Posts

Not Using Google Drive? You Are Not Alone

google-drive-icon
CIO Magazine recently published a report claiming that 80% of Google for Work customers with more than 1,000 users are not utilizing Google Drive. The statistic is based on whether or not users worked with Drive at least once per month. This is disappointing given that studies show the powerful benefits realized when the collaborative features of Drive are fully utilized.

While the report does not discuss why Drive adoption is low, we have our suspicions.

Peer-to-peer file services do not scale — not without some help

In Drive (and oneDrive and other cloud file services), users create their own folders and share them with individual and teams. Each user “owns” their space and their files and to find a file, it helps to know who shared it with you. And, without central management, naming conventions, and other controls, it is difficult to control and manage access to sensitive information.  While these file services are not as challenging as Windows for Workgroups (circa 1992), they come pretty darn close.  Users familiar with a central file structure are easily frustrated with peer-to-peer sharing and file services.

“Security” is confused with “Sharing”

Yes, Google recently announced that Ernst & Young has verified the ISO 27018 cloud privacy standard for Google Drive. But when users think of security, they are concerned about sharing — or permissions — of their files. In any cloud file service, it can be difficult to fully understand who will have access to the file you are creating or uploading.  And, the nuances of Google Drive can take time to learn.

For example, when sharing a link for a Google Doc with a person that does not currently have permissions, you are prompted to allow anybody with the link to view (or comment, or edit) the document. If your intended recipient forwards the message, access is available to others outside your original intention.

In Drive, and other similar services, the relationship between exposure (who can see, view, edit the file with or without credentials) and explicit access permissions has a learning curve that is often overlooked.  People will avoid using Drive if they are worried about exposure and permissions.

The rules are a bit different

Google Drive is more flexible, and in many respects more powerful, than traditional Windows and Linux file shares. This power, however, can be distracting to end users. Having multiple documents with identical names in a folder, for example, throws many for a loop. It’s not intuitive given their experience and it can create confusion as to which document is correct or current.

Using Drive and other cloud file services is different, but you can take steps to ease the transition and improve adoption.

Train Your Users: 

Beyond the basic “clicks and drags” of Google Drive, help your users learn and understand how to use Drive effectively. Cover permission settings so they understand how to share safely and with confidence. Discuss document naming and version management, including how to upload new versions of documents without creating duplicates. Help them learn now to navigate drive, use the search bar effectively, and launch applications from within the web interface.

Create a Managed File Service:

With an affordable add-on, you can overlay a more traditional file server structure onto Google Drive. Tools like AODocs File Server, you can add the aspects of a traditional file server to Drive:

  • Central ownership and control of space, top level folders, and folder hierarchies
  • Distributed access and permissions from a central authority
  • Conversion of personal to central ownership of files uploaded to, or created, within centrally managed libraries
  • Inherited permissions
  • Audit trails

Yes, there is a cost, but the value for many companies is much greater.

Manage Your Permissions:

Permissions are not just about user settings.  Permissions should — and can — be driven by your privacy needs and the content of your documents. Tools like BetterCloud and CloudLock give you the ability to monitor and manage user access and permissions based on business rules and content as it is created or uploaded. Analysis for HIPAA, PHI, PCI, and other compliance requirements is built-in, with the ability to create customized rules for your specific needs.

 

With the right tools, and a knowledgeable workforce, you and your team will better adopt and utilize Drive.  And with adoption, comes results.


Please Contact Us if you would like information about any of the services mentioned in this post.


 

That Time Your Security Company Sold You Out

Privacy Button
As recently reported in Wired magazine, security firm AVG is updating its privacy policy and openly telling customers of its free services that it will sell some of the personal, non-identifying information about you to third parties. The new policy takes effect on October 15, 2015 and while the data may not identify you personally, it will certainly give advertisers, scammers, and hackers a clear idea of who you are and which of your interests they may be able to exploit.

