SafeMonk Betas 'Tapproof' Encryption - Discusses Need for Strong Encryption and Authentication

July 18, 2013
By: Peter Bernstein

The challenge for IT professionals as a result of the Bring Your Own Device (BYOD) phenomenon and the virtualization and mobilization of the workplace is that securing the enterprise has become exponentially more complicated in just the past few years. This is a multi-headed hydra. It has resulted in what I have previously called “IT Anarchy” breaking out.

IT is now confronted with:

In fact, studies show that not only is IT not trusted, but that distrust is growing with regard to how an individual’s personal information is used or abused.

Trust and balance need to be restored, and the security industry is working hard on providing the tools required to do so.

Part of the industry’s efforts to provide the right tools and help restore trust is illustrated by an interesting initiative by security industry leader SafeNet. Earlier this year, SafeNet founded SafeNet Labs, a technology incubator dedicated to developing next-generation solutions to some of the biggest problems facing information security. In case you missed it, a few weeks back SafeNet Labs announced the release of the beta version of SafeMonk, a "tapproof" encryption solution designed specifically for users of the file-sharing service Dropbox™. The reason this commands attention is, as SafeNet says, “SafeMonk is believed to be the only Dropbox security solution available that is tapproof, meaning no one has access to the files without your approval—not big brother or little sister, not Dropbox, or even SafeMonk. We mean it—tapproof.”





Tackling the “Dropbox Effect”

More than 100 million people use the popular Dropbox service because of its ease of use and convenience for file sharing, collaboration, and backup. That makes Dropbox a target of opportunity for hackers. SafeMonk was designed to give Dropbox users (and, when fully commercialized, users of competitive third-party services, as SafeNet follows its desire to drive broad adoption) a way to ensure their information and privacy are, in a word, SAFE.

"Our goal is to allow the CIOs of the world to say 'yes' to Dropbox for the enterprise. We recognize that Dropbox's efficiency and usefulness will only make it more prevalent among the workforce, so making the service more secure through tapproofing is a better and more realistic option than discouraging or forbidding people from using it," said Chris Holland, Chief Monk, SafeMonk. "SafeMonk offers a powerful solution for Dropbox security without affecting its simplicity or functionality."

According to recent research on file synchronization and sharing from Gartner, Inc., "the best products also ensure that files leaving the sharing location are encrypted and only readable by those authorized to access the data."

SafeMonk is a “host-proof” encryption technology: it ensures that only the user holds the key used to encrypt and decrypt files within SafeMonk, and that this key is never exposed to SafeMonk or Dropbox. In order to gain access to the files, the requester must go straight to the source, the user. The keys stored on SafeMonk servers are encrypted with users' private and local keys, so in the event of a system breach or a subpoena request, SafeMonk user keys are protected and the files are not viewable.
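The host-proof model described above, as an added illustration that is not SafeMonk's code or design: a random file key encrypts the file, and the host stores that key only after it has been wrapped under a key derived on the client. The passphrase-based derivation, the function names and the sample data are assumptions made for this example.

```javascript
// Added illustration of a host-proof key hierarchy; NOT SafeMonk's implementation.
const nodeCrypto = require('crypto');

// AES-256-GCM helpers. Blob layout: iv (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Client side: key-encryption key derived from a secret that never leaves the device
// (a passphrase here, as an assumption).
function deriveKek(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Client side: the returned record is everything the host ever stores.
function clientUpload(passphrase, fileBytes) {
  const salt = nodeCrypto.randomBytes(16);
  const fileKey = nodeCrypto.randomBytes(32);
  return {
    salt,
    wrappedKey: seal(deriveKek(passphrase, salt), fileKey),
    ciphertext: seal(fileKey, fileBytes),
  };
}

function clientDownload(passphrase, record) {
  const fileKey = unseal(deriveKek(passphrase, record.salt), record.wrappedKey);
  return unseal(fileKey, record.ciphertext);
}

// A breach or subpoena of the host yields only the record, not the passphrase.
function canDecrypt(record, passphrase) {
  try { clientDownload(passphrase, record); return true; } catch { return false; }
}

const record = clientUpload('constructed-passphrase', Buffer.from('constructed sample file'));
console.log(clientDownload('constructed-passphrase', record).toString());
console.log(canDecrypt(record, 'wrong-guess'));
```

In this arrangement the strength of the scheme rests on the client-held secret, so a weak passphrase can still be guessed offline from a stolen record.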

In a recent survey conducted by SafeNet Labs, more than 55 percent of respondents in charge of their company's security said the uncertainty around the Dropbox infrastructure, and susceptibility to attack, makes them the most hesitant to allow employees to use the service. Despite this, 91.7 percent of respondents use the service anyway.

How it works

To use SafeMonk, the user simply downloads the app, which seamlessly creates an encrypted SafeMonk folder in the service. Once an account is created, files the user wishes to secure are selected and dropped into the SafeMonk folder where they cannot be tampered with. Plus, opening, editing, and Dropboxing with SafeMonk is fast (Dropbox fast); it recognizes and applies encrypted edits with the same speediness as non-encrypted edits. Unlike most file-sharing security solutions, SafeMonk offers account recovery via a one-time recovery key if passwords are lost or forgotten.

Encryption is key

Pardon the double entendre in the heading above, but the reality is that if trust is to be restored in both directions—IT trusts that content being accessed is trustworthy and users have the control they desire as to who else might be looking at their stuff—encryption is important and the needs of everyone must be taken into consideration.

I had an opportunity to discuss the issues of trust restoration and the criticality of encryption with David Etue, Vice President of Corporate Development Strategy at SafeNet, recently and he provided insights and food for thought as to where we are and the path forward.

Etue noted that enterprises need to take a holistic approach to data protection, and that BYOD has served as a massive sea change that is forcing the issue. 

Etue said the current situation feels like a “long drunken IT bender,” and it’s time that organizations adjust and find “Cloud Serenity.” This encompasses the fact that as a result of BYOD and the cloud, the old approach to enterprise security of securing the perimeter is gone. “IT must assume that the network perimeter will be breached,” he stated. “Two critical matters arising from this are that IT needs to be transforming its security spend beyond firewalls, intrusion protection, etc., and moving toward employing strong identity/authentication, better data protection capabilities (including making more use of encryption), improved application security, and better security management and incident response.” 

“It all starts with identity,” Etue continued. “SafeNet has great products in this space to assure that the user is who they say they are. Without that initial authentication, everything else becomes problematic.”

Where encryption comes in is in the protection of that data (apps, content, etc.) when it is on the move. As Etue observes, “This has become more complicated as the number of vectors has increased and endpoints have become extensions of the data center and cloud environments, public, private and hybrid. What has become IT’s challenge is how to have secure mobile endpoint interactions with centralized business intelligence. That is why encryption has become so critical.”  

He noted that BYOD in particular has been a forcing mechanism for changing the approach to security as well as an opportunity because, “Making use of the phone as an authenticator is a big deal and makes a lot of sense on several scores. It is why device management is so important, but it is also how users experience the world and hence is at the intersection of that need for balance between IT needs for visibility as to who, what, where, why and when people, apps and content are being used, and the users’ desire to have access to what they need to do their jobs with some degree of control over the privacy of their interactions.”

Etue discussed why, because of BYOD, the consumerization of IT and the use of the cloud in its various manifestations are inevitable, and why organizations must embrace rather than fear them in a context where traditional controls are no longer adequate to provide protection. As he says, “authentication and encryption will drive those environments.”

This leads to a really important question, “Who can and should control the keys?”      

If the goal of a “high assurance” world is striking that balance referred to previously, encryption key management becomes a foundational issue. In fact, the reason the SafeMonk beta should command your attention is that it is a nice example of how that balance can be established. 

Employing a variety of mobile device management (MDM), mobile applications management (MAM), and network software performance management capabilities, along with strong individual authentication, gets you partly there in terms of IT having visibility, contextual awareness and control. However, the missing link in trust restoration has been in terms of what’s in it for the user. SafeMonk says that what’s in it is the ability to have access to critical information whether it resides on corporate resources or on third-party ones.

Can IT Anarchy be ended? The short answer is yes. The longer one is that a number of challenges need to be addressed. These include the enterprise taking a holistic approach to overall communications and computing risk management where all stakeholders have their say about priorities and timetables for deploying mitigation capabilities (proactive, as well as reactive). It also entails not just the creation of strong policies and rules, but comprehensive end-user education and, ultimately, consequences for improper actions.

As noted several times, this is about finding a balance between IT’s need to know so they can detect and remediate problems quickly and effectively and user desires to use what helps them perform at their best without fear of their privacy being compromised. SafeNet is squarely focused on the needs of both sides of the equation.




Edited by Ryan Sartor

