The workplace is never static. Developments include the widespread use
of public cloud storage services like Dropbox and the growing use of virtual
servers. Cloud-based storage is vital to businesses, so data protection must
continue to evolve to meet these changing realities. Organizations need to
extend their data protection policies to focus on securing the data wherever
it’s stored and not just securing particular devices. This paper explores
developments in data protection and how our SafeGuard Enterprise solution
can help you protect data everywhere.
On The Network, Cloud And Virtual Servers
Data protection everywhere
We live in a world where data can be stored and accessed anywhere. This requires an evolution in the way we view data protection. Ultimately, the “where” doesn’t matter. What’s important is that your data is securely encrypted, independent of its location. Your data protection strategy can't focus solely on encrypting laptops, desktop computers and USB devices. Instead you need to enable encrypted data to move seamlessly between storage locations, secure from prying eyes but immediately accessible to those who need it.
At Sophos we see three main developments in the data protection environment:
• Securing data in cloud storage services
• Securing central file shares
• Securing virtual servers
This paper explores each of these and looks at how SafeGuard Enterprise can help you protect data everywhere.
Securing data in cloud storage services
Cloud storage services like Dropbox, Google Drive, Egnyte or Microsoft’s OneDrive are useful tools that let people access their files from anywhere, on any device. They’re great for collaboration and productivity. But if the data’s not encrypted before being uploaded to the cloud, these services have the potential to undo all your on-premise data protection efforts. Here are four main risks posed by cloud storage services:
1. Accidental data loss: Users can share sensitive information stored in the cloud with anyone, opening the door to common errors such as sending the link to a document to the wrong person.
2. Data theft: Hackers know that cloud storage services are modern day pots of gold, making them a common target for attack. Of course, all reputable cloud storage services take security very seriously. However, users themselves create easy theft opportunities, such as by using simple passwords for their cloud storage accounts rather than the complex hard-to-crack ones that are enforced within your organization.
3. Storage provider vulnerabilities: Cloud storage providers have full access to your data and control where it is stored, making your data subject to security and technical issues with the providers themselves.
The solution: SafeGuard Encryption for Cloud Storage
The simple way to secure data is to encrypt files before they're uploaded to the cloud from any managed endpoint. But it’s important to do so in a way that's seamless to your users, doesn’t slow them down, and allows them to access the encrypted data from anywhere, including their Android and iOS devices.
SafeGuard Encryption for Cloud Storage does just that. It automatically and invisibly encrypts data as it’s uploaded to the cloud storage service. And you can manage it through your current SafeGuard Management Center—minimizing the administrative overhead.
It’s straightforward for your users too. If they access files from their local computer holding the encryption key, the files are decrypted automatically. And if they access a file from another computer or device they simply need to enter the password they set at the start to be able to read it. Without the proper encryption key or password, SafeGuard-protected files can't be accessed by unauthorized users or hackers.
SafeGuard Encryption for Cloud Storage in action
1. Bob creates document on his laptop in the office.
2. Bob uploads encrypted file to the cloud, creating a password to access the file.
3. Bob tells Paul the password.
4. Paul accesses the file from his hotel room (using the password).
5. Paul edits the document and then uploads the encrypted file back to the cloud storage service.
6. Bob accesses the file on his work laptop from home (no password needed—his PC already has the keys).
7. Bob makes final edits to the document.
8. Paul reviews the final edits on his iPad in the taxi (using the password).
9. Paul and Bob present the final document to their senior management team.
Result: They’ve been able to collaborate effectively from any location, while ensuring their
Securing network file shares
Consider the following scenarios:
Scenario 1: Your R&D manager is working on a new concept document. He works on his SafeGuard-encrypted laptop, so the file is secure. But then he uploads it to a network file share for colleagues to review and in doing so he inadvertently decrypts the file.
A colleague then sends the document as an email attachment to a third party, killing your competitive advantage.
Scenario 2: Your company’s being acquired and the HR team is working on a confidential new resourcing plan. The files are stored on the HR team’s area of the file share, which only they and the system administrator have access to. The system administrator opens the file and learns that major cuts to the IT team are planned. This leads to widespread concern in the department, impacting output and productivity.
Of course, systems administrators need access to your file shares to keep your business running. But they don’t need access to the content of the files and folders.
Today’s technologies exacerbate the challenge. It’s no longer just a case of who can see the content of your files, but also where they can send it. Developments such as 4G and the widespread availability of high-speed Internet connections make it possible for individual users to upload huge datasets and share them across the globe in an instant.
The solution: SafeGuard Encryption for File Shares
Securing virtual servers
Public cloud providers, such as Amazon EC2, are a cost-effective way to host virtual servers. They eliminate the management overhead of traditional IT hardware options. And it’s a good bet that they provide a better level of backup and disaster recovery than many organizations could manage internally.
The downside is security. First you need to consider how secure your data is in the cloud. If your provider is compromised or has rogue employees, data can get into the wrong hands. And if you want to switch virtual providers, can you be sure that your data is no longer stored with the former provider?
The solution is to encrypt the data, so that it doesn’t matter if the data gets into the wrong hands because it can’t be accessed. But that leads to the second challenge, which is how to do it. If you have a third party managing your encryption keys, this is a clear vulnerability in your data protection strategy. And if they only encrypt the data after transmission to the virtual server, it’s open to being sniffed in transit.
The solution: SafeGuard Encryption for File Shares
With SafeGuard Encryption for File Shares your virtual server becomes simply an extension of your network file share. It automatically, invisibly encrypts data before it’s transferred to the cloud. And it’s all managed through your SafeGuard Management Center.
SafeGuard Encryption for File Shares uses the same key management as other SafeGuard Enterprise modules—you manage and control everything. No need for middle men or involvement from the virtual server provider. You’ll keep your data safe and have the flexibility to switch providers without worrying about potential breaches.
The regulatory implications of data protection everywhere
Some data protection requirements have global reach, such as PCI compliance. Other legislation affects you depending on your geography or industry (e.g., EU legislation, Australian Privacy Act, HIPAA for U.S. healthcare organizations). Cloud storage adds to the complexity. For example, the data might not even be stored in your home country.
Whichever regulations you need to comply with, you have to include data in the cloud and on file shares in your data protection strategy. Regulators don’t care where the data’s stored. What they want to know—and what you need to demonstrate—is that it’s secure at all times independent of its location.
By securing data in the cloud and on file shares with SafeGuard Enterprise you are able to demonstrate easily that your data is protected and prove your compliance at all times. Even if the files fall into the wrong hands they are always encrypted so they can’t be read, which delivers seamless and transparent data protection that is independent of storage location.
Additional data security controls
Encryption may be the core element of your data protection strategy, but there are other steps you can take to enhance your data security.
1. Apply URL filtering to control access to unauthorized cloud storage websites. You can also decide to permit access on a case-by-case basis with multiple profile settings, so that selected users retain access and others are denied it.
2. Use application controls to set policies for the entire company or specific groups to block or allow particular applications. In the case of most commercial cloud storage vendors, application controls can prevent people from installing and running the vendor's application.
3. Enable easy email encryption with “encrypt email” as an option in users’ Outlook toolbars, so they can quickly encrypt sensitive emails and attachments with just a click.
4. Enforce data loss prevention (DLP) controls for email. Automatically scan the content and attachments of emails for sensitive data such as credit card numbers or personally identifiable information. Then automatically alert the sender that the message has sensitive information. Based on rules you create, you can block or quarantine the message for approval or encrypt the message before it leaves your network and control.
5. Implement mobile device management to ensure that all company or BYOD devices meet your security requirements before they're allowed to access corporate data or email. Enable remote lock and wipe in case of loss or theft plus enforce built-in security features such as passcodes and device encryption.
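The email DLP control in item 4, sketched as an added example (not Sophos code and not part of the original paper): it scans a message body and its text attachments for card numbers, uses the Luhn checksum to discard look-alike digit runs, and maps the result to an action. The internal domain `example.com`, the `quarantine_at` threshold, the action names and the sample message are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# 13-19 digits, optionally split by spaces or hyphens, not part of a longer run.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")

def luhn_ok(digits):
    """Luhn checksum: rejects order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_cards(text):
    """Return masked matches (last four digits only) so logs never hold full numbers."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found

def evaluate(raw_email, internal_domain="example.com", quarantine_at=3):
    """Hypothetical rule set: alert on internal mail, encrypt or quarantine outbound."""
    msg = message_from_string(raw_email)
    texts = [msg.get("Subject", "")]
    for part in msg.walk():  # covers the body and text attachments alike
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    matches = find_cards("\n".join(texts))
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = any(not a.lower().endswith("@" + internal_domain) for _, a in rcpts)
    action = ("allow" if not matches else "alert" if not external
              else "quarantine" if len(matches) >= quarantine_at else "encrypt")
    return {"action": action, "matches": matches}

# Constructed sample: well-known test card numbers plus a 17-digit order number.
SAMPLE = (
    "From: bob@example.com\nTo: Paul <paul@partner.example>\nSubject: Q3 refunds\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n"
    "Order 20130915000012345 refunded to card 4111 1111 1111 1111.\n"
    "--b1\nContent-Type: text/csv\n\nid,card\n7,5500-0000-0000-0004\n--b1--\n"
)
```

Calling `evaluate(SAMPLE)` flags the two card numbers, ignores the order number, and returns the `encrypt` action because the recipient is outside the assumed internal domain.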
© Copyright 2013. Sophos Ltd. All rights reserved.
Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are