As the policy states:

“We collect non-personal data to make money from our free offerings so we can keep them free, including:

  • Advertising ID associated with your device
  • Browsing and search history, including meta data
  • Internet service provider or mobile network you use to connect to our products
  • Information regarding other applications you may have on your device and how they are used.”

Granted, AVG gets credit for being upfront and honest.

But do you want your security software giving others your browser and search history, a list of applications on your devices, and a history of how you are using your apps?

The Advertising ID being shared means that so long as you have AVG on your device, third parties will know it is you even if they do not know specifically who you are (yet!).

Free is not free.  Lesson Learned.  AVG is telling you that in exchange for free security software, they will sell information about you to people that will use that information to advertisers, marketers, and those will try to scam you, steal your identity, and get you to bypass the very security you want to maintain.

Yes, you can upgrade to AVG’s paid services, but is this a company you still want to trust? Maybe it’s time for a new solution and a realization that even in IT, you get what you pay for.


If you prefer an endpoint security solution form a trusted vendor, contact us to discuss solutions or visit our web site for more information.


 

Expanding HIPAA Accountability

HIPAA Logo
As more businesses provide health care coverage, or assist employees in obtaining coverage, under the Affordable Care Act, we find ourselves possessing and managing even more sensitive personal information about our employees.  And, while we are not working with medical records, per se, we are often exposed to insurance account and activity information that cannot be disclosed.

Communications with your insurance broker or carrier should be secure — from end to end.

The good news is that you have options.

  • Policy-Based TLS Encryption
    • If your broker or carrier is willing to share some technical info, you can setup policy-based TLS encryption that will forcibly encrypt all emails between your email service and theirs.
    • They will likely need you to prove, or certify, that you encrypt data from your email service to your end users on every platform.
    • Policy-Based TLS Encryption is part of Google Apps, but not every email service is capable.
    • This is the lowest cost, but most technical solution.
  • Manual Encryption Tools
    • Third party apps, like Virtru, let users encrypt email messages before they are sent.
    • They are inexpensive and easy to use, and can also track when messages are opened or forwarded.
    • They are NOT foolproof, as they depend on users knowing what must be encrypted and remembering to do so — every time.
    • This is the lowest cost solution, but most susceptible to an accidental breach.
  • Automated Encryption Tools
    • Integrated email encryption solutions, like Zixmail, give users the ability to flag messages for encryption.
    • They also use heuristics to scan all email traffic, identifying those that should be encrypted and doing so automatically.
    • While slightly more expensive, these tools effectively monitor policy compliance and mitigate your risks.

Select the type of encryption solution you need, based on how your business operates and who is responsible for keeping information private.


 

Unlike many providers, we offer each type of email encryption service on a per-user basis. Most businesses have a limited number of staff working with sensitive information; we can provide these users with encryption services. Our approach provides the protection you need and respects your budget and priorities. Contact us to learn more.


 

Our First eBook: 7 Policies for Every Company Using Drive

We are please to announce the launch of our new eBook series with the publication of 7 Policies for Every Company Using Drive. Based on one of our most popular 3T@3 Webcasts, this eBook discusses information privacy and security issues and policies that should be in place to protect your customers, your information, and your business.

Our new eBook series is part of our growing suite of resources intended to help educate and inform on topics related to Cloud Computing for Small and Mid-Size Businesses.

Click here to access the eBook.

 

 

Cloud File Services: How to Define Their Role and Manage Data Better

cloud file services

What Are Cloud File Services?

Users can store, access, and exchange files and data via online platforms known as cloud file services, also referred to as cloud file storage or cloud-based file sharing services. Without the use of physical storage devices or on-premise servers, these services offer a practical and effective solution to manage files from numerous devices and places.

Cloud file services can fill many different roles for your business. Often, the use of cloud file services begins with employees using consumer products, like Dropbox, to share files with customers and each other. While sync-and-share can be an effective way to manage files, you should always rely on the business editions to ensure that the business is in possession of, and is managing, your data.

That said, this use of file sync-and-share tends to be transient in nature. At the other end of the spectrum, many businesses are replacing on-premise servers, NAS, and SANs with cloud file services, which become the primary file service.

