Security and Control of Data in the Cloud with BitTitan Data Encryption

Transcription

1 Security and Control of Data in the Cloud with BitTitan Data Encryption

2 Contents Ownership and Control of Data in the Cloud... 3 Unstructured Sensitive Information in /Calendars... 3 How Can Be Exposed? and Regulatory Compliance... 5 The Data Lifecycle... 5 Protect Data throughout its Lifecycle... 6 Copyright 2015, BitTitan, Inc. 2

3 Ownership and Control of Data in the Cloud BitTitan DataEncryption offers a solution to a key problem standing in the way of broader cloud adoption: maintaining ownership and control of data that is processed and stored by third-party cloud services such as Office 365. Most decision-makers recognize the financial benefits of moving their businesses to the cloud. The savings in staffing and infrastructure can be significant over the costs of maintaining data centers and the staff required to manage them. In addition, moving to the cloud can be a smart move from a security point of view. Cloud service providers have a dedicated focus on providing secure, highly scalable and available systems for their customers that is their only job. Contrast this with on-premise infrastructure, where IT is a secondary concern and security is not always a top priority. But while the arguments are numerous for moving to the cloud, many companies are rightly concerned over the issue of ownership and control of their information. A company s information is its lifeblood and it can be uncomfortable ceding a measure of control over it. Ultimately, it is the responsibility of the company to protect its sensitive information and that responsibility cannot be transferred to a third party no matter how trusted they may be. When discussing security in the cloud, many focus on the protection of documents and systems, and many tools exist to attempt to control the distribution of structured information. But surprisingly little attention gets paid to the case of unstructured sensitive information in day-to-day . Unstructured Sensitive Information in /Calendars and calendar information can contain a vast amount of information from the trivial to business critical all in an unstructured form which is very difficult to automatically identify and filter. Something as simple as a casual discussion between executives about a potential partner could have huge consequences if revealed. As an example, in the recent Sony Pictures hack, what was thought to be private was released to the public. This included details of talent compensation, negotiations, and personal opinions of various talent all of which will make future negotiations much more difficult and expensive, and has embarrassing ramifications for the company as a whole. Unstructured company information commonly found in includes: Trade secrets It sounds silly to say it, but trade secret protection is only maintained as long as the information is kept secret. It is the responsibility of the company to make reasonable efforts to protect the information, and there is legal recourse if the information is misappropriated. But accidental release voids protection. And even in the case of misappropriation, once the information is out, it is by definition, no longer secret. Product plans Most companies that invest in new product development use extensively to discuss plans, share details, organize meetings, explore patent protection, etc. All of this is information would be very valuable to competitors. Copyright 2015, BitTitan, Inc. 3

4 Negotiation details Negotiating contracts, prices, partnerships, mergers, acquisitions, or any of a myriad of business deals requires communication. Most of that is discussed over , and calendar details of who met with whom, and when, can be very valuable intelligence. Competitive information/discussions Analysis of the competition and subsequent compete planning is exchanged via . Exposure of this information can damage your ability to execute on plans. Employee reviews The details of an employee review are confidential information and release could lead to legal actions by the employee. In addition, private discussions about employees that do not make it into the formal review may contain information that would be inappropriate to share. Private executive discussions Executives need to be free to discuss a wide range of issues over , without fear of disclosure. This can be corporate strategy, pie in the sky long-range plans, or even simply opinions expressed in impolitic terms. Meeting details Exposure of calendar information can give a very clear picture of business relationships and exposure of minutes from what should be confidential meetings can damage relationships and potentially scuttle partnerships. Employee personal information Human resource departments often require personal information from employees much of which is sent via . Companies have legal responsibility to protect this personal and sensitive information. Legal/privileged information Communication with counsel is privileged and often sensitive, yet it is common to carry on extensive discussions over . And more It makes sense to ask yourself the question What would the cost to my company be if all of our internal s and calendars were made public? How Can Be Exposed? While cloud providers take great pains to provide secure and trustworthy services, ownership and responsibility of your information ultimately rests with you, and there are a number of ways your private data could be exposed. Government snooping Recent revelations have made it clear that many governments are actively engaged in large-scale data gathering on citizens in the name of national security. This can be internal to a specific country or extraterritorial as in the reported activities of the NSA and GCHQ under the PRISM and MUSCULAR programs. Unauthorized disclosure through subpoena When a legal subpoena requesting customer data is presented to a cloud data provider, they have no option but to comply. Often, the company will not be allowed to let the target of the action know that their data has been provided. Copyright 2015, BitTitan, Inc. 4

