Pop quiz time. What’s more secure: financial records locked in a filing cabinet or financial records stored in the cloud?
If you don’t understand how cloud security works, you probably said the filing cabinet. It’s time for a little mythbusting about how secure your paperless office could be.
Last week, Cindy Bates posted on the Microsoft SMB Blog about the benefits of a completely paperless office. As Delta Airlines did when it recently switched to the paperless cockpit, any office or organization can ditch the dead trees and move entirely into the digital space.
One of the first questions decision makers ask when considering the paperless office is “how secure is this?” It’s a fair question, so let’s consider Delta’s paperless cockpit example and overall data security.
The problem with paper is that, well, it’s paper. Paper gets lost, it burns, it can be misfiled and disappear. It’s only as secure as its physical location. Even if that location is a locked filing cabinet (or a vault under Fort Knox), someone who really wanted to get to it could.
A file in the cloud cannot burn, be stolen, be accidentally left behind in a restroom, or suffer any number of other things that could affect a hard copy of important information. For a recent example, take a look at the Internet Archive, whose scanning facility in San Francisco recently caught fire. Although no data was stored in their San Francisco office, if it had been, cloud redundancies would have prevented any loss.
But what about a data center, such as what powers Windows Azure or Office 365? Let’s start with physical security: data centers are monitored 24 hours a day, 365 days a year. A team of ninjas could, in theory, break in, but they’d still have to know which of the thousand machines contained your exact data—so unless you’ve upset the cast of Ocean’s 11, it’s significantly less likely than an office fire that could destroy physical data.
In addition, with Office 365, data transmitted across networks is encrypted—so if some agency (or other villain) happens to tap the wires, they still won’t be able to read your files.
While a move to a paperless office does not entirely guarantee data security—there are still those ninjas to think about—it is significantly more secure than leaving your information in paper form, where it could be destroyed or stolen with greater ease.
“Cybersecurity is definitely no longer a server room issue,” says David Finn, Executive Director at the Microsoft Cybercrime Center. “It’s a boardroom issue.” He notes that on average, it takes 243 days before an organization even knows that it was penetrated by a cybercriminal.
Today, when one in five businesses are the target of a security breach, bad things are inevitably going to happen. That’s why looking at your organization from “the bad guy’s perspective,” says Tiffany Rad, is crucial. Rad is rated one of Bloomberg’s top “white hat” hackers (computer specialists who break into protected networks to test security and advise organizations on improvements).
One of the most difficult things in Rad’s industry is protecting against insider threats. But she notes there are products entering the market that have “an algorithm to check for abnormal patterns, when it looks like someone’s going to sites perhaps that they shouldn’t be during working hours or they’re on different hours than normal.”
In terms of external threats, there’s a lot of attention on protecting businesses as they move to the cloud. Ken Biery Jr., Verizon’s Managing Principal of Governance, Risk and Compliance, explains that it’s important to provide physical and logical security. Rad agrees, noting that in addition to firewalls and antivirus software, protection against malware is critical as more and more hackers look to steal intellectual property to give themselves or your organization’s competitors a heads-up on what your organization is planning.
You’re “only as safe and secure as your weakest link,” says Finn, admitting that when you rely on the cloud, “you trust that an organization is going to invest enormously in your security.”
But, as Biery sees it, “the good thing about a lot of the cloud providers that are out there is their default security, and the security they built into their environments are often better—especially for small and medium businesses—better than what they could do themselves.”
Biery also points out that companies need to stay in control with the advent of BYOD (Bring Your Own Device). With mobile device management, “you can take and keep your sensitive information in an encrypted container on that employee’s phone. So it kind of exists as its own virtual machine in that environment,” he says, explaining that you can delete access and the encrypted container without affecting personal data such as photos.
The bottom line, agree the experts, is that companies of all sizes need to amp up protection. Even if you think your business information isn’t of interest to others, Rad assures us that there will always be hackers that find your digital footprint interesting and will do something with it—if only because they can.
Mobile devices are the mighty double-edged swords of today’s workplace. On the one hand, they provide greater integration of information; on the other, they could be your business’s one-way ticket to a catastrophic security breach. This week we had the amazing opportunity to speak with Anthony Kinney, Microsoft’s Verizon Partner Manager, about mobile security and the ways to mitigate data risk in a BYOD environment.
According to Kinney, the three main security risk areas associated with BYOD are:
Data loss prevention, which has to do with securing the data on a device in the case of it being lost or stolen.
Data in transit, which is most often protected by encrypting information to ensure that all communications between the device and backend infrastructure are secure.
Data leakage, which is about keeping a user’s work and personal information separate. In other words, “protecting users from themselves.”
We asked Kinney what Microsoft is doing to make sure that moving to a pocket office doesn’t mean introducing security risk. He discussed how our multilayered approach to security makes adopting a BYOD policy far less of a risk, with solutions like Secure boot technology, remote “wipe” capabilities, and automatic cloud storage (among other security solutions).
What makes the greatest difference, however, are the actions a company takes to ensure that their data is secure. The way Kinney sees it, employees jailbreaking and rooting devices is one of the largest risk factors for companies who allow employees to BYOD. What those companies do is implement third-party services to “containerize the data,” so it never actually goes onto the local device.
According to Kinney, Windows Phone solves for this by protecting the data at the data center level before it even gets to the device. This means each document can have specific edit/view/share settings so that when it’s accessed on a mobile device it can’t be ‘saved as’ or forwarded to another cloud service, depending on what the settings permit. This way the phone fully understands the corporate policies on the document, helping IT to provide security—even at the file level.
This level of device integration with your data allows your company to consider a BYOD or CYOD policy without the need for third-party security solutions—which themselves offer another point of potential failure and risk. By working with your existing desktop OS, email, and other systems, the native Windows Phone OS helps mitigate data loss risk for your pocket office by preventing it in the first place.