Posts

G Suite: Modern Security for Modern Threats

Google CloudIn multiple blog posts over the past 2+ years, we have covered the changing and growing nature of threats to your organization, systems, and people.  For us the answer is CPR

Communicate and Educate;

Prevent & Protect;

Recover & Review. 

Once you have these basics in place, the challenge becomes keeping up with the times.  As the nature of threats change, the protective capabilities of our key systems should evolve as well.

For those of us running G Suite, we may understand that Google has expanded the security footprint and capabilities, but have we altered our configuration to properly protect ourselves?

The first step in assessing your protections is to understand the risks.

  • 91% of attacks start with a phishing email
  • 66% of malware was installed via malicious emails or attachments
  • 90% of all reported breaches caused by employee negligence, extortion, and external threats

These statistics, while not unfamiliar, point to the change in risk from physical devices to data and human interactions.

As people can be your greatest risk, the best protections compensate for human behavior.

Step two is mapping your security needs to the right version of G Suite. Each version adds additional protections, allowing you to move up to the version that best meets your needs and priorities. Understand what each version offers and map them back to your regulatory and business requirements.

G Suite Basic

  • Encryption in transit and at rest, including policy-based TLS enforcement
  • 2-Step Verification via prompt, SMS, Security Key,or Authenticator app
  • Single Sign-on (SAML 2.0)
  • OAuth 2.0 and OpenID Connect
  • Restrict emails to authorized recipients
  • Drive audit logs

G Suite Business

  • Vault for compliant archiving and e-discovery for Gmail, Drive, and Hangouts Chat
  • Team Drives for centralized access controls and permissions management
  • Domain white-listing for Drive with alerts
  • Basic Information Rights Management (IRM) to manage scope of sharing by Organizational Units

G Suite Enterprise

  • G Suite Security Center with a unified security dashboard
  • Advanced Data Loss Prevention for Gmail and Drive files
  • Email content compliance and objectional content filters, with OCR
  • Security key enforcement
  • User S/MIME Certificates for Gmail encryption
  • App white-listing to control 3rd party data access
  • Sandboxing (pre-delivery deep scanning) or email attachments

Moving the right version of G Suite has never been easier.

While no one product or service will meet all of your security, privacy, and data management needs, moving to the right version of G Suite improves your security footprint and can mitigate the need for 3rd party solutions. To help you move, we are partnering with Google to offer pricing incentives.

Your next step is to contact us to schedule a complimentary Cloud Advisory Session to assess your needs, priorities, and options.


 

 

 

Echo of Non-Compliance

Everyday, we hear about new ways we can use our smart speakers. Retailers, radio stations, product companies, and others remind us that we can use our Amazon Echo or Google Home to buy, listen, or learn. The term “smart speaker”, however, is misleading.  These are microphones and they are always listening. They are also likely recording everything they hear.

If you are covered by HIPAA or other privacy regulations, do not talk about protected information within earshot of Alexa.

This warning stems from a 2015 murder case in Arkansas. Believing that the Amazon Echo may have “heard” a murder, the District Attorney subpoenaed any recordings that Amazon may keep from the device. Amazon fought the decision on First Amendment and privacy rights, not by claiming that it was not recording. Amazon did not deny having recordings.

The issue for data privacy compliance is that your smart speaker may be listening to and recording conversations you have about protected information.  Allowing this is a violation of HIPAA and other regulations protecting personal identifying information (PII).

When is your Amazon Echo recording?

The short answer is: we are not sure, but maybe always.

Looking at the Alexa Terms of Use, Amazon tells us “Alexa streams audio to the cloud when you interact with Alexa” and “Alexa uses recordings of your voice to create an acoustic profile of your voice characteristics.” Alexa use is also covered by the Amazon Privacy Notice, which states, “We receive and store any information you enter on our Web site or give us in any other way.”

While Amazon tells us they are recording your “Hey, Alexa” commands, the Terms of Use and Privacy Notice are a bit more ambiguous. Neither document tells us that Amazon records only when listing and processing commands. Nor do the policies limit Amazon’s recording to those commands. We do not know, for sure, when Amazon is not recording what it hears on your Echo.