5 Such subpoenas may even be applied extraterritorially for example, requiring that data of a foreign company which is hosted on US-owned servers outside of the USA be turned over to US agencies. Malicious actions No matter how secure data centers may be, they are still run by people. And a rogue admin with the right access can bypass most security. In addition, hackers are constantly probing for weaknesses that would allow man-in-the-middle attacks or other ways to intercept data in transit. Accidental disclosure Data co-mingling, unencrypted data in memory snapshots, and general operational processes may expose data outside of expected channels. and Regulatory Compliance No single product can guarantee compliance with any particular set of regulations. At the end of the day, it is up to the owner of the data to guarantee compliance. It is your data and you need to maintain control over it even when you store it in the cloud. While BitTitan DataEncryption cannot, in itself, guarantee you are compliant, it can form an important piece of your compliance plan. There are two main areas of compliance for which encryption at rest, in transit and in use can act as key components. Data residency Many countries have regulations requiring that personal information not be transmitted outside of the country of origin. This can be a barrier to moving to the cloud since in most cases, the provider will have data centers serving multiple countries. In the case of Office 365, Microsoft will not guarantee that data on its servers won t be relocated outside of the initial region for support and maintenance purposes. Residency concerns can be addressed by encrypting data in the country prior to sending it to the cloud servers, and by maintaining the encryption keys within the county of origin. Note that personal information can be broadly defined and often can be found in unstructured form within . Privacy There are a host of regulatory entities aimed at protecting the privacy of users of data services. Private information ranges from the Personal Health Information (PHI) to Personal Commercial Information (PCI) to Personally Identifiable Information (PII). There are dedicated solutions for many business types, but for the most part, they focus on formal structured documents and information for example, a credit card order form or a medical record form. However, all sorts of private information can be and is found in unstructured form within s. For example, imagine a doctor sending an to his nurse asking that she order a specific test suite for a patient. This simple request carries a wealth of information about the patient which needs to be protected. The Data Lifecycle Cloud data exists in three states during its lifecycle, however, standard encryption solutions only protect the data in two of those states. In-transit Data is in-transit when it travels over the internet from the user to the cloud, between data centers in the cloud, and from the cloud back to the user. Data in transit is generally protected Copyright 2015, BitTitan, Inc. 5

6 by SSL or TLS encryption. SSL is widely used to protect everything from web transactions to . TLS is a superset of SSL with additional security features and is generally used between data centers and to connect mail servers. At-rest Data is at-rest when it is stored on a physical device including your PC or on a server at the cloud service provider. Data at rest is often protected with strong encryption which makes it virtually impossible to access the data should a thief steal a computer or server drive. In-use Data is in-use when it is read into memory from a storage device for example, when you turn on your encrypted laptop, or an Office 365 server loads your into memory. Data in use is not usually protected by encryption due to the complexity of having data be both encrypted yet usable. Protect Data throughout its Lifecycle BitTitan DataEncryption addresses the gap by protecting data in use without compromising access or user functionality. Information is encrypted at the DataEncryption proxy, and remains encrypted in-transit, at-rest and in-use in the cloud. Because the encryption keys are stored separately from the cloud data, if is exposed through snooping, malicious actions, legal requirement or simple accident, all released content will be unreadable encrypted information. At the same time, BitTitan s advanced encryption technology means: The user maintains easy access to and calendar data with full functionality, without the need to install any new software or make any changes. All mail they send and receive and all of their calendar data is stored in the cloud, fully encrypted. This gives the user the freedom to work normally using Outlook on a computer, Outlook Web Access in a browser, or on their mobile device using ActiveSync. BitTitan DataEncryption provides companies control over their in the cloud with persistent end-to-end encryption while in-transit, at-rest and in-use without requiring users to master new technology or install any additional software. Control Your Information with BitTitan DataEncryption The benefits of moving to the cloud are very real, but so are the risks and the potential cost of the release of confidential information. Internal company holds tremendous amounts of information that can cost your company time, money, and legal exposure if stolen or inadvertently made public. Copyright 2015, BitTitan, Inc. 6

7 BitTitan s DataEncryption protects your internal and calendar data in transit, at rest, and in use, and keeps the encryption keys separate from the data allowing you to maintain control and ownership over your information in the cloud. To learn more about BitTitan DataEncryption, please visit or contact [email protected]. About BitTitan BitTitan is the IT change automation expert that delivers end-to-end solutions for migration and onboarding challenges. Unlike competitive solutions, BitTitan removes barriers to change, including complexity, risk, cost and time constraints. With IT change automation, users can be current, have a choice, maintain control and eliminate chaos. Its globally recognized products, MigrationWiz, DeploymentPro, UserActivation, DataEncryption and SmtpLogic, deliver tailored solutions for today s challenges, such as Office 365 onboarding, and archive migration, as well as Office 365 security and controls. The credible, safe and trusted choice for both direct and partner channels, BitTitan has migrated more than 1.5 million mailboxes to the cloud in more than 100 countries. For more information, visit BitTitan, Inc Lake Washington Blvd, Suite 200 Kirkland, WA USA [email protected] Copyright 2015, BitTitan, Inc. 7