Many businesses struggle to educate their staff on how cloud storage works and how to use it appropriately. Cloud storage providers want to drive usage and adoption, so they offer generous storage limits and super-simple integration. When businesses need to ensure compliance with data security standards like HIPAA, SOX, FISMA, or PCI-DSS, taming cloud storage can be a challenge.
Consider Office 365, where most subscriptions include a terabyte of OneDrive storage and a desktop tool that makes it as easy to use as a synchronised folder. When this is coupled with Microsoft’s push for businesses to adopt Office 365 and executive pressure to see value from cloud services, it often results in a fast-tracked Office 365 rollout despite risk and compliance concerns and a lack of education within the organization.
The consequence of easy cloud storage, lack of control and lack of education is lots of sensitive files stored in potentially thousands of personal and shared drives, with limited tools for finding, classifying and remediating those files, and limited tools for understanding the exposure and the extent of sharing that has occurred.
With Skyfence’s latest release, there is now a great tool to help put the cloud file genie back in the bottle. Skyfence uses the APIs of cloud storage services to scan the content of a file and classify it according to your specific compliance requirements. This approach is supported by the cloud app provider and relatively easy to deploy. There are lots of classifiers built into Skyfence for PII, PHI, and more. This can help remove the need to assess cloud storage providers for compliance.
There’s even a flexible language to define your own classifiers. For example, if your R&D department had a codename for a market-disrupting secret project (e.g., Compu-Global-Hyper-Mega-Net), then a data type can be defined as this codename or its acronym (CGHMN) within a proximity of 100 characters for the existing data type “Business Confidential Information.” Armed with this, the legal and risk folks can rest easier knowing that secret projects are not sitting in the cloud service, ready to be shared with unauthorized users.
The data type definition language supports Boolean logic, regular expressions, proximity, occurrences, validators for things like Luhn and modulo checksums, and references to existing types, so you can reuse the existing library. Check out the screenshot below to see some of the built-in data types.
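To show how those building blocks combine, here is an added Python example; it is not Skyfence's definition language or code. It implements the codename-within-100-characters rule from the paragraph above plus a Luhn-validated card-number type with an occurrence threshold. The "Business Confidential Information" pattern, the card-number pattern and the label names are assumptions.

```python
import re

# Assumptions: the codename comes from the article; the "Business Confidential
# Information" and card-number patterns are stand-ins, not Skyfence's own.
CODENAME = re.compile(r"\b(?:Compu-Global-Hyper-Mega-Net|CGHMN)\b", re.I)
CONFIDENTIAL = re.compile(r"\b(?:business\s+confidential|internal\s+use\s+only)\b", re.I)
CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")
PROXIMITY = 100  # characters, as in the article's example


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def within(a: re.Match, b: re.Match, limit: int) -> bool:
    """True if the edge-to-edge gap between two matches is at most limit."""
    gap = max(a.start(), b.start()) - min(a.end(), b.end())
    return max(gap, 0) <= limit


def classify(text: str, min_cards: int = 1) -> set[str]:
    """Return the labels of every data type that matches the text."""
    labels = set()
    names = list(CODENAME.finditer(text))
    marks = list(CONFIDENTIAL.finditer(text))
    # Reference + proximity: codename near a match of an existing data type.
    if any(within(n, m, PROXIMITY) for n in names for m in marks):
        labels.add("secret-project")
    # Regex + validator + occurrences: only checksum-valid candidates count.
    cards = [re.sub(r"\D", "", m.group()) for m in CARD.finditer(text)]
    if sum(luhn_valid(c) for c in cards) >= min_cards:
        labels.add("payment-card")
    return labels


# Constructed sample documents.
NEAR = "BUSINESS CONFIDENTIAL. Q3 roadmap for CGHMN launch."
FAR = "Business confidential memo." + " filler" * 30 + " Lunch with the CGHMN team."
CARDS = "Test card 4111 1111 1111 1111, order ref 1234 5678 9012 3456."
```

The validator is what keeps the 16-digit order reference in `CARDS` from counting as a card number, and the proximity window is what keeps `FAR` from being flagged just because both terms appear somewhere in the same file.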
You’re probably thinking that scanning all that data is a huge task and will take a long time. Fortunately, the engineering team at Skyfence is experienced with handling large data sets and has built a smart, scalable scheduler, which can scan through vast amounts of information and classify it according to applicable regulations, industry standards, or business policies.
You can elect to scan all user accounts or just those accounts associated with the known “bad actors.” The scan results are easily analysed to find the data owners and can be exported for use by other systems. Information Security admins can even review the content if they’ve got the appropriate level of permissions.
All of this activity happens “offline” (i.e., using the APIs of the cloud storage providers). It’s easy to deploy and a great way to dip your toes in the water if you’re new to cloud security.
So what are the next steps?
Deploy Skyfence and discover other cloud apps in use, identify users and departments, check the configurations of those apps, and provide real-time activity auditing and real-time protection via risk-based policies for blocking, enforcing step-up authentication, or even locking out an account. This means that sensitive file uploads can be stopped before they get to the cloud, helping you stay compliant.