Better Safe Than Sorry

When speaking about sensitive or protected information, stay away from your “smart speaker” or manually mute the device.


One more thought:  Ever notice how after certain conversations, you see ads on Facebook related to the topic discussed?  Unless you turn off microphone access, Facebook is using your phone to listen to your conversations, analyze what you say, and profile you. Letting Facebook listen is another potential HIPAA and PII breach.


 

Myth Busting

Myth-Busting Monday: On-Premise is Safer Than Cloud

Office365-Logo-and-textJust because you can see it and touch it, does not mean it is safe and secure. With the number of successful ransomware attacks up more than 400% in the past year, it is increasingly clear that on-premise systems are not inherently more secure than they would be in the cloud. Many companies are hacked and remain unaware for weeks or months, as the use by cyber criminals of advanced persistent threats continues to rise.

Microsoft Office is secured with technologies and resources beyond the reach of nearly every small and mid-market business.

Large enterprises know that security is a full-time job, requiring a team of expensive experts and advanced technologies. And while large enterprise can afford to make this investment, most small and mid-size businesses do not have the resources to prevent, detect, and mitigate security issues.

Moving to Office 365, you enter an environment designed for security, backed by a team of security experts, industry leaders in regulatory compliance, and the latest security technologies and methods. Office 365 complies with the latest rules and regulations, including but not limited to:

  • HIPAA
  • Sarbanes-Oxley
  • Federal Information Security Management Act (FISMA)
  • ISO 27001
  • European Union (EU) Model Clauses and U.S.–EU Safe Harbor framework
  • Family Educational Rights and Privacy Act (FERPA)
  • Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

And, with this security, you get a 99.9% uptime guarantee.

Thinking of going cloud — or expanding your cloud use — and remain concerned about security and data privacy, give us a chance to assess your needs and map out a solution.


This is the third of a multi-part series designed to help companies better asses the opportunity and value of cloud-based solutions.  Contact Us for more information or a free Cloud Advisor session.


Moving to the Cloud: Regulatory Compliance

 

Green_GaugeThis post is the seventh in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

Moving to the cloud often entails more than switching to an email service or spinning up a some cloud-based storage and servers.  For many businesses — including Small and Mid-Size Businesses (SMBs) — regulatory requirements place demands on IT systems and security.  And, while these requirements impact in-house and cloud solutions, moving to the cloud requires planning.

The most common regulations for SMBs relate to consumer (customer) privacy:  HIPAA, which protects personal health information, and PCI, which protects personal and credit related information.  Many SMBs, however, must also meet the requirements of Sarbanes/Oxley, FINRA, SEC, and various state regulations.

The solution:  Integrating Solutions.

Fortunately, the tools and systems exist to provide compliance with data security and privacy regulations.  Cloud vendors are creating environments and the management controls necessary for customer regulatory compliance and certification.

The challenge is to make sure that all of the pieces work together.

  • Message Archive/eDisovery:  Manages retention of email as official business records and provides the eDiscovery and audit tools necessary to meet federal subpoena requirements.
  • Message Encryption: Encrypts email at the individual message level based on content and rule sets, requires users to authenticate before accessing the message, and prevents forwarding.
  • Two Factor Authorization / Single Sign-On: Provides identity management services and audit trails beyond core products in order to meet regulatory or policy requirements 
  • Third Party Encryption:  Encrypts data in the browser or client before transmission to the cloud, providing a second level of encryption prior to the encryption provided by the cloud vendor.  In the event of a vendor data breach, the exposed data would be encrypted.

These types of solutions, and others, provide cloud environments with the capabilities to meet regulatory requirements.  Vendor contracts and policies should still be carefully reviewed for any terms and conditions that threaten compliance.

And remember, no vendor can ensure compliance.  Compliance exists when the technology meets the technical standards and is used in accordance with policies and procedures that meet the regulatory intent.

Next Post in the Series:  Internationalization

Previous Post in the Series:  Integration with Legacy Systems