To help you plan how to create the best cloud file service for your business, consider these working definitions and considerations with respect to data protection and management.

Define the Role of Your Cloud File Service

Transient File Service

  • Transient file services are used occasionally for storage and sharing of files.
  • Often a sync-and-share service (Dropbox, box.net, etc) or a peer-to-peer service (Drive, etc.), files are copied to the file service and shared.
  • In most cases, files sync back, or are manually copied, to their primary location. As the primary location for files is protected by backups and permissions management, transient file service generally don’t need or have backup protection.
  • Permissions management is often the responsibility of the individual users. As such, transient file services should not be used for sensitive or protected (PHI, PCI, etc) information.

Secondary File Service

  • A Secondary File Service will fill the role that the Transient File Service provides, but will also be the home — the system of record — for some information.
  • Companies create Secondary File Services to handle information that is used collaboratively, but wants to keep internally-used data and critical business information in-house. An architecture firm, for example, might have active projects residing in a cloud file storage service while keeping past project data and internal operations (HR, finance, accounting, strategy) on in-house systems.
  • While sync-and-share can serve the needs of secondary file server, peer-to-peer and managed file services provide better control over your data.
  • As a Secondary File Service will be the system-of-record for important information (i.e., the data is not synced or copied to other storage), these file services should be protected by Backups.
  • Secondary File Services may or may not be used for sensitive or protected information. If they are, then active permissions monitoring and management is advised to prevent inappropriate disclosures, leaks, or breaches.​

Primary File Service

  • A Primary File Service becomes the system of record for most, if not all, of your company’s files and data. As such, the cloud file service will hold sensitive and protected data.  Access, permissions, and protection are as critical in the cloud as they are on-premise.
  • Backup/recovery and active permissions management become critical components for ensuring data reliability, security, and privacy, and may be required for regulatory or industry compliance.
  • While smaller businesses can use the peer-to-peer, larger businesses or those with larger numbers of files find that a managed and structured file service works better.
  • Centralized ownership and control over permissions improves security and efficiency.
  • Sync-and-share services may still be used to support off-line work, but should be managed closely to ensure sensitive and protected data remains secure.

 Hybrid File Service

  • A Hybrid File Service exists when the Primary File Service is split between on-premise servers and cloud-based file services.  A Hybrid File Service differs from the use of a Secondary File Service in that the Hybrid File Service sees both on-premise and in-cloud as equal components of the ecosystem. Data location is based on access needs and usage rather than on the type of data.
  • For some organizations, Hybrid File Services represent a transition period from on-site to cloud file services. For others, Hybrid File Services reflect a broader hybrid cloud strategy that mixes SaaS and IaaS services with on-premise systems.
  • As Hybrid File Services create a cloud-based extension of on-premise servers, a managed file service with central ownership and permissions control is most often the best structure.
  • With a Hybrid File Service, the cloud component requires backup/recovery and permissions protection on-par with your in-house servers.

By understanding and defining the role of your cloud file services, you have a better understanding of the type of managed cloud services to use — sync-and-share, peer-to-peer, or managed file services. You can also best determined the level of backup/recovery, access, permissions, and encryption you want and need to meet your business’ needs and any regulatory or industry requirements.

Security Breach? There are Apps for That

 

security-checkHere’s a Story …

Emily tells Dan about a cool app on her iPhone that helps her stay organized when she is out of the office.  Dan looks it up and downloads it to his Android phone.  The App is cheap and has great reviews.  When Dan installs the app, he gets a screen about permissions with only a few items listed.  He scans the list.  Dan is not a techie and the list seems reasonable; he clicks “Allow” and the installation finishes.  Dan uses the app and is happy.  Over the next few weeks, Dan has trouble finding docs he saved in Google Drive.  Some were uploaded Word and PDF files, while others were created in Google Docs and Sheets. Asking IT for help, they find some documents in the trash, others appear gone for ever.

