Megaupload – Can we prevent this type of mega-mess?

By John Thielens, CSO, Axway

The Megaupload incident surprised a lot of people, especially because the FBI shut down the site even though thousands of individuals – including some from other divisions of the federal government – were depending on it for data storage. The problems resulting from the incident point to the consumerization trend known as “BYOA” or “Bring Your Own Apps to work.” This trend is not so much about bringing consumer devices onto the network (BYOD), though – it’s about bringing consumer behaviors onto the network.

Employees are simply trying to get their jobs done. And since employees are also consumers in a connected, Internet-driven world, they have gotten very good at utilizing services such as data storage or data exchange at home, doing their work, and then synchronizing the content. So it’s no surprise that when they log in at work they expect the same options and services, only to realize that they don’t have them. But they do have Internet connectivity that enables them to connect to what they need – so they start bleeding their expectations over the line.

There are numerous potential risks when employees use these consumer services instead of proper corporate (or in this case, government-sanctioned) services. Some risks are well-known, such as inadequate security, and accidental data disclosure or data leaks. But the problem around government employees using Megaupload was more one of “collateral damage” – that is, federal employees were using a site that was actually a relatively secure “file locker in the sky,” but other people were using it to securely but illegally distribute copyrighted movies and other pirated material. This illegal activity was discovered, the site was shut down, and everyone’s content was lost due to the illegal actions of only some users.

For the government, this is a prime example of the unintended consequences that can result when there is no detailed, rationalized, CIO-led and IT-driven process for selecting corporate services, with attendant contractual relationships.

To prevent this type of scenario in the future, the CIO must elevate his/her game and challenge IT to fully analyze IT usage patterns and tools across the organization. A detailed understanding of employee needs must be developed – including some type of monitoring of where employees are going on the Web – so that better services, with greater security and control, can be provided.

The type of file sharing that happened on Megaupload is not the only BYOD/BYOA challenge CIOs are facing, but it’s one of the many IT security challenges Axway solves for organizations every day. Whatever technology trend is under scrutiny, the bottom line is that IT cannot afford to be reactive. In order to protect the organization, IT must proactively partner with employees and take consumerization trends seriously. This effort may make things tougher for IT, but in the end, protecting the organization and empowering employees to get the job done is what it’s all about.

Like a Brand New Dishwasher – The Greatest Technology Just Works

By Dave Brunswick, Head of Technology Strategy, Security Solutions Group, Axway

Recently, we went through the process of shopping for and buying a new dishwasher at my house. We chose a brand with a reputation for quality and super quiet operation. All the controls are inside, so when the door is shut it looks really sleek and simple, except for one thing. There is a little orange light on the outside. We wondered why in the world the dishwasher would need this – until we ran it.

The product is well constructed, washes dishes incredibly well and looks good, and is in fact so quiet and unobtrusive that you actually need that little orange light shining on the kitchen floor to tell you that it’s running, and doing its job.

It reminded me of an issue we have in computer systems design and especially in the security arena. We like complexity, lots of visible controls, the ability to turn dials and choose your knobs, etc. We tend to get away from the simplicity of function, and forget that the ideal system is one that just works – and it needs that little orange light to tell us that it’s still working, it’s going great, and it’s doing its job.

So rather than confusing our end users, administrators, and partners with a lot of knobs and switches, particularly in a secure environment where we are trying to safely transfer data and information between individuals or organizations, we need to focus on simplicity of function. What we are trying to do is enable them to do business – to partake in that secure transaction. The technology, whether it’s encryption, policy management, or whatever, should be there, do what it needs to do functionally and not get in the way or intrude on what the users are doing. In fact, if it needs a little orange light to tell you it’s working, then it’s doing its job really, really well – because it is providing the functionality you want without the users having to even be aware that it’s running and doing things for them.

The technology should work as much as it can like my dishwasher – it should just work.