

Even though organisations aspire to implement the tightest security models, if users fail to adopt the technologies that IT sanctions, there can be no security, no governance and no compliance. Businesses need to find the right balance between control and user enablement, and they are seeking solutions that enable them to do so.

Overall, there needs to be greater awareness among organisations that there are alternatives to the OneDrives and Dropboxes that can make users happy while tackling the challenges of keeping organisations protected. There are clear roles for IT departments and for individual users of hardware and software in the workplace. Successful businesses of the future will be those that understand this new reality, and have implemented IT policies that benefit the organisation and allow employees to flourish while working effectively. This will mean providing file sharing, storage and protection tools in a form that users like, that benefits the employer and that allows peace of mind for the IT department.

How to tackle changing cloud security threats: A guide

IT workers face a serious challenge when it comes to file sharing. In one corner is corporate governance which seeks to protect businesses and prevent cyber-attacks. In the opposite corner are end users who want to work more efficiently – collaboratively – by sharing or saving files.

The best way of ending this conflict is to find middle ground. In attempting this resolution, enterprises need to find the right balance between IT security and governance on one side and the needs of employees on the other. To ensure cloud protection when storing or sharing files, businesses need to provide end-to-end encryption, data residency control, authentication of internal and external collaborators and a good user experience.

The first key aspect is providing end-to-end encryption. The encryption can only be successful if it is latency-free, which ensures performance isn’t adversely affected. The enterprise also needs ownership of the keys in order to implement the encryption successfully.

Although some companies will have a positive view of a service provider managing security keys, as it reduces the stress of managing this function, there are downsides. A third-party provider may be required to hand over data to a government, so the enterprise loses control of the security of the document.

Is there any halfway option that avoids this loss of control? One way is to give only the owner of the encryption keys the ability to decrypt the keys used on the public service. With this model, they own the hardware and the keys.

Yet another option is to keep the hardware on-site. This means the data and metadata are on site, which provides peace of mind to organisations for whom security is a major priority.

In summary, the route picked by any organisation is determined by the approach that best suits its business. While some companies may prefer owning the keys due to their size and the flexibility it offers as the business changes, others will be content to hand over control to a third party. The strategy will therefore be decided by the degree of control required and capacity to adapt.

The second aspect is having 100% data residency control; a necessity that no organisation can bypass. As we see an ever-increasing layer of regulations put in place, at a national and regional level, data residency has become more important.

The issue is more prominent in Europe, in particular the 27 member states of the EU, although data residency is a worldwide factor. Many international companies aim to standardise on one single solution. Conforming to international laws is a requirement for a company with multiple offices in different regions. So, a US company with offices in Europe will need to conform to UK laws as well as those of the EU. In the US itself, interstate laws may also apply. In Europe, some countries require data to be kept in the country where it was created.

To complicate matters further, different types of data have different requirements, which determine where that data can be hosted and the approach that needs to be taken. An enterprise may require two solutions, or just one that enables it to comply for all kinds of data.

As regulation change is inevitable and regular, enterprises should own data storage or have control over residency. Having the agility to adapt to changing regulations can only benefit companies. Regulation change needs to be carefully considered and included in strategic planning by enterprises, allowing themselves a degree of latitude as circumstances change.

The third aspect is putting in place advanced authentication for internal collaborators. To minimise the risk of passwords being hacked, one solution is two-factor authentication. Users risk leaving themselves open to hacking and breaches by reusing the same passwords and passwords with only minor variations. To avoid this vulnerability, two-factor or multi-factor authentication should be used.

The fourth aspect is authenticating external collaborators. There are inherent risks with this area of authentication. Inevitably, sharing data with external partners, suppliers and clients is crucial for business success. IT needs to play a key role in controlling what is being shared, with whom and how information is being shared. In addition, IT needs to know how long data is being shared for, and it must control sharing permissions, which can be stopped when required. There are many examples of how sharing data and access to files can lead to security risks. One example is of participants in a webinar being given continued access to a shared company folder for over five years. During that time, the company ownership changed but access to shared information remained the same.

The reason this factor is of greater importance is the risk of intellectual property being lost to a third party. When working with a third party on projects, sharing data happens frequently. Safeguards need to be in place so that all parties know who has rights to access or share specific information and what the terms and conditions are for that access. IT needs to provide the relevant tools to enable individuals to manage permissions. The security team’s role is to be aware of all the data being shared at any given point.

When collaboration occurs between internal enterprise users, one is safe in the knowledge that risks are to some extent contained, as the data rests within corporate boundaries. However, in many instances these days, IT must meet the needs of external collaborators for outsourced projects and work with contractors, designers and others.

The bigger challenge for IT is how to ensure confidentiality and data integrity outside of its control. In order to achieve this, enterprises need to have in place robust authentication policies for collaborators and have a complete view of permissions granted.

The final aspect is providing user-friendly file sharing services, which come with risks to an organisation’s confidential and sensitive data. The increase in collaboration and the change in employees’ behaviour can severely impact businesses. Enterprise-controlled secure file sharing must offer attractive advantages so that users switch from the file sharing methods they currently use.

Enterprise users have the ability to use convenient file sharing services such as Google Drive or Dropbox. These tools allow users to access files anytime, on any device, at any location and make changes in real time. The challenge for organisations is to implement enterprise file syncing tools and policies before users start using unauthorised solutions. This is only part of the solution. Companies need to remember that simply dealing with file sharing and not addressing the entire file data challenge will lead to problems in the long run. What is required is a solution which creates fully secure workplace collaboration.

Ensuring the user experience of the service is as good as a service such as Google Drive is crucial. If it isn’t, users will simply not want to switch over. Users have an expectation level of file sharing services that must be matched by enterprises so that users can migrate onto more secure platforms.

When it comes to creating a file sharing strategy alongside a virtual desktop approach, it is inevitable that the user experience has to be better than the laptop experience for it to be successful. For file sharing, the strategy must deliver what users regard as an accepted standard. One way of ensuring this happens is to enable more capabilities.

One successful technique is to have a file sharing capability which is faster and provides data protection and backup, while at the same time enabling remote office and branch NAS. This will achieve the twin objectives of creating a secure environment for the enterprise and maintaining a high level of user experience.

In summary, the techniques outlined here are essential components in the aim of achieving total security in the cloud. They enable the IT organisation to do its job effectively and ensure stable business continuity for the enterprise.