The following articles were authored by The Axway Blog Team
Dr. Larry Ponemon: Achieving Security in Workplace File Sharing

This is a transcript of The Axway Podcast of the same name.


PONEMON: We find that about 80 percent of our respondents, therefore almost all of our respondents, see the need to secure documents, especially documents containing intellectual property. The company secret sauces. Business information, for example, that in the wrong hands could be a big problem. Respondents in our study consider the loss of intellectual property to be by far the most negative consequence of insecure file-sharing tools. Even though it’s a big problem, and it’s viewed as a big problem, it seems to happen regularly. That’s another finding of this study.

ANNOUNCER: From Phoenix, Arizona, this is The Axway Podcast. Here’s your host, Mike Pallagi.

PALLAGI: In January 2014, The Ponemon Institute — an institute dedicated to advancing responsible information and privacy management practices in business and government — presented the findings of “Achieving Security in Workplace File Sharing,” a study that focused on the practice of public cloud file sharing in the workplace, threats to corporate information, and the features most desirable in achieving security in the sharing of files and documents. Next week on November 18th, Dr. Larry Ponemon, chairman and founder of the institute, will join Dave Butcher, Axway’s Senior Director of Managed File Transfer Solutions, for a candid webinar about the study. So to give our readers and listeners a little preview of the webinar, I caught up with Dr. Ponemon and asked him some questions. First, what did the study find?

PONEMON: What we find in our study is data breaches involving company data, stored in a public cloud environment, are likely to go undetected. This is a big problem for companies, as well as for regulators. Only 11 percent of our respondents say they would be very likely to know if sensitive or confidential information was even lost or stolen as a result of a data breach. So one way of looking at that is that 89 percent, if my math is correct, basically would be not necessarily likely, or maybe unlikely, to know whether or not data was lost or stolen as a result of a data breach. As it would happen, obviously, in a public cloud environment, I think that’s where the most risk is.

PALLAGI: What about employee use of file-sharing tools?

PONEMON: This is a very important issue, obviously. In an organization where you have hundreds, if not thousands, of employees running around doing their job, what we basically find is that employees’ decisions to use certain file-sharing tools — including cloud-based tools that, as I mentioned before, may be insecure — are made without guidance or oversight from the organization. Only 50 percent of our respondents say their organizations have a policy that informs them about approved file-sharing tools. In other words, about half even have a policy, an acceptable use policy.

PALLAGI: Of those who do have a policy, what do they say about the state of their policy enforcement?

PONEMON: So if you do the math, it’s like half don’t have a policy, but those that do, almost half, 48 percent, say that policy is not enforced. And if a policy is not enforced, it means the policy is not really a policy. We also find that 69 percent of our respondents are not likely to know whether employees are even using unapproved and risky file-sharing tools. Even if you have a policy, and even if the policy is not enforced or enforced, there’s a very high percentage of companies that acknowledge the fact that they don’t have the wherewithal to know whether an employee is doing something…not nefarious. Again, good people make mistakes. We say good people do stupid things in the workplace, and it seems to happen a lot in the file-sharing arena.

PALLAGI: Popular cloud sharing services have created problems for IT departments and their organizations for a while now. What were the survey’s findings on that issue?

PONEMON: About half of respondents, in our study, in fact exactly 48 percent, believe that popular cloud-sharing services are, quite frankly, not suitable for business use. But they would worry less about the security of confidential documents in these insecure environments if the data’s encrypted. Especially if it’s encrypted and the encryption keys are in their control rather than in the hands of the cloud provider, and storage was segregated, not shared with other tenants, unlike, for example, servers or at the rack level. If we were able to control the physical storage location and have encryption with key management in the hands of the company, that would go a long way in reducing the concern that people have. But still, it doesn’t solve the problem completely.

PALLAGI: Here’s what Dr. Ponemon had to say about corporate culture as a security challenge.

PONEMON: Corporate culture, in almost all of our Ponemon studies, is a barrier to achieving security in the workplace. And it’s true in the security of workplace file-sharing applications. Fifty-eight percent of respondents say their organizations place more importance on employees’ productivity than they do on security of corporate data. Not to say that corporate data, or the security of corporate data, is not important. But it’s really about employee productivity and enabling them to do all of the cool things that they want to do in the workplace. With the tools that they like, usually. So, with that being said, many of our respondents believe that the use of file-sharing tools increases worker productivity and efficiency. So it’s the yin and yang: on the one hand, we want people to be mindful of security issues, but we want them to do it in ways that do not diminish their productivity and, quite frankly, that can be a problem.

PALLAGI: To minimize the risk, Dr. Ponemon suggests that one solution that would work for many companies would be to provide an approved file-sharing tool.

PONEMON: In fact, 62 percent of our respondents believe providing an approved file-sharing tool would reduce employee use of public cloud. If we have a tool that basically has the same functionality as our favorite file-sharing tools that operate in a public cloud environment, I think a lot of people would recognize the fact that these in-house tools should be used first and foremost. And it would probably reduce demand for basically going outside the organization’s perimeter and choosing tools that are, in fact, creating great security problems. So I think that is kind of a natural. And I think a lot of companies are waking up to the fact that they need to have something that is secure but doesn’t diminish the productivity of the employee.

PALLAGI: Any thoughts about the upcoming webinar?

PONEMON: We have lots of very interesting, and I’ll call them cool, findings. And I think it’s going to be enjoyable for the members of our audience. I would also encourage our audience members to ask good questions. A good webinar happens because you have a good speaker and you have really good questions, otherwise known as a good audience. So we really look forward to a great event. It should be fun.

To sign up for the webinar, please click here.

To read the report in its entirety, please click here.

The Grey Market

This is a transcript of The Axway Podcast of the same name.

CHAUGHTAI: “Grey market” refers to legal goods which are sold outside the normal distribution channels. And they’re done without having any relationship with the producer of that good directly. This frequently follows the form of what is called parallel trading or parallel importing. Entrepreneurs basically buy the products. They’re available cheaply. And then take the product and offer it for retail in their designated areas to actually gain significant profit from those products. It’s mostly doable because those products are not directly available in those markets.


ANNOUNCER: From Phoenix, Arizona, this is The Axway Podcast. Here’s your host, Mike Pallagi.

PALLAGI: While a channel partner has a clear responsibility to adhere to the terms and conditions of partner programs, the burden of enforcing those T&Cs ultimately falls on the organization itself. So how, I wondered, can a track and trace solution help an organization protect its profits and brand equity by detecting potential “grey market” product diversion? Here’s Atif Chaughtai, Axway’s director of solution marketing for the Healthcare industry.

CHAUGHTAI: Because of the nature of the grey market, it is difficult or impossible, in some cases, to track the precise number of grey market sales. It’s hard to put a finger on “Okay, how many millions of dollars of grey market sales is happening for a particular product?” Importing — there are certain legally restricted items, such as prescription drugs. Drugs or firearms would be categorized as black market, as with smuggling the goods into the target countries to avoid import duties. Some prescription medication, most modernly popular and branded, can have very high prices in comparison to the cost of transporting those drugs there.

PALLAGI: I asked Atif to give us an example.

CHAUGHTAI: If you look at the drugs that are being distributed in Canada, it’s much more expensive than the drugs that are in the U.S. This varies from country to country. It’s mostly because a government has negotiated specific prices in their market or in their country. This opens up the potential for savings by the consumer to purchase these drugs from Canada or between the U.S./Canadian borders for significantly lower prices than the same drugs would cost in the U.S. pharmacies.

PALLAGI: What this situation calls for, Atif says, is a solution that allows you to integrate your supply chain from the manufacturers to the distributors. A solution that provides end-to-end visibility. You’ve probably heard about this idea before — end-to-end visibility. But what does it mean? What does it mean to actually integrate your supply chain? Here’s Atif again.

CHAUGHTAI: To actually leverage your massive product data, which might be in an ERP system, your line systems that are being used in the data manufacturing facility or in distribution facilities, along with your inventory systems. Or any other system that has captured the data about your production and about your distribution. We can actually bring it all together and give you a 360-degree view of what’s happening in your supply chain in real time or near-real time. Why real time or near-real time is important is because you want to be able to detect these things right there and then and stop it. There’s no point in chasing the diversion after even three months or six months after it has happened.

PALLAGI: It’s about monitoring all of these different data sources in real time and applying business rules to them, so that any problems can be detected, like product diversions, for example.

CHAUGHTAI: Let’s talk about what happens in the field investigation. Either you have an audit company that you have hired to actually check for these kinds of conditions throughout your supply chain, or a retailer who has gotten a product from a pharmacy that might have gotten products, and they are suspicious of the origins of the product or the distributors that were involved. They actually all need to have a way to authenticate the product that they have received. Now, with the emerging regulations around the globe, the U.S. has the (Drug) Supply Chain Security Act, and in Brazil, it’s ANVISA, that is promoting serialization and visibility into… visibility and identification into the whole manufacturing-through-distribution process. Then actually leverage some of these regulations that are in place to provide capabilities to these third parties either through a portal, where they can simply log in and type in a product identification, that might be a combination of serial numbers or other encoded information on the bottle to authenticate with your master data and your events data that you have captured throughout the supply chain to verify that this product is real and it is coming from the manufacturer directly or the authorized distributor directly.

PALLAGI: Another aspect would be to actually leverage an automated authentication by using a solution that can expose data to certain APIs. You probably know that APIs are becoming extremely common throughout tech industries. Well, these APIs can allow you to pull off various moves, like authenticating product and sharing information that you’d want your consumers or the dispensers to have. I asked Atif one more thing: How can a manager use a track and trace solution to quickly detect anomalies? What capabilities should she expect from a track and trace solution?

CHAUGHTAI: …the capability to define business rules, and define scenarios through those business rules. Those scenarios are basically your standard operating procedures or your normal business work. In real time, when we are collecting information from the supply chain, and those events are coming in, we can run those business rules and do correlation on the information coming in to identify any data that constitutes an anomaly outside of the norm or the normal behavior that we have defined in the standard operating procedures. Once we detect an anomaly, we can notify a manager that there is something outside the norm — doesn’t meet the normal behavior, doesn’t meet the thresholds you have set — to identify and quickly act on those anomalies.

To learn more about the DQSA and whether a cloud global traceability and compliance service is right for your business, please click here.
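The two capabilities Atif describes in the second transcript, authenticating a serial against master data plus captured events, and running business rules over the incoming event stream to flag anomalies such as diversion, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not Axway's code or a description of its product. The event types, the master-data table, the serial numbers, the party names and the rule names are all constructed for the example.

```python
"""Added example (not Axway's product or code): a minimal track-and-trace
rule engine that correlates constructed serialization events to flag
diversion-style anomalies and to answer a portal-style authentication query.
All serials, markets, parties and rule names below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # constructed monotonic timestamp (arrival order)
    serial: str   # product serial as encoded on the pack
    kind: str     # commission | ship | receive | dispense
    market: str   # market where the event was recorded
    party: str    # hypothetical party identifier that recorded the event


# Constructed master data: serial -> market it was commissioned for.
MASTER = {"SN-1001": "US", "SN-1002": "US", "SN-1003": "CA"}

# Constructed event stream, as it would arrive from plants, distributors and dispensers.
EVENTS = [
    Event(1, "SN-1001", "commission", "US", "mfg-plant-1"),
    Event(2, "SN-1002", "commission", "US", "mfg-plant-1"),
    Event(3, "SN-1003", "commission", "CA", "mfg-plant-1"),
    Event(4, "SN-1001", "ship", "US", "mfg-plant-1"),
    Event(5, "SN-1001", "receive", "US", "dist-us-1"),
    Event(6, "SN-1001", "dispense", "US", "pharmacy-us-7"),
    Event(7, "SN-1002", "ship", "US", "mfg-plant-1"),
    Event(8, "SN-1002", "receive", "MX", "dist-mx-2"),       # received outside its market
    Event(9, "SN-1003", "dispense", "CA", "pharmacy-ca-3"),  # dispensed with no custody chain
    Event(10, "SN-9999", "dispense", "US", "pharmacy-us-7"), # serial unknown to master data
    Event(11, "SN-1001", "dispense", "US", "pharmacy-us-8"), # same serial dispensed twice
]

EXPECTED_CHAIN = ["commission", "ship", "receive", "dispense"]


def run_rules(events, master):
    """Apply the business rules in arrival order.

    Returns a list of (rule_name, serial, ts) alerts. Rules, in priority order:
      unknown_serial     - event for a serial never commissioned (possible counterfeit)
      market_mismatch    - receive/dispense recorded outside the commissioned market
      duplicate_dispense - a serial dispensed more than once (cloned code)
      missing_custody    - dispense seen before any receive event for that serial
    """
    alerts = []
    history = defaultdict(list)  # serial -> events already correlated
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.serial not in master:
            alerts.append(("unknown_serial", ev.serial, ev.ts))
            continue  # nothing further to correlate against
        kinds = [e.kind for e in history[ev.serial]]
        if ev.kind in ("receive", "dispense") and ev.market != master[ev.serial]:
            alerts.append(("market_mismatch", ev.serial, ev.ts))
        if ev.kind == "dispense":
            if "dispense" in kinds:
                alerts.append(("duplicate_dispense", ev.serial, ev.ts))
            elif "receive" not in kinds:
                alerts.append(("missing_custody", ev.serial, ev.ts))
        history[ev.serial].append(ev)
    return alerts


def authenticate(serial, events, master):
    """Portal-style check for a single serial.

    Returns "unknown" if master data has no such serial, "suspect" if the
    captured events do not form an intact custody chain in the commissioned
    market, and "genuine" otherwise.
    """
    if serial not in master:
        return "unknown"
    chain = [e for e in sorted(events, key=lambda e: e.ts) if e.serial == serial]
    kinds = [e.kind for e in chain]
    # The custody chain is intact only if it is a prefix of the expected sequence.
    if kinds != EXPECTED_CHAIN[: len(kinds)]:
        return "suspect"
    if any(e.market != master[serial] for e in chain):
        return "suspect"
    return "genuine"


if __name__ == "__main__":
    for alert in run_rules(EVENTS, MASTER):
        print("ALERT", *alert)
    for sn in ("SN-1001", "SN-1002", "SN-9999"):
        print(sn, authenticate(sn, EVENTS, MASTER))
```

The rules run against the whole stream as each event arrives, which is what makes the near-real-time detection Atif mentions possible: the diversion of SN-1002 is flagged at its receive event, not months later in an audit. The authentication path answers the portal query from the same two sources he names, the master data and the captured events.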