Here’s the Lesson …

When Dan installed his cool new app, he granted the app full access to the content of his Google Drive account and to other content in Google Apps.  The app had a bug (we do not want to assume malice) that set all of Dan’s files to public on a periodic basis.

Third party applications, including mobile apps, create a security and privacy risk for your Google Apps environment.

Here’s the Offer …

Partnering with CloudLock, we will conduct a Google Apps Security Health Check for your Google Apps for Business or Government Domain.  Normally costing $1,000 to $5,000 (or more!), through September 30, 2014, we will perform the check for $300 (or less!).

Please click here for more information or to request your Google Apps Security Health Check.

Google Apps and Student Privacy

student-privacyAs you have probably heard,  there is a Federal lawsuit against Google in California that accuses Google of mining student data for commercial purposes. We have received a few questions and should expect we will have more.

Here is what we know so far.

  • Google Apps for Education remains certified as FERPA compliant. Federal regulators have not seen any issue to warrant reconsideration, revocation, or further investigation at this time.
  • Yes, Google scans all email before it reaches its inbox.  The scanning addresses several issues, including spam and virus protection, archiving, spell checking, and priority inbox, as well as automated identification of keywords.
  • Auto identification of keywords is for ad display.  Unless explicitly turned on by a school district, ads are not displayed and this functionality is disabled.  We have never turned on this service for a school, and to the best of our knowledge, no school has turned on ads themselves.
  • No humans read emails or other Google contents.  The scanning is automated, by computer algorithm.
  • Google does not sell the information it gathers — that is not how Ads work. When an advertiser selects keywords, Google’s system matches keywords from ads with keywords from users.  Advertisers do not know the identity of those who see ads.
  • The lawsuit alleges that Google could use a “profile” learned from email scanning to advertise and market to students using other Google services. Emphasis is on “could”.  While Google could do this, they do not, as to do so would invalidate Google’s FERPA compliance and would destroy the trust of thousands of schools and districts.   Also note that SaaS providers offering SIS and LMS services also have information that could be sold or used for marketing.   Like Google, these providers hold the information as confidential.
  • The judge in the case denied the request for class action status. This indicates that there is likely insufficient cause to expect a broad application of fault or liability. While we are not lawyers, appears to be an early indication regarding the merits of the case.

We will continue to monitor the case for developments and publish relevant information as it becomes available.  If you have any questions, please feel free to contact us.

Google Apps for Education Security and Privacy

Secure Cloud
Recently, there has been much media discussion in light of litigation regarding data privacy in Google Apps for Education.  Here are the important facts about student accounts and Google Apps for Education.

First and foremost, Ads in Gmail are turned off by default for Google Apps for Education and Cumulus Global advises every school and district we work with not to change this setting at any point in time.

Gmail for consumers and Google Apps users runs on the same infrastructure, which helps Google deliver high performance, reliability and security to all users. However, Google Apps offers additional securityadministrative and archiving controls for education, business, and government customers.

Gmail scans and indexes email for multiple purposes, including spell check, virus and spam protection, features like Priority Inbox and auto-detection of calendar events, relevant search results and advertising.  This scanning is done on all incoming emails, is 100% automated and cannot be turned off.

When ads in Gmail are turned off for Google Apps for Education, automated scanning that is done in Gmail is not used to target ads to Education users, whether inside Gmail or in other Google products (e.g. YouTube, Google Search, etc.).

Google does not scan information stored in Google Drive or Docs (or Sheets, Slides, Drawings, Forms) to target ads to Apps for Education customers.

Google does not share personal information with companies, organizations or individuals outside of Google unless one of the circumstances outlined in the Google Privacy Policy applies.

The data schools and students put into Google systems is theirs, and Google believes it should stay that way. If an education department, school or university decides to no longer use Google, it easy for them to take their data away with them.

Google Apps for Education offers schools a number of additional controls and security features. These include a 99.9% uptime guarantee, 24/7 customer support, greater storage capacity and the ability for school administrators to turn certain features or services on or off. As with all our accounts, we keep our users secure by filtering out spam and looking out for viruses and malware.

