How to keep terrorists, hackers and other bad guys from stealing your data
The sheer volume of digital information that businesses produce and collect today offers a greater incentive than ever for hackers to break into private online communications and company files. Recent revelations that the National Security Agency (NSA) successfully used digital snooping to foil real-world terrorist operations serves as a glowing reminder of life in the digital information age.
The dramatic leak is also a somber reminder of the fragile nature of computer security. Even disregarding concerns over NSA surveillance, small businesses need to ask themselves if their IT infrastructure can withstand potential intrusion attempts from foreign governments or organizations with deep pockets and no qualms about hacking into their networks.
One way to significantly increase your security may be to reduce your company’s reliance on third-party cloud providers. Given an inherent lack of oversight over external vendors, businesses have no viable means to accurately assess a particular cloud providers’ security posture or competence.
Moreover, cloud services may make an appealing target for sweeping, state-sponsored hacking attempts by foreign governments. And these cloud service providers could conceivably be compelled to reveal information via a secret federal subpoena.
With this in mind, here are some strategies that your businesses can consider to tighten the bolts on security and reduce your risk.
Bringing IT home: better security, but at what cost?
Bringing everything in house is the easiest way to ensure that no data can be secretly accessed. This is relatively straightforward task for popular collaboration platforms such as Microsoft Exchange Server and SharePoint, both of which are available in both cloud and onsite flavors. In some instances, a hybrid deployment model that puts highly sensitive data on an onsite server, but more generic information at a cloud location, may serve you well, too.
While the initial cost of a non-cloud approach will almost always be more costly than a cloud deployment, the maturity and available expertise in virtualization infrastructure deployment means that mid- to long-term costs should not be significantly more expensive. Moreover, the availability of more powerful computer hardware, not to mention cheap storage and RAM, means that even a relatively low-end server today is capable of running more virtual machines simultaneously than ever before.
Unfortunately, the proliferation of online services means that an onsite deployment may not always be possible. Security-conscious businesses may want to reevaluate if online-only services such as QuickBooks Online and FreshBooks are really necessary.
If that answer is “Yes,” then you should at least ensure that all communications with the online service is always conducted over an encrypted channel such as secure sockets layer (SSL). This can be set up with the appropriate configuration at the company gateway or proxy server to prohibit non-SSL connections.
Add encryption services to cloud storage
Cloud storage has garnered a big following among businesses and end users—and for good reason. The benefits are real: You can back up data to a remote location with nothing more than an Internet connection, then access this data regardless of your geographic location.
You can use cloud storage reasonably safely, provided you adhere to certain precautions-specifically, encrypt all data and perform all uploads over SSL.
While practically all cloud providers say they encrypt uploaded data, many also hold the decryption key, which renders any benefit moot. Ideally, the cloud storage provider should have no access to the unencrypted data at all. This is referred to as having zero knowledgeof the data.
SpiderOak is one vendor that encrypts data at the block level. If your business has already invested in a cloud storage service such as Google Drive, SkyDrive, or SugarSync you may want to look at Boxcryptor, which works on top of these services to add AES 256 and RSA encryption to uploaded files.
Another option is Mozy, which offers the optional capability to encrypt data with a private key. You can even nonsecure services such as Dropbox if you ensure that data files are separately encrypted prior to being uploaded.
In addition, small and mid-sized businesses will be glad to know that offsite backups are possible without having to resort to cloud services, because network-attached storage (NAS) appliances from vendors such as Lenovo Iomega and Synology offer the capability to perform device-to-device replication.
With the appropriate network infrastructure in place, there’s no reason why businesses can’t deploy redundant units at branch offices to add real-time synchronization or backup capabilities without having to invest in expensive SANs.
Protect instant messages by establishing private networks
Unprotected IM communication is also vulnerable to interception. Workers used to conducting chats via public IM networks such as AIM, Google Hangouts, or Windows Live are essentially transmitting confidential discussions, passwords, and other privileged information with no guarantees of their privacy. Moreover, many IM services also support video calls or voice chats, which serves as additional risk vectors vulnerable to snooping by unauthorized parties.
Sidestepping these glaring security shortcomings entails circumventing public IM networks entirely by establishing a private network—typically with a private IM server deployed within a corporate network.
Options include Microsoft Lync Server or an open-source alternative such as Cisco Systems’ Jabber. (Note that Lync may entail additional licensing costs, while Jabber and others may require more effort to deploy.)
Getting users to adopt a new IM service may be a bigger challenge than most businesses anticipate. AIM, Google Hangouts, and Windows Live are popular for a reason. Also note that many popular IM chat clients on both the desktop and mobile devices may not support open standards such as Jabber, while a closed platform such as Lync is typically accessible only on official clients.
Use VPN to encrypt all data transfers
The virtual private network (VPN) is another commonly ignored security component that businesses should hasten to implement. For remote workers, the capability to encrypt data communications from their laptops and desktops back to the office not only protects them from snooping at insecure Wi-Fi hotspots, it also grants remote access to resources on the corporate network.
The complexity and cost of setting up a VPN has declined significantly. Moreover, support is offered on a variety of tablets and smartphones. That said, you will need to do some research to determine what will work best. (Most leading VPN services will plug into existing directory services such as Active Directory for authentication.)
Depending on the number of VPN users your company expects at any given time, it may be necessary to deploy a beefier appliance or increase the specifications of the virtual machine to deal with the workload.
Traditional physical and virtual solutions aside, outlier offerings such as the iTwin Connect may work well for smaller organizations, too.
The iTwin makes it child’s play to create an encrypted VPN tunnel back to the corporate network. It leaves one end of the two-piece device plugged into the office desktop, with the other end plugged into a laptop outside the corporate firewall.
Businesses must stay on their toes
Allegations of snooping on government officials at the 2009 G20 summit, along with the high-profile RSA hack in 2011, offer additional insight into what governments and highly skilled hackers can pull off. Even SSL encryption may not be as foolproof as once believed, given how hackers are stealing secret encryption keys and successfully attacking digital certificate authorities.
No one is immune from hacking attempts and digital harassment. With so much at stake, the onus is on businesses to raise their security baseline by eliminating risky behaviors and implementing sound security measures. With diligence and awareness, there’s no reason for even small businesses on a modest budget can’t achieve greater security.