Companies contemplating moving their unstructured data to the cloud are often concerned with the security of the platform and the cloud provider: managing cyber-risk to protect digital assets. Contrary to those concerns, the evidence shows that the data centers and security processes of cloud providers are, in fact, far more hardened than any corporate data center. Largely removing this security concern has led to widespread adoption of cloud platforms, even as compliance departments question whether these platforms can meet industry and regulatory standards such as HIPAA, HITRUST, SOC 1 SSAE 16, SOC 2 AT 101, and ISO 27001 and 27018.
With the general consensus being that the cloud is secure, is there still exposure? What “digital assets” need to be protected? Does protection cause inconvenience or hamper productivity? In this article, we discuss the security hardening measures and data governance options that regulated industries should employ when engaging with cloud platforms.
Many of us remember carrying RSA SecurID fobs to access even a single file from the corporate network.
A lot has changed. With increased adoption, we see file shares on corporate data centers have migrated to various cloud-based platforms such as Box, Dropbox, Google Drive, Office 365 (SharePoint Online), and OneDrive. These technologies make it easy to access email, files, and other content from any device. All you need is an internet connection and a relatively recent browser.
Cloud data security was initially the main deterrent for cloud adoption. However, there is now consensus that cloud providers have data centers far more secure than most corporate ones. Timed administrator access, seismic protection, perimeter security, and geo-redundancy are some of the features contributing to the tide turning. In addition, user access to cloud providers and SaaS solutions can be further secured by an SSO product, which gives the perception of reduced risk.
But while this is great, it also brings increased risks beyond data center intrusion. These risks involve user behavior, data governance, and information leakage. One can argue that every email and every file is a digital asset. So why are security and compliance departments not mandating governance controls in this era of all too easy, VPN-free access to content and data?
The Inconvenience of Data Governance
Several cloud platforms provide governance mechanisms. However, in our experience these controls are seldom implemented, and we have heard common answers as to why. First, these controls inconvenience the end user, whose experience will then not be as simple as the personal cloud-sharing tools they are used to. Second, there is a perception that these enabling technologies should not be made restrictive because that is “old school”. Third, there is a lack of awareness of the controls that are available.
Yes, data leakage of insignificant data is relatively benign. But what about intellectual property, molecule development presentations, clinical trial information, meeting minutes with investors, or confidential internal memos?
Startup and mid-size companies are likely to use Exchange Online, SharePoint Online, OneDrive for Business, or Box. Regulated industries generally use products such as Intralinks (financial services) or Veeva (life sciences). However, not all content can be kept in these systems due to the restrictive nature of these products and the controls around them. Therefore, a lot of sensitive content is found on the O365 platform, and without proper controls it is all too easy to share, copy, duplicate, and send this content. Box and Office 365 (or SharePoint) provide defenses that report on and proactively monitor user behavior. Box also provides governance for data in four major areas: data retention, security policies, defensible eDiscovery, and compliance.
Office 365 In-Depth
If your unregulated content is in Office 365, you will need to invest in its administrative controls: Information Rights Management policies (IRM) and Data Loss Prevention policies (DLP) as part of the software’s Security and Compliance Center. A simple evaluation is available to determine the security score of your corporate tenant and its associated data risk. This score does not only focus on the platform itself. The tenant settings allow you to ‘declare’ your region and your industry. Doing so provides a Service Assurance (audited controls, associated reports, and trust documents) for the relevant industry and region.
In addition, strong data management features exist for controlling data storage and data lifecycle. Real-time monitoring of sharing and enforcement of policies, such as the ability to quarantine data, is also available via a DLP API, which allows organizations to connect DLP event data from Office 365 with third-party tools such as a security information and event management (SIEM) system. With Microsoft Azure Information Protection, you can add another layer of protection to the data you store in Office 365. The rules you set protect your files whether they are viewed using Office Online or downloaded to a user's device. Policies and encryption let you safely share files in email or OneDrive and safeguard confidential information.
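The DLP-to-SIEM integration described above, as an added example that is not code from the original article or from HighPoint Solutions: it flattens DLP rule-match records into one alert per matched rule and assigns a severity based on match volume, detection confidence, and whether the file is viewable by external users. The record shape is assumed to follow the Office 365 Management Activity API DLP.All schema (field names such as `PolicyDetails`, `ConditionsMatched` and `IsViewableByExternalUsers`); all sample values are constructed.

```python
import json

# Build a constructed DLP.All-style record (schema assumed; values invented).
def make_event(evt_id, workload, user, file_name, external, count, confidence, action):
    return {
        "Id": evt_id, "Operation": "DlpRuleMatch", "Workload": workload,
        "SharePointMetaData": {"From": user, "FileName": file_name,
                               "IsViewableByExternalUsers": external},
        "PolicyDetails": [{"PolicyName": "Clinical Data", "Rules": [{
            "RuleName": "PHI detected", "Actions": [action],
            "ConditionsMatched": {"SensitiveInformation": [
                {"SensitiveType": "<sensitive-type-guid-placeholder>",
                 "Count": count, "Confidence": confidence}]}}]}],
    }

# Constructed sample feed, as the JSON a collector would pull from the API.
SAMPLE_EVENTS = json.dumps([
    make_event("evt-1", "SharePoint", "alice@example.com", "trial-results.xlsx", True, 120, 85, "BlockAccess"),
    make_event("evt-2", "OneDrive", "bob@example.com", "notes.docx", False, 2, 65, "NotifyUser"),
    make_event("evt-3", "OneDrive", "carol@example.com", "memo.docx", False, 40, 90, "NotifyUser"),
])

def classify(external, count, confidence, min_count=10, min_confidence=75):
    """External exposure is at least 'medium'; a high-confidence bulk match is
    'high'; both together is 'critical'; anything else is 'low'."""
    bulk = count >= min_count and confidence >= min_confidence
    if external and bulk:
        return "critical"
    if bulk:
        return "high"
    return "medium" if external else "low"

def to_siem_alerts(raw_json, min_count=10, min_confidence=75):
    """Flatten DLP rule matches into SIEM-ready alert dicts (one per rule)."""
    alerts = []
    for ev in json.loads(raw_json):
        if ev.get("Operation") != "DlpRuleMatch":
            continue  # ignore DlpRuleUndo / DlpInfo and other operations
        meta = ev.get("SharePointMetaData", {})
        external = bool(meta.get("IsViewableByExternalUsers"))
        for policy in ev.get("PolicyDetails", []):
            for rule in policy.get("Rules", []):
                hits = rule.get("ConditionsMatched", {}).get("SensitiveInformation", [])
                count = sum(h.get("Count", 0) for h in hits)          # total matches
                confidence = max((h.get("Confidence", 0) for h in hits), default=0)
                alerts.append({
                    "event_id": ev["Id"], "workload": ev.get("Workload"),
                    "user": meta.get("From"), "file": meta.get("FileName"),
                    "policy": policy.get("PolicyName"), "rule": rule.get("RuleName"),
                    "action": ",".join(rule.get("Actions", [])),
                    "matches": count, "confidence": confidence, "external": external,
                    "severity": classify(external, count, confidence, min_count, min_confidence),
                })
    return alerts
```

In a real deployment the collector pulls content blobs from the DLP.All subscription and forwards the returned dicts to the SIEM; the thresholds should match the confidence levels configured in the tenant's DLP rules.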
Data Governance and Compliance as a Service
Choosing and implementing a full set of controls is by no means a quick exercise. It starts with understanding the types of content users generate, and with talking to compliance officers to determine appropriate rules and the staffing needed to execute a governance plan.
Are you using Office 365 or Box? Are you considering these platforms as a replacement to traditional file shares or on premise SharePoint? Do you have visibility into the various collaborative tools that may be in use within your organization?
HighPoint Solutions offers the following set of services to help guide you through security, data governance and compliance:
- Achieve a target Security Score for your O365 Tenant
- Configure your Tenant with the appropriate region, industry and Trust settings
- Define Sensitive Information Types
- Assist in creating a data governance committee and outline roles and responsibilities
- Set up DLP Policy Templates and implement them
- Set up IRM Policy Templates and implement them
- Manage eDiscovery holds and retention policies
- Set up Reporting and Dashboards to monitor compliance activities
- Set up and configure partner toolsets to monitor and manage data loss
We can share our experiences on how we implemented IRM, DLP, and eDiscovery for various life science organizations. We can show you why Office 365 (Exchange, SharePoint, and OneDrive) can be a safer choice to store unstructured data, but only when properly governed and integrated with a device management strategy. We can help you define and achieve the compliance requirements and certifications these cloud-based platforms offer.