Posts

Beware of Marketplace Apps on the Move


Last week, Google announced that the Google Apps Marketplace was open for business to all Google Apps users, not just administrators.

While this move opens up a wide range of personal productivity applications to Google Apps users, it is not without risks.

  • Your users can now commit you to paid apps and services that you may not want as part of your environment.
  • Apps may require permissions to data in your Google Apps environment that needs to be, or you want to be, private and secure.
  • Not all apps are from well-known vendors.

As we have written in the past, third party apps can present a risk to your data and your business.  And while Bring-Your-Own-App (BYOA) can be beneficial to staff efficiency and effectiveness, Google Apps administrators should be careful and should understand the security health of the domain.

As such, consider turning off marketplace access to all users.  (Customers with a support plan: Ask us and we will do this for you).

We also recommend that you consider a Google Apps Security Health Check (special offer through Sept 30th) to ensure that Marketplace, mobile, and other third party apps are not already posing a risk.


If your current Google Apps reseller is not providing guidance on best practices, security and other important issues, contact us.  We would love to have you join us as a client. 

 

 

 

The Google Apps / Gmail Breach That Isn’t

News over the past few days that hackers have posted almost 5 million email addresses and passwords on an online forum has caught the media’s attention, in large part because about 4.7 million of the addresses appear to be Gmail accounts.

This is NOT, however, a breach of Gmail or Google Apps.  

The information appears to be from other sites and sources for which users provide their email address as their login.  In fact, several people that have found their address on the list report that the information is not their login information for Gmail or Google Apps.  As reported by Mashable, your risk is low.

Given it is not a Google Apps or Gmail breach, are you at risk?

Maybe!  Google has already analyzed the list and found some users that may be using their Google account password for other sites.  Google has notified these users and is forcing them to change their passwords. For the bigger picture:

If you use the same username/email address and password for all of your services, and one service is breached, then you are at risk of hackers gaining access to some or all of your services.

If a service is breached and you have granted the service access to your Google Apps environment, your data may be at risk.

Recommended Actions

Step One:  It is not easy, but avoid using the same password for multiple services, sites, or accounts.  And don’t write passwords down to remember them.

Step Two:  Be careful when and how you allow services to connect with one another.  For example, LinkedIn needs your gmail.com password if you are going to import contacts. While this may be safe to do, other services may not be as trustworthy.

Step Three:  Read and understand security permissions when you install apps on your mobile devices.  Many apps recognize and request access to other apps and services already on your phone.  Human nature is to say “grant” or “allow” without reading or fully understanding the implications, risks, or the trustworthiness of the app’s creators.


Note for Businesses, Governments, and Schools running Google Apps: Users installing 3rd party apps, particularly on cell phones, may be granting access to data stored in Google Apps.  To see if you have a risk, we offer a Google Apps Security Health Check that will document access rights and evaluate your level of risk, if any.

Click Here for Information

 

5 Security Threats SMBs Should Not Overlook: Malicious Web Sites

As more services move into the cloud, users bring their own apps to their work environment, and we see more integration and interconnect between systems, the nature of security risks and threats is changing.

This blog series looks at some of these threats, why they should be of concern to SMBs, and how SMBs can mitigate the risks.


Many small and mid-size business owners look past security threats in the belief that their businesses do not have trade secrets or other information coveted by hackers.  This view is naive.  Small businesses are ripe for attack because they often have personal, credit, or medical information about their customers and their employees.

Your business may be at risk even if you are not a deliberate target. Hackers and thieves cast wide nets to capture personal information for identity theft. For identity theft, your business IT is no different than home computers.

Many businesses respond that they have security in place: a well-managed firewall, a big name malware suite that updates periodically, and spam/virus protection for their email service.

Unfortunately, users are 20 times more likely to suffer a malware attack from a corrupted web site or a phishing attempt than through the “traditional” means of email and file transfers. While traditional malware tools may catch these types of attacks, web-based malware often behaves more like acceptable code.  The recent outbreak of “crypto locker” malware, which encrypts your data and holds it for ransom, is an example of just how ineffective traditional malware prevention alone can be.

The overlooked solution to closing the web-enabled malware threat is known and simple: web filtering.  Web filters not only track sites known to be risky, insecure, or containing malware, they analyze web traffic and behavior in real-time, identifying sites that may be compromised, including those hacked without the site owner’s knowledge.

For most SMBs, adding web filtering to the ecosystem is an affordable increase in IT spending, typically less than $3.00 per employee per month.   Given that a single malware event can take 20 to 60 hours to mitigate at a cost of thousands of dollars, web filtering is a value-add component for most IT ecosystems.


Cumulus Global can assist in selecting a web filtering solution for your business.  Please contact us, or complete the form below, for more information.

Security Breach? There are Apps for That

 

Here’s a Story …

Emily tells Dan about a cool app on her iPhone that helps her stay organized when she is out of the office.  Dan looks it up and downloads it to his Android phone.  The App is cheap and has great reviews.  When Dan installs the app, he gets a screen about permissions with only a few items listed.  He scans the list.  Dan is not a techie and the list seems reasonable; he clicks “Allow” and the installation finishes.  Dan uses the app and is happy.  Over the next few weeks, Dan has trouble finding docs he saved in Google Drive.  Some were uploaded Word and PDF files, while others were created in Google Docs and Sheets. When he asks IT for help, they find some documents in the trash; others appear to be gone forever.

Here’s the Lesson …

When Dan installed his cool new app, he granted the app full access to the content of his Google Drive account and to other content in Google Apps.  The app had a bug (we do not want to assume malice) that set all of Dan’s files to public on a periodic basis.

Third party applications, including mobile apps, create a security and privacy risk for your Google Apps environment.

Here’s the Offer …

Partnering with CloudLock, we will conduct a Google Apps Security Health Check for your Google Apps for Business or Government Domain.  Normally costing $1,000 to $5,000 (or more!), through September 30, 2014, we will perform the check for $300 (or less!).

Please click here for more information or to request your Google Apps Security Health Check.

Chromebook SSO Eases Access Administration

Single Sign-On (SSO) enables users to access multiple systems and applications with a single username and password, and a single login screen.  And while many schools and businesses use SSO for Google Apps and related solutions, Chrome devices have always required a separate login.

To ease access administration and simplify user logins, Google has launched SAML-based SSO login for Chrome devices.   Organizations running current versions of Chrome on devices registered via Chrome Management licenses can now extend their Google Apps SSO login to the registered Chrome devices.

Feel free to contact us if you would like more information or assistance with your setup.

 

Assessing Your Google Apps Security Threats

The power of Google Apps comes from the variety and scope of its collaboration features.  Unfortunately, the same tools we use to share and to work more efficiently can be used against us. When users set permissions, they may accidentally (or intentionally) over-share, resulting in data leaks, disclosures, policy breaches, and regulatory violations.

With the ability to select and connect 3rd party mobile and web apps to their Google accounts in just a few clicks, employees can easily and unintentionally grant access to non-trustworthy apps.

How do you protect your users from threats they do not know exist?

Assessing and managing information security within Google Apps warrants a multi-faceted approach.

  1. Education. Make sure employees understand your organization’s privacy and security policies, and any regulations and laws you must follow.
  2. Education. Make sure your users understand the basics of how permissions work within Google Drive and Sites, and how to use settings to comply with policies.
  3. Education. Make sure employees know that 3rd party apps can be dangerous and cause problems.

Beyond Education, many organizations look to deploy data protection and security solutions that support policies, that monitor the Google Apps environment for risks and violations, and that can respond and remediate potential data sharing violations.

Before you invest, however, understand your risk.  By reviewing Drive content and permissions and analyzing the inventory of 3rd party apps accessing your Google Apps domain, you can best assess if and when additional security and administrative tools are warranted.  While this can be time-consuming, tools and services exist that can automate the process of gathering and analyzing Google Apps security threat information.

Through September 30, 2014, Cumulus Global is partnering with CloudLock, the Google Apps collaboration security company, to offer a comprehensive Google Apps Security Health Check, which will analyze both Drive content and the risk from 3rd party mobile and web apps.  Normally a service costing $1,000 to $5,000, we are offering the assessment for $300 or less.

Click Here for more information and/or to speak with a Cloud Advisor.

 

Avoiding Real Drive Security Threats


Are Your Users Letting Data Thieves in Through the Front Door?

When most organizations think about protecting files in Google Drive, they focus on Google’s security certifications, whether or not to allow external sharing, and setting up groups to make assigning permissions easier. Too often, they fail to consider the bigger risks to data: users and apps.

Users typically have the ability to share Drive content within your domain and externally. A simple user error (and the occasional intentional act) can expose sensitive data, creating headaches and potential liabilities.

Apps, whether browser extensions or on smart phones, can be installed by your users without your knowledge. These apps often request broad access to data ranging from contact lists to Drive content and can expose data before you know the apps even exist. Human nature tells us that if a person wants an app, they click “Allow” and “Accept” without necessarily reading or understanding the permissions being granted.

To secure data in Drive, organizations should monitor and manage both user permissions, based on policies and content, and third-party apps with access to data. An understanding of the access granted to each App, and whether others have deemed the App trustworthy, gives you the power to allow Apps that help your team work efficiently while blocking Apps that pose too much risk.

The First Step to closing user sharing and Apps permission risks is to audit and assess your environment. Audit user assigned permissions and third-party Apps with access and review the results for potential data security issues.
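One way to start the third-party app audit described here and in the earlier Health Check posts, as an added example that is not code from Cumulus Global or CloudLock: it ranks app grants by the broadest scope each app holds and by how many users approved it. The record fields are shaped like the token records of Google's Admin SDK Directory API; the risk tiers are an assumed policy, and the users, app names and client IDs are constructed sample data.

```python
# Risk tiers are an assumed policy for illustration; adjust to your own rules.
HIGH_RISK = {
    "https://www.googleapis.com/auth/drive",  # read/write to every Drive file
    "https://mail.google.com/",               # full mailbox access
}
MEDIUM_RISK = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar",
    "https://www.google.com/m8/feeds",        # contacts
}
TIER = {"low": 0, "medium": 1, "high": 2}

# Constructed sample records (users, app names and client IDs are made up).
SAMPLE_GRANTS = [
    {"userKey": "dan@example.com", "displayText": "OrganizeMe",
     "clientId": "1111.apps.example",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "emily@example.com", "displayText": "OrganizeMe",
     "clientId": "1111.apps.example",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "emily@example.com", "displayText": "CalSync",
     "clientId": "2222.apps.example",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"userKey": "dan@example.com", "displayText": "SignInOnly",
     "clientId": "3333.apps.example",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
]

def grant_risk(scopes):
    """Return the tier of the broadest scope in one grant."""
    granted = set(scopes)
    if granted & HIGH_RISK:
        return "high"
    if granted & MEDIUM_RISK:
        return "medium"
    return "low"

def audit(grants):
    """Group grants per app and sort the riskiest, most widely installed first."""
    apps = {}
    for g in grants:
        scopes = g.get("scopes") or []  # a record with no scopes counts as low
        entry = apps.setdefault(g["clientId"], {
            "app": g["displayText"], "risk": "low",
            "users": set(), "flagged_scopes": set()})
        entry["risk"] = max(entry["risk"], grant_risk(scopes), key=TIER.get)
        entry["users"].add(g["userKey"])
        entry["flagged_scopes"] |= set(scopes) & (HIGH_RISK | MEDIUM_RISK)
    return sorted(apps.values(),
                  key=lambda e: (-TIER[e["risk"]], -len(e["users"]), e["app"]))

if __name__ == "__main__":
    for e in audit(SAMPLE_GRANTS):
        print(e["risk"], e["app"], sorted(e["users"]), sorted(e["flagged_scopes"]))
```

Apps at the top of the list hold full Drive or mailbox access for the most users, which is where a review of trustworthiness pays off first.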

With an understanding of the scope of your risk, you can best decide if you should invest further in your Google Apps ecosystem.

In partnership with CloudLock, we are offering great discounts on our Google Apps Risk Assessment service. Normally a $1,000 per audit service, we will examine collaboration and permission settings as well as the 3rd party Apps that already have access to your domain for $300 or less.

Contact us for more information or to request a formal quote.

Lots of Bots; Not so Many People on the Internet?

As reported by CloudTweaks, a recently published analysis tells us that only 38.5% of Internet traffic is from humans.  The rest is from Bots — good and evil.

Good Bots are primarily search engines and data aggregation services.  These represent 31% of Internet traffic.  This leaves 30.5% of traffic originating from Bad Bots.  

What are the Bad Bots?

  • Scrapers: These bots scrape web sites, capturing text to steal email addresses for spam purposes or to reverse-engineer pricing and business models
  • Hackers: These bots break into sites to steal credit card data or inject malicious code
  • Spammers: Email addresses are the target for these Bots, enabling billions of useless and annoying email messages and inviting “search engine blacklisting”
  • Impersonators: These bots specialize in intelligence gathering, DDoS attacks and bandwidth consumption

The result?  Web sites, email systems, and other online activities should be secure.  Our defenses must continue to evolve and all technology users should have a basic understanding of the threats at hand.

Focusing on protecting users and data, rather than devices, creates a mindset that enables a more integrated approach and solutions.

Contact us to explore solutions that fit your business and budget.

Google Apps and Student Privacy

As you have probably heard, there is a Federal lawsuit against Google in California that accuses Google of mining student data for commercial purposes. We have received a few questions and expect we will receive more.

Here is what we know so far.

  • Google Apps for Education remains certified as FERPA compliant. Federal regulators have not seen any issue to warrant reconsideration, revocation, or further investigation at this time.
  • Yes, Google scans all email before it reaches its inbox.  The scanning addresses several issues, including spam and virus protection, archiving, spell checking, and priority inbox, as well as automated identification of keywords.
  • Auto identification of keywords is for ad display.  Unless explicitly turned on by a school district, ads are not displayed and this functionality is disabled.  We have never turned on this service for a school, and to the best of our knowledge, no school has turned on ads themselves.
  • No humans read emails or other Google contents.  The scanning is automated, by computer algorithm.
  • Google does not sell the information it gathers — that is not how Ads work. When an advertiser selects keywords, Google’s system matches keywords from ads with keywords from users.  Advertisers do not know the identity of those who see ads.
  • The lawsuit alleges that Google could use a “profile” learned from email scanning to advertise and market to students using other Google services. Emphasis is on “could”.  While Google could do this, they do not, as to do so would invalidate Google’s FERPA compliance and would destroy the trust of thousands of schools and districts.   Also note that SaaS providers offering SIS and LMS services also have information that could be sold or used for marketing.   Like Google, these providers hold the information as confidential.
  • The judge in the case denied the request for class action status. This indicates that there is likely insufficient cause to expect a broad application of fault or liability. While we are not lawyers, this appears to be an early indication regarding the merits of the case.

We will continue to monitor the case for developments and publish relevant information as it becomes available.  If you have any questions, please feel free to contact us.

A New Approach to Protection

One of the challenges in today’s world is that malware can come from anywhere.  Traditionally, viruses and other malware travelled by disk or thumb drive.  As our desktop protections improved, malware appeared in infected files attached to emails, or spam.  Today, malware is more likely to come from a web site you visit — even legitimate sites have been hacked — than anywhere else.

Additionally, malware targets every platform.  Once thought immune to viruses, Macs face some of the same risks as PCs.  Our smartphones and tablets, running iOS and Android, are also under attack with malware built specifically for those platforms and the information they often hold and access.

The problem with protecting all devices is that we have historically needed a solution for each platform.  For those with laptops, smartphones, and/or tablets, as many as three solutions may be needed — each with purchase and subscription costs as well as administrative time and costs.  Additionally, historical malware protection focuses on infected files and malicious code on each device … even though the web is the greatest source of danger.

Looking forward, we need a better way!

Instead of working to protect devices and data, let’s focus on protecting the users.  Let’s offer protection through a single system across all devices.  Let’s offer protection that not only looks for traditional viruses and malware, but prevents malicious code and activities from hacked web sites.  Let’s deploy a solution that works with the way our users work — on smartphones and tablets, as well as PCs and Macs.  And, let’s do this without breaking the bank.

Does such a solution exist?

YES!  And, we are launching it soon.  Fill in the form, below, for pre-launch information and pricing.