If you have any questions or concerns regarding Google Apps for Education security and privacy, please contact us.  We are happy to answer questions and provide additional information.

Google Apps, PRISM, and the NSA

With media attention and hype, leaked documents, Congressional hearings, and a great deal of explanation and back-peddling, the world now knows that the United States government spies on people.

Okay, we already knew that.

So, we learned that about a secret “FISA” court that can issue secret subpoenas letting the government look at information about us.

Okay, we already knew that, too (many of us just did not pay attention or really seem to care very much).

So, we learned that the Government had issued subpoenas for huge amounts of data about phone calls from Verizon as part of secret program called PRISM.

Now must be the time to panic?

As our 24-hour, instant, news machine struggled to find alleged experts on this top-secret program, we began hearing reports that the National Security Agency has direct, unfettered, complete access to all of the data on all of the servers of all of the major public cloud providers, and that they were capturing, recording, and saving all of this information.

Unfortunately, the cloud service providers are prohibited by law from disclosing the the number of FISA subpoenas and/or the number of users subject to those subpoenas.  We do know, however, that all of the service providers deny any direct connection between their systems and the NSA.

Without accurate information, myths become ‘facts’.

For those of us that promote and rely on the cloud, including those of us running Google Apps for Business, Education, or Government, we want assurances that our data remains private.

Google Apps and Your Privacy

On June 7th, Google posted this statement on the Official Google Blog regarding the matter.  In short:

  1. The NSA and other agencies do not have unfettered access to customer data
  2. Google was not participating in, nor aware of the PRISM program
  3. Google actively works to limit the number and scope of FISA requests

Coincidentally, CIO Magazine reported on June 4th (before the FISA/PRISM revelations in the media) about Google’s efforts to modify or restrict FISA subpoenas.  You can see the article here.

Media reports have been largely inaccurate about the scope of the PRISM program and FISA warrants and its use on American citizens on US soil.

Google is not allowed to release the numbers and scope of the requests by law.  On June 11th, Google made public an official request to release that information so that Google customers will have a more accurate picture and will understand that their data remains secure.

Conclusion

The Terms of Service and Privacy Policy for Google Apps for Business, Education, and Government have very specific rules for how private Google keeps your data and how Google responds (and lets you respond) to subpoenas Google receives for customer data.

There is no evidence, or any indication, that Google has acted outside the bounds of these terms and conditions, even as Google vigorously defends the privacy of customer data in court.

 

Moving to the Cloud: Internationalization

 

Green_GaugeThis post is the eighth in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

Cloud computing is global and a growing number of cloud solution providers are global as well.  Data stored in the cloud can end up in data centers in other countries and jurisdictions with differing laws and level of privacy protection.   In addition, organizations may be subject to laws or regulations that restrict data from being stored across national boundaries or in other jurisdictions.

Some risk exists in national or local laws related to data privacy and ownership.

Learn Before You Leap

Before signing on with a cloud provider, ask the questions about where data is stored and how the provider is protecting your data from foreign governments and other interests.  Review all contracts, agreements, and vendor policy statements to ensure they are consistent with the message you hear from the sales team.

Look for adherence to privacy standards based on international treaties, such as Safe Harbor and EU Safe Harbor. While these programs cannot eliminate all risk, they do set reliable standards and ensure the vendor has a process for managing any issues that arise.

Explore options with your vendor.  Many cloud vendors allow customers to select specific data centers in which their systems will run and/or data resides.

Seek out some knowledge about the privacy laws and regulations in the countries in which your data may reside (many Canadian firms, for example, see the US Patriot Act as a risk when data resides in the US).

With a small amount of due diligence, organizations can judge the vendor’s competency in managing data privacy and ownership across boundaries, and can ensure the cloud solution meets the organization’s needs above all.

Next Post in the Series:  Coming Monday June 10th

Previous Post in the Series:  Regulatory Compliance