Corporate Data Leakage in the “Clouds”
Folks, I am a bit sick of hearing “cloud” used as the latest buzzword to describe anything from a simple website hosted on a shared server sitting in a datacenter somewhere to the ability to create virtual servers on demand. (By the way, it is the latter definition that I would consider a cloud, but that is my own opinion.)
Remote server storage has been around for years. We just are not used to it being as easily accessible as it is today with services like Microsoft’s SkyDrive or Google Docs. Never before has it been so easy to copy a couple of gigabytes of data up to a server somewhere and then be able to access it from anywhere. Before the technologies behind services like Microsoft SkyDrive, you needed FTP software (hopefully your remote server supported SFTP or a similar secure transfer protocol) to connect to a server somewhere and dump a bunch of files. You also needed to ensure you had enough disk space and that the remote server directory was somewhat secure so the whole world could not easily view those files.
Times have changed. Numerous online services now exist that enable you to copy large quantities of data up to the “cloud” somewhere and offer ways to easily control who has access. These same services create numerous problems for companies. In this case, I am referring to data leakage or data exfiltration.
If you allow your employees to access these services while at work, what is to stop them from copying your most confidential data up to the cloud and then accessing it from anywhere? Whether ill-intentioned or not, this is a very credible risk to the confidentiality of your data.
Just like your authorized device policy (you do have one, right?), you need to have a policy that controls how cloud storage is used. If you are concerned (and I think you should be), you should block access to these sites using some type of web filtering technology or a DNS blackhole/sinkhole. The latter is easy to configure and is free; you just need to know how to configure a DNS server. Check out this link from SANS that discusses DNS Blackholing/Sinkhole for Malware to give you some ideas: http://isc.sans.edu/diary.html?storyid=9037 There is even an ISO image that has done most of the work for you. If you are a Linux guru, you could stand up a Linux server (pick your favorite flavor, mine is Ubuntu) and use the Squid proxy server with DansGuardian. It takes a little configuring, but once you have it up and running, it is quite effective. If you are not a Linux guru, look at eBox. The eBox platform has taken the requirement of having to know Linux in and out and has thrown it out the window. They have created a small business server that is easy to set up and use.
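As an added example (not from the original post or the SANS diary), here is one way to generate BIND configuration for the DNS sinkhole approach described above: one authoritative zone per blocked domain, all sharing a wildcard zone file. The domains, sinkhole IP and zone file path are constructed placeholders, not real service names.

```python
import re

SINKHOLE_IP = "192.0.2.10"           # assumption: internal host showing a "blocked by policy" page
ZONE_FILE = "/etc/bind/db.sinkhole"  # assumption: path of the shared zone file
# Constructed sample blocklist; replace with the storage services your policy covers.
BLOCKLIST = """
# cloud storage services not approved by policy
files.storage.example
Sync.Example.NET.
files.storage.example
bad_entry!.example
"""

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def parse_blocklist(text):
    """Return (sorted unique valid domains, rejected entries)."""
    valid, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        labels = entry.split(".")
        if len(labels) >= 2 and len(entry) <= 253 and all(LABEL.match(l) for l in labels):
            valid.add(entry)
        elif entry:  # skip blank and comment-only lines, record malformed ones
            rejected.append(entry)
    return sorted(valid), rejected

def named_conf(domains):
    """One authoritative zone per blocked domain, all sharing one zone file."""
    return "".join(f'zone "{d}" {{ type master; file "{ZONE_FILE}"; }};\n' for d in domains)

def zone_file(serial):
    """Shared zone: the apex and every subdomain resolve to the sinkhole."""
    return (
        "$TTL 300\n"
        f"@ IN SOA localhost. root.localhost. ( {serial} 3600 600 86400 300 )\n"
        "@ IN NS localhost.\n"
        f"@ IN A {SINKHOLE_IP}\n"
        f"* IN A {SINKHOLE_IP}\n"
    )

def is_sinkholed(qname, domains):
    """True if qname is a blocked domain or any subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)

if __name__ == "__main__":
    domains, rejected = parse_blocklist(BLOCKLIST)
    print(named_conf(domains) + zone_file(1), "rejected:", rejected)
```

The sinkhole only affects clients that resolve names through this DNS server, so it needs to be the resolver your workstations are actually configured to use.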
This post was not intended to be an extreme deep dive into cloud services and the security thereof. Rather, I just want to generate awareness of this huge hole that may exist in many organizations. The trick is to know what risks and vulnerabilities are out there, use policy to mitigate the risk and technology to enforce / confirm compliance.