Monday, August 19, 2013

Buying British: Data security in the Cloud and the effect of PRISM

Daniel Hoy
UK Marketing Manager
Egress Software Technologies Ltd.
The recent revelations leaked to the international press by whistle-blower Edward Snowden regarding the scale of the US Government’s data surveillance programme have raised major concerns about the security of information stored in the Cloud, causing some to question where this leaves our basic human rights to privacy (a subject Egress CEO Tony Pepper has previously discussed).

The latest reaction has been the closure of two high-profile secure email services, Lavabit (a former favourite of Snowden’s for sharing information securely) and Silent Circle. Their reasoning? To avoid becoming ‘complicit in crimes against the American people’. In fact, Ladar Levison, Owner and Operator of Lavabit, has declared that:
‘This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.’ (http://lavabit.com)

What does this mean for the future of Cloud-based data security?


It remains to be seen whether these latest developments have any lasting impact on Cloud security; however, they do raise questions over data residency and the laws that companies and their data fall under.

Levison’s caution to avoid companies with physical ties to the US is a thinly veiled remark about the Patriot Act. Passed in the immediate wake of 9/11, the act enables the US Government to gather information on US and non-US citizens, granting it access to data held within the country and to that of sister companies based outside the States or those using US subsidiaries for data processing. Fortunately in the UK, the Data Protection Act comes with various caveats that offer citizens greater protection and assurance over when and why their personal information might be accessed. Of course, there is no guarantee that these laws won’t change over time, which is something that we should all remain aware of.

It’s my opinion that Snowden’s revelations will have a positive effect on Cloud security in the long term. Individuals and businesses have had their eyes opened, and arguably will proceed with much more caution in the future when choosing where to store their data, and with whom. Simply put, they need to be aware what laws can, and will, be applied to their data (including any backed up versions, which may reside in a different country), and whether these will safeguard their right to privacy.

This increased awareness can only be a good thing for UK-based companies, and specifically Egress, who offer a combination of cloud-based, hybrid and on-premise data storage solutions. Crucially, this type of flexible hosting platform gives customers choice over how and where their data is stored. Depending on their appetite for risk, and the confidentiality of the information they manage, they remain in control and have the assurance of end-to-end information security throughout the lifecycle of their data.

Governments will always need to intercept communications and access data in the interest of national security, a fact that most people can accept as long as the necessary legal and constitutional steps have been taken. 

Wednesday, August 14, 2013

Ahead in the Cloud: Remaining secure with cloud computing

Rebecca Bailey
Senior PR & Marketing Executive
Egress Software Technologies Ltd.
Championed as a revolution in computing solutions, Cloud offers benefits for organisations across all sectors; however IT heads need to be switched on to the security issues around storing and accessing data in the Cloud.

Bringing the Cloud closer to home

The term ‘cloud computing’ is somewhat deceptive. Not only does stored data reside in servers based very firmly on the ground, but the phrase is also reminiscent of fluffy balls of cotton wool floating innocently overhead. Through its very name, therefore, Cloud creates distance between organisations and their data – a false sense of security that a user’s responsibility is removed purely because data isn’t being stored on their premises.

The reality, however, is somewhat different.

In a survey carried out by PricewaterhouseCoopers, only just over half of European businesses recognised data security as a major risk of cloud computing, raising the question of how well-informed organisations are about the potential threats of using Cloud.

The Cloud Security Alliance (CSA), meanwhile, has identified the ‘Notorious Nine’ threats posed by cloud computing in 2013. Headlining this list are:

  1. Data breaches
  2. Data loss
  3. Account or service hijacking

Data breaches

Information stored in the cloud is just as susceptible to data breaches – whether malicious or caused by human error – as that stored on on-premise servers. Note-taking and storage service Evernote is one recent example of a malicious data breach affecting users’ personal information. Although the California-based company insists that there is no evidence to suggest that payment details or content were breached, user names, email addresses and encrypted (hashed and salted) passwords were – causing untold concern to users and reputational damage to Evernote.

Human error, meanwhile, often occurs when using Cloud to share data with others. A lack of verification processes, for example, can lead to unintended recipients being able to access information. In addition, human error can cause data breaches through inadequate control over whether a recipient can share information, either electronically or in hard copy. The ability to restrict or revoke access is invaluable when sharing highly sensitive data, stopping users from forwarding, printing or even accessing information, as required.

So, how can Cloud data breaches be prevented?

It all hinges on knowing what legislation can be applied to your data. One aspect of this is the idea of ‘data residency’: where your data is stored and what jurisdiction it subsequently falls under. Secondly, be aware of the reach of this legislation – the US Patriot Act, for example, is not only applicable to data stored in the States, but also to organisations with a parent company located in the US and those using American subsidiaries for data processing.

Before procuring Cloud services, therefore, read up on any laws that your data or company might fall under. The recent revelations from the US involving the scale of the NSA’s programme of data surveillance and use of the Patriot Act in order to obtain information have demonstrated why this is so important.

Next decide on what information will reside in the Cloud and how secure it needs to be. Ensure that you have the correct level of access control. Data in the Cloud can be encrypted, but encryption only keeps the provider (and anyone who obtains a copy of the stored data) out if the keys are held by you rather than by the provider; and where a key is derived from a user’s password, a forgotten password means the data is unrecoverable, so key recovery has to be planned as carefully as access control.

When sharing data using Cloud-based services, meanwhile, it’s important to maintain control. Some solutions will only secure data in transit; however more sophisticated encryption services can ensure that it is only accessed by the intended recipient and offer full control over what they can do with it.

Data losses

While permanent loss of data can be caused by physical disasters – such as fires, floods or earthquakes – software and human error are also culprits. Consequently, a proportion of data loss is actually caused by preventable means, such as users forgetting passwords or losing encryption keys, or accidental deletion by the provider.

And yet it really doesn’t matter who’s to blame – service provider or customer – the end result is the same: reputational damage and, consequently, revenue loss.

Again, preventing permanent loss of data comes back to the service level agreement and data residency. You need to know that your Cloud provider is backing up the data they’re storing, as well as where that data is backed up. You also need to ensure contractually that the backed-up data is monitored and can be restored within an agreed time – and test that restore rather than take it on trust.

Account or service hijacking

Reused credentials and passwords, in addition to more ‘traditional’ methods such as phishing and exploiting software vulnerabilities, all pose a risk to data stored in the Cloud. Thus cloud computing simply adds another avenue for hijack. As acknowledged by the CSA, hijackers can use a captured account to, amongst other activities, eavesdrop on information and transactions, manipulate data, and redirect customers to illegitimate websites.

However, steps can be taken to mitigate this risk.

As an organisation, prohibit the sharing of credentials between individual users, as well as with service providers. Similarly, employees should be discouraged from reusing usernames and passwords across services, while multi-factor authentication provides further protection, preventing one stolen password from leading to a hijack elsewhere. Monitor for unauthorised activity – the sooner it is detected, the sooner it can be dealt with. Finally, when engaging your cloud provider, make sure you have a full understanding of their security policies and service level agreements.
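The paragraph above asks for vigilance against shared credentials and hijacked accounts without saying what that looks like in practice. As an added example (not from the original post, and not an Egress feature), here is a minimal detector run over constructed authentication log lines: it flags an account that succeeds from two different addresses within a short window (credential sharing or a hijacked session) and a burst of failures followed by a success from an address never seen for that account (a guessed or phished password). The log format, window and thresholds are this example’s own assumptions.

```javascript
// Added example (not from the original post): two hijack/credential-sharing signals
// evaluated over constructed login events. Format and thresholds are assumptions.
const WINDOW_MS = 10 * 60 * 1000;   // look-back window for correlating a user's events
const FAILURE_BURST = 3;            // failures before a success from a new IP is suspicious

// Constructed sample log (documentation-range IPs, no real accounts).
const SAMPLE_LOG = `
2013-08-14T09:00:05Z login user=alice ip=198.51.100.10 result=success
2013-08-14T09:03:40Z login user=alice ip=203.0.113.77 result=success
2013-08-14T09:10:12Z login user=bob ip=198.51.100.22 result=success
2013-08-14T09:31:02Z login user=carol ip=192.0.2.9 result=failure
2013-08-14T09:31:15Z login user=carol ip=192.0.2.9 result=failure
2013-08-14T09:31:29Z login user=carol ip=192.0.2.9 result=failure
2013-08-14T09:32:01Z login user=carol ip=192.0.2.9 result=success
2013-08-14T11:45:00Z login user=bob ip=198.51.100.22 result=success
`.trim();

// Parse one line into {ts, user, ip, ok}; lines that do not match are dropped.
function parseLine(line) {
  const m = /^(\S+) login user=(\S+) ip=(\S+) result=(success|failure)$/.exec(line.trim());
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, user: m[2], ip: m[3], ok: m[4] === 'success' };
}

// Walk events in time order, keep each user's recent history, and emit alerts.
function detectHijacks(logText) {
  const events = logText.split('\n').map(parseLine).filter(Boolean)
    .sort((a, b) => a.ts - b.ts);
  const history = new Map();   // user -> events still inside the window
  const knownIps = new Map();  // user -> Set of IPs that have succeeded before
  const alerts = [];
  for (const ev of events) {
    const recent = (history.get(ev.user) || []).filter(e => ev.ts - e.ts <= WINDOW_MS);
    const seen = knownIps.get(ev.user) || new Set();
    if (ev.ok) {
      // Signal 1: successful sessions from different addresses inside the window.
      const otherIps = new Set(recent.filter(e => e.ok && e.ip !== ev.ip).map(e => e.ip));
      if (otherIps.size > 0) {
        alerts.push({ user: ev.user, rule: 'concurrent-ips', ips: [ev.ip, ...otherIps] });
      }
      // Signal 2: a run of failures, then success from an address never seen for this user.
      const failures = recent.filter(e => !e.ok).length;
      if (failures >= FAILURE_BURST && !seen.has(ev.ip)) {
        alerts.push({ user: ev.user, rule: 'failures-then-new-ip', ips: [ev.ip], failures });
      }
      seen.add(ev.ip);
      knownIps.set(ev.user, seen);
    }
    recent.push(ev);
    history.set(ev.user, recent);
  }
  return alerts;
}
```

On the sample log this raises two alerts: alice for concurrent use from two addresses, and carol for three failures followed by a success from an unseen address; bob’s two logins hours apart from the same address raise nothing. Both signals have benign explanations (a user moving between office and mobile networks, a mistyped password), so they are prompts to investigate and to verify with the user, not grounds to lock an account automatically.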

A switched-on approach

Cloud requires a more managed approach than some firms have previously taken. However, it remains one of the most cost-effective and efficient revolutions in computing – and taking a switched-on approach will realise these benefits, while also mitigating any risks to data stored in the Cloud.

At the centre of this remains the notion that 'remote access' doesn't mean 'remote responsibility'. 

Wednesday, August 7, 2013

Fax faux pas – does the Bank of Scotland ICO fine signal a harder line approach to DPA policing for the Private Sector?

Tony Pepper
Chief Executive Officer and Co-Founder
Egress Software Technologies Ltd.
Bank of Scotland (part of Lloyds Banking Group) hit the headlines earlier this week having received a £75,000 fine from the Information Commissioner’s Office (ICO) for repeatedly sending customer details to incorrect fax numbers over a three year period – despite repeated warnings.

While trying to fax documentation internally, highly confidential customer information – including account and contact details, payslips, bank statements, and mortgage applications – was sent to two third-party organisations. Although the first mistake was reported back in 2009, the errors continued until the ICO launched an investigation in April 2012.

"Unforgivable"

While £75,000 is the largest fine levied by the ICO against a financial company, it is a drop in the ocean compared to Lloyds Banking Group’s £1.6bn net profit for the first six months of 2013.

However, the fine is indicative of the wider ramifications that breaches to the Data Protection Act (DPA) will have for Private Sector organisations.

ICO Head of Enforcement Stephen Eckersley labelled Bank of Scotland’s behaviour as “unforgivable”, demonstrating an uncompromising position on those organisations that treat highly sensitive information recklessly. Although there is currently no legal obligation for data controllers to report data breaches, proposed changes to EU data protection legislation could alter this, and the ICO is also pressing for powers to imprison those guilty of serious DPA breaches.

The tide is turning in the private sector: pressure to comply with the DPA is increasing, and implications for those who continue to flout it will only get more severe. The investigation into Bank of Scotland and the subsequent fine reveal the ICO’s unswerving commitment to upholding the DPA, as well as their ability to levy punishments against even the largest Private Sector organisations.