Closing the Consumer App Security Gap
Security administrators know that external threats are just one of the vulnerabilities they must control. However, internal sources (read: employees) are often a bigger threat.
There's no greater evidence than the growing, unauthorized use of free consumer applications in the enterprise. Employees frustrated by limited IT budgets and lengthy project queues for simple functionality are turning to free consumer applications, especially for document storage. This poses a security red flag like no other.
The application vendors themselves tout how documents will remain "safe and secure" on their servers. That's not the security problem. The problem is that employees are using these services to store and share documents -- often confidential or sensitive documents -- that should remain on premises.
These risky services are easy to set up. Employees need no credit card, just a browser and Internet connection.
How fast are these services -- and these problems -- growing? Gil Zimmermann, CloudLock CEO and co-founder, put it succinctly: "It's huge and growing."
He confirms that the consumerization of IT is real and that many enterprises do understand "that they need to embrace the latest consumer offerings rather than block them for several reasons, the primary of which is end-users demanding tools that increase their efficiency and collaboration, those they're familiar with already, and are readily available." Such consumer services democratize IT, giving end users "far greater control," and Zimmermann praises their ability to increase "the speed of business."
"The down side is that the liability and corporate duty to protect sensitive data cannot be democratized. It's still the businesses' responsibility to secure their data and their customers' data, regardless of the IT tools being used by the organization."
Robert Hamilton, senior manager for product marketing, data loss prevention at security giant Symantec, is more cautious but no less concerned. "We don't really know how big this problem is, but what we do know is that the majority of employees who leave their jobs take confidential data with them (59 percent) and file sharing services make it very easy to transfer large amounts of confidential data to a repository that is easily accessed or shared in the future.
"Having file transfer capability opens up a whole new avenue for 'saving' confidential data -- and unless the employee is monitored with a product such as data loss prevention (DLP), the company may never know such transfers are occurring."
Zimmermann points out that cloud is just one of three vulnerable areas imposed on the enterprise from the consumer realm. In addition to cloud storage from desktops, consider the rise of smartphones, making mobile document storage a similar threat. Furthermore, "e-mail is outdated," he says, and "the new generation of knowledge workers is growing up with social networking as their primary communication and collaboration platform. Asking them to forgo it when they come to work is an artificial productivity barrier."
At least many enterprises aren't taking a "head-in-the-sand" approach to the problem. Zimmermann says that cloud and SaaS providers are helping educate IT about viable alternatives, citing Google Apps (Gmail, Docs, Sites, Google+) as one example of consumer apps for business to which enterprise controls and compliance can be added on, which is where his company's CloudLock comes in.
Why isn't IT taking a more active role in proactively enabling an enterprise cloud-storage solution? One problem for many enterprises is that security is among the greatest concerns preventing them from adopting cloud storage -- at least according to 81 percent of IT decision makers surveyed by Nasuni, an enterprise storage company, back in November. Control over data was the second highest concern (at 48 percent). These two problems were listed consistently across industries, which included "business services, education, financial services, government, health care, manufacturing, and software and telecommunications."
What steps should IT admins take to better protect their enterprise's assets?
Paul Madsen, senior technical architect within the Office of the CTO at Ping Identity, says there's not much enterprises can do beyond blocking the consumer-service sites to prevent employees from signing up. However, visibility is one key to regaining control.
For the enterprise, Madsen says IT should look for more powerful solutions that control document sharing applications installed onto devices, including bring-your-own devices (BYODs).
"However, if the document-sharing SaaS application was to only accept single sign-on (SSO) as the authentication mechanism (i.e., not accept individual sign-ups), then the enterprise would have greater visibility (through audit and logs, for example) into what documents the employees were uploading. In addition, the enterprise would be able to enforce roles-based access control of those docs if employees were SSOing in to the SaaS applications. Enterprise would also be able to kill access if an employee leaves, which is vitally important whether the employee's termination is voluntary or via dismissal."
Oded Valin, product line manager at Cyber-Ark Software, points out that "IT and security [admins] are using data loss prevention tools (DLP) to inspect each file being transferred." Unfortunately, Valin admits, "this does not ensure the secure transfer of sensitive files once in transit. By integrating secure file exchange processes with DLP and scanning tools, file exchange can be secured end-to-end."
Symantec's Hamilton is also a DLP proponent. "The problem could be on IT's radar, even if they don't have DLP. Many organizations have Web monitoring and filtering capability and with this they can get a rough idea of whether these file transfer applications are being used and how often they are used. However, unless they have DLP they would not have visibility into the content that was being sent to these file sharing sites."
On Hamilton's list of best practices: First, "use data loss prevention to monitor who is sending data to these sites and what type and content they are sending." You also need to put "DLP policy (controls) in place that limit a user's ability to transfer confidential data to these file transfer sites. The idea is not to blacklist these sites but to use 'content-aware' monitoring. After all, there may be legitimate business uses for these sites, and IT does not want to get in the way of legitimate use."
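As an added illustration of the distinction Hamilton draws between Web-filter visibility (who uploads where, and how often) and content-aware DLP control (block only sensitive content, never the site itself), here is example code written for this page, not Symantec's or any vendor's product; the upload records, host names and sensitive-content patterns are all constructed.

```python
import re
from collections import Counter

# Constructed upload records, as a proxy integrated with a DLP inspector
# would log them (user, destination host, bytes, inspected text excerpt).
UPLOADS = [
    {"user": "alice", "host": "dropbox.example", "bytes": 4812330,
     "excerpt": "Q4 board deck - CONFIDENTIAL - do not distribute"},
    {"user": "alice", "host": "box.example", "bytes": 918220,
     "excerpt": "Friday team lunch menu"},
    {"user": "bob", "host": "intranet.example", "bytes": 2210,
     "excerpt": "customer export: 4111-1111-1111-1111"},
    {"user": "carol", "host": "dropbox.example", "bytes": 73000000,
     "excerpt": "customer export: 4111-1111-1111-1111"},
]

# Consumer file-sharing destinations (assumed; a web filter's URL category
# database would normally supply this list).
FILE_SHARING_HOSTS = {"dropbox.example", "box.example"}

# Content patterns a DLP policy keys on (constructed for the example).
SENSITIVE_PATTERNS = {
    "confidential-label": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
    "card-number": re.compile(r"\b(?:\d{4}-){3}\d{4}\b"),
}

def usage_by_user(uploads):
    """Web monitoring alone: how often each user uploads to file-sharing
    sites. A rough picture of use, with no visibility into content."""
    counts = Counter()
    for u in uploads:
        if u["host"] in FILE_SHARING_HOSTS:
            counts[u["user"]] += 1
    return dict(counts)

def classify(text):
    """DLP content inspection: names of the sensitive patterns found."""
    return sorted(n for n, rx in SENSITIVE_PATTERNS.items() if rx.search(text))

def apply_policy(uploads):
    """Content-aware control: block only sensitive content bound for a
    file-sharing site. Clean content to the same site is allowed (the site
    is not blacklisted); sensitive data to an internal host is reported."""
    decisions = []
    for u in uploads:
        hits = classify(u["excerpt"])
        block = bool(hits) and u["host"] in FILE_SHARING_HOSTS
        decisions.append((u["user"], u["host"], "block" if block else "allow", hits))
    return decisions
```

Note that alice's lunch menu bound for the same file-sharing host as her confidential deck is allowed, which is exactly the "content-aware, not blacklist" behaviour Hamilton describes.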
Is that enough?
"I'd go further. IT needs to get in front of the problem, now. Yes, DLP is a good option," and Valin says by using the Cyber-Ark product, "enterprise policies can be defined [that] are flexible enough to satisfy the varying business processes within an organization. By pre-defining segregation of duties, every access is being controlled and audited, while business users have a variety of interfaces to choose from to access the files anywhere, anytime."
Valin says that tools such as Cyber-Ark's sensitive information management suite can provide that surety. "The solution is based on a secure digital vault for storing the sensitive documents where IT cannot access the content of the files but can still audit activities and integrate it with content filtering solutions."
However, let's not forget that these consumer apps typically offer an enterprise version, and it would be wise for IT to give business users a simple-to-use solution that can be deployed quickly. For example, Box claims on its Web site that "over 100,000 companies -- including 82 percent of Fortune 500s -- rely on Box to access, share and manage critical content."
In a drive to improve business collaboration using the cloud, Hewlett-Packard (HP) is offering Box's "cloud content-management and collaboration platform on select small and midsize business and enterprise PCs." HP says Box offers 99.9 percent network up time, SSL encryption, configurable permissions, and redundant storage. It constantly monitors production systems and makes "ongoing threat assessments."
Dropbox for Teams is Dropbox's enterprise equivalent, though the company's Web site doesn't explain what "admin controls" are offered. Another option: Central Desktop lets users share documents in the cloud; its Enterprise Edition's Security Pack provides more granular security to comply with everything from corporate governance to HIPAA.
-- James E. Powell
Editorial Director, ESJ
Posted by Jim Powell on 01/30/2012