Have you ever stopped to consider the sensitivity and potential value of the information you have distributed using the many widely available file sharing websites?

These types of sites have seen considerable uptake in recent years, as users struggle to share large files whilst battling standard email file size and gateway limits imposed by IT departments. Many users would argue that restrictions placed on them by central IT policies leave them with no choice but to look for alternative ways to send ‘must share’ data. However, although these sites may seem easy to use, they also pose a considerable data security and compliance risk to corporate networks.

Understanding the Data Security Threats

While many file transfer sites claim to have invested heavily in security and authentication mechanisms designed to keep user data safe, recent stories in the press have caused many to question this:

www.bbc.co.uk/news/technology-26969629

www.computerweekly.com/news/2240160676/Unsafe-password-practices-cause-Dropbox-spam-scare

www.computerweekly.com/news/2240204366/Dropbox-can-be-hacked-say-security-researchers

Typically, security breaches can be traced back to one of the following causes – or in some cases, both.

Access control

By their very nature, consumer file transfer sites have been designed with ease of access in mind. Internal and external access to documents and information enables users to share content and work collectively on files, which in turn offers substantial efficiency and cost-saving potential. However, if insufficient access control mechanisms are put in place, the risks to data protection can be significant.

In many cases, once a user has gone through the initial authentication process steps, there is nothing to stop them from sharing personal or commercially sensitive data with an extended group of external third parties. Additionally, with no auditing or tracking capabilities, in many cases an organisation’s IT team will have little to no visibility over what information has left the corporate network.

This reduced control also extends to the types of devices and applications that are used to access the data. With links being forwarded to different email addresses, for instance, sensitive information can be downloaded onto personal laptops. This is a concern not only because of potential malware or viruses on these devices, but also because individuals can continue to access certain information after they have left a project, or even the company.

The hacker / cyber security threat

The recent disclosure of the Heartbleed bug and the ease with which hackers have bypassed the security / authentication mechanisms of many websites that were previously perceived as secure raises a more fundamental security concern. As Dropbox found out when they were hacked two years ago, the consequences of unpermitted users gaining access to unencrypted data can be disastrous. An attentive reading of the security credential webpages of many file transfer service providers shows that although they may have taken steps to protect data in transit using TLS, very few have taken steps to encrypt information at rest.

A Secure Approach to File Transfer

These factors pose significant threats to data security – however, they shouldn’t be used as excuses to avoid effective file sharing through Cloud-based service providers. Organisations should be able to take advantage of the benefits offered by file transfer sites, such as time and cost efficiencies, without compromising their data security.

Investment must be made in suitably secure platforms. Sensitive data needs to be encrypted both in transit and at rest, and appropriate access control mechanisms need to be implemented so that organisations and central administrators have full visibility and control over who accesses information – including the ability to restrict the access rights of those no longer relevant to the project, such as ex-employees.

In addition, independent certification can provide further reassurance for users and their IT departments. CESG’s Foundation Grade CPA programme, for example, certifies commercial security products for use by government, the wider public sector and industry in lower threat environments. Products that are awarded this certification have to meet a detailed set of characteristics and security principles, and as such, demonstrate that the technology and supporting business processes behind them can be fully trusted to protect sensitive information during the data sharing lifecycle.

Managing File Transfer Services

Aside from data security concerns, file transfer sites can also present service management and integration issues. For many, these sites are seen as separate from traditional email and online collaboration solutions, which means they are procured, developed and managed differently, with solutions kept in isolation from one another. The result is data silos, system complexity, unnecessary costs, additional ongoing management overhead, and low end-user take-up.

In the absence of a centralised solution, various file transfer sites are often used on an ad-hoc basis, again making it difficult for IT staff and senior management to maintain visibility over what information is being shared where and with whom. Similarly, managing multiple sets of credentials for separate email and file transfer services can create problems for users, who may resort to using insecure websites as a solution. Not only does this risk a data breach but it also impacts efficiency – one of the reasons these services are used in the first place.

An Integrated Approach to File Transfer

To simplify this process and increase centralised control over the information that employees are sharing with external third parties, an integrated approach to data management needs to be taken. This involves procuring file transfer solutions as part of a broad information sharing platform that also includes secure email and collaboration functionality. Moreover, it is also important that these services sit well within an organisation’s existing infrastructure to improve workflow and business processes.

Benefitting from Cloud Services

File transfers shouldn’t be an issue that makes senior management and IT departments uncomfortable. Visibility over personal and commercially sensitive information shared with third parties shouldn’t be sacrificed to benefit end-user ease of use, and similarly, workplace efficiency should only be impacted positively by file transfer solutions.

The benefits of Cloud services, data protection, and an integrated approach to secure communication shouldn’t be mutually exclusive.