Something I say in customer meetings a lot is that unstructured data isn’t glamorous. In a world where people are talking about machine learning, IoT, the latest vulnerabilities and exploits, and other cutting-edge stuff, files and folders don’t get a lot of air time. If you’re reading this blog, though, you know these uncool bits of data are potentially dangerous and need attention. That leads to an interesting effect in meetings. Often prospects and customers will ask us what we are seeing out there. People don’t get many chances to hear thoughts about unstructured data. One thing people ask about a lot is the big names in storing unstructured data in the cloud. They want to know who others are using and why. They ask what security approaches others are using. They’re hoping to validate their own choices or find guidance for programs they are looking to launch.
Recently, I have run into a bunch of customers and a couple of prospects all using Box. It has been interesting to learn a bit about how they have approached things, and, without naming names, I would like to share some of what I have learned. Before this recent run of Box, the majority of what we have seen is Office 365 – SharePoint Online and OneDrive. In most cases, this has been less of a choice and more of a platform play. These people didn’t choose OneDrive, they chose Office 365 and that was part of the deal. What has been interesting about a couple of these recent Box customers is that they were also Office 365 users. They both shared the same timeline to explain this. They had a rash of users using many different file sharing services. They knew they couldn’t put that genie back in the bottle, but they wanted to gain some control. So they standardized on Box, worked on rolling that out to everyone, and then started to put controls in place to prevent use of the other services. Later they came to us to gain visibility into how people were actually using the new, organizationally standardized Box offering. Their move to Office 365 came later, after Box was firmly in place.
We have seen a few examples of those who were on Office 365 and then brought in one of the other file sharing players, but that seems rare. One of those I spoke with shared that they had two reasons for making that move. They are a high-tech shop, and they wanted some features they couldn’t get without Box. Some of it was end user things like the client support and integrations with other apps. But for the IT side the difference was about APIs. The Box API is powerful. When I’m asked about new features for Box and the other players in cloud file sharing, I always point out that we’re at the mercy of the APIs. If the data is in the API, we can get it. Box puts a lot of data in their API, and, more than that, they have many ways to move, manipulate, and access the data stored there. That means lots of apps and integrations. Of course, the other players have good APIs as well. It seems Box is in a narrow lead over the others right now, though.
STEALTHbits is about security. So customers always ask me about security approaches. Sometimes that conversation starts off with “you would *never* recommend using these cloud services, right?” That is always awkward because I feel just about the opposite. Microsoft, Dropbox, Box, and the others in this space have a lot more focus on the security of your unstructured data than most of the people who do it as a necessity in their spare time. “But what about all those Amazon S3 breaches?!?!” I know. But, when you analyze those and the vast majority of the breaches involving cloud file sharing, you quickly see most of it is abuse of features. Or, put another way, it’s user error. Let’s say you took a Windows file share, exposed it to the Internet, and set the security policy so that any user – authenticated or not – can read the data. If that sounds stupid, then you understand why most of these breaches have happened. That’s what people did. So the number one thing I tell folks about security with cloud file sharing is: please use it. Much as the default position for a file share has been open access for decades, you can set up a Box folder with a link that lets anyone access the data. But please do not. Being able to send someone a sharing link so they can get to the data without your having to provision an account is one of the cool things about cloud file sharing. Once they use it, though, you should get rid of it. Auditing your Box account to find open sharing links like this is one of the things I tell folks they need to do right away.
After the twist about the idea of security being OK in cloud file sharing and watching for open shares created in this new cloud way, the conversation about security turns to all the usual stuff. You want to tie the authentication to something you can control. You want to watch for overprovisioned accounts and accounts that amass privileges as they change roles. You want to look for sensitive data in the files and make sure those files get extra protection. With the possibility of users outside your organization having access through accounts you give to joint venture partners, suppliers, or others, all this granular auditing takes on a whole new importance. Thanks to the in-depth visibility the Box APIs provide and solutions like StealthAUDIT, that’s all manageable.
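As an added example (not part of the original post or any STEALTHbits product), here is the core of the two audits described above, the hunt for open sharing links and for collaborators outside your own domain, run over a constructed folder tree shaped like Box API folder items. The `shared_link.access` values `open` and `company` are real Box values; the inlined `collaborations` list and the logins are assumptions made so the example runs offline (in the real API, collaborations come from a separate endpoint).

```python
"""Audit a Box-style folder tree for open links and external collaborators."""
from typing import Dict, Iterator, List, Tuple

# Constructed sample mirroring Box folder items. Each item may carry a
# "shared_link" with an "access" level; "collaborations" is inlined here
# for the example rather than fetched per folder as the real API requires.
SAMPLE_TREE: Dict = {
    "type": "folder", "id": "0", "name": "All Files", "shared_link": None,
    "collaborations": [],
    "item_collection": {"entries": [
        {"type": "file", "id": "101", "name": "board-deck.pptx",
         "shared_link": {"url": "https://example.box.com/s/abc", "access": "open"},
         "collaborations": []},
        {"type": "folder", "id": "200", "name": "Vendor Project",
         "shared_link": {"url": "https://example.box.com/s/def", "access": "company"},
         "collaborations": [
             {"role": "editor", "accessible_by": {"login": "pat@partner.example"}},
             {"role": "viewer", "accessible_by": {"login": "sam@corp.example"}}],
         "item_collection": {"entries": [
             {"type": "file", "id": "201", "name": "contract.pdf",
              "shared_link": {"url": "https://example.box.com/s/ghi", "access": "open"},
              "collaborations": []}]}},
    ]},
}

def walk(item: Dict, path: str = "") -> Iterator[Tuple[str, Dict]]:
    """Yield (path, item) for every file and folder, depth first."""
    here = f"{path}/{item['name']}"
    yield here, item
    for child in item.get("item_collection", {}).get("entries", []):
        yield from walk(child, here)

def find_open_links(root: Dict) -> List[str]:
    """Paths of items whose shared link admits anyone holding the URL."""
    return [p for p, it in walk(root)
            if (it.get("shared_link") or {}).get("access") == "open"]

def find_external_collaborators(root: Dict, org_domain: str) -> List[Tuple[str, str, str]]:
    """(path, login, role) for collaborators whose login is outside org_domain."""
    suffix = "@" + org_domain.lower()
    return [(p, c["accessible_by"]["login"], c["role"])
            for p, it in walk(root) for c in it.get("collaborations", [])
            if not c["accessible_by"]["login"].lower().endswith(suffix)]

if __name__ == "__main__":
    for p in find_open_links(SAMPLE_TREE):
        print("open sharing link:", p)
    for p, login, role in find_external_collaborators(SAMPLE_TREE, "corp.example"):
        print(f"external {role}: {login} on {p}")
```

Against live data, the same two functions work unchanged once you page through `GET /folders/:id/items` (requesting the `shared_link` field) and attach each folder's collaborations; anything that comes back in `find_open_links` is a link to remove once its recipient is done.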
At this point, you may be thinking this all sounds a whole lot like the same concerns we had about unstructured data on-premises. I know putting “cloud” in front of something is supposed to make it somehow magical, but I’m afraid files are files no matter where you store them. There are some twists, and new platforms give you new ways to do the old tasks (I love a good REST API, too). In the end, though, these conversations with Box clients start to boil down to this: “How do I get the same levels of control and visibility I had for my on-premises systems with these cloud file sharing platforms?” What makes me smile is when I run into folks who had absolute chaos on prem and are now applying good controls for the first time as they move to one of these new platforms. They naturally give all the credit to the new platform. I never contradict this. I’m just happy to see good security wherever I can get it.
Jonathan Sander is STEALTHbits’ Chief Technology Officer (CTO). As CTO, he is responsible for driving technical innovation, ensuring that STEALTHbits is well positioned in their current and emerging markets, and he will also lead corporate development efforts. Jonathan also plays the role of evangelist at STEALTHbits venues large and small. Prior to STEALTHbits, Jonathan was VP of Product Strategy for Lieberman Software.
As part of Quest Software from 1999 through 2013, he worked with the security and ITSM portfolios. He helped launch Quest’s IAM solutions, directing all business development and product strategy efforts. Prior to that, Mr. Sander was a consultant at Platinum Technology focusing on security, access control, and SSO solutions. He graduated from Fordham University with a degree in Philosophy.