Building cloud security from the end up

In the spring of 2009, Gartner identified data security as one of the top five inhibitors to broader adoption of cloud computing. Research commissioned by Cisco and Intel on the impact of cloud on IT consumption models in 2013 found that security concerns loom large as the biggest impediment to adoption. And in June 2014, North Bridge Venture Partners/Gigaom Research published findings from their fourth annual survey into cloud adoption drivers and hurdles reinforcing the importance of security to potential adopters: in that study, most (49%) respondents voiced concerns about the security of their data in the cloud.

But what else happened in this past half decade? Business interest in the efficiency and cost savings benefits of cloud translated into increased usage of the technology (SaaS adoption grew from 13% in 2011 to 72% in 2014; IaaS grew from 11% to 56%; and PaaS grew from 7% to 41% as per the Northbridge/Gigaom study), while risks associated with the corporate experience of BYOD, consumerization, shadow IT and increasing IT complexity commingled with the evolving threat landscape to intensify security challenges (data breaches are increasing in number, in the number of individuals affected, and in the cost of repair). This intensification was the case for companies with cloud deployments in particular: according to the Ponemon Institute, there is a three percent higher risk of a data breach for every one percent increase in the use of cloud services, a “cloud multiplier effect” that highlights the scale of security threats in the cloud era.

So what do all these numbers add up to? If cloud adopters have been consistent in their concern for security over the past five years, their concern is justified as risk is growing apace with incremental cloud usage.

At the same time, however, solutions are being developed to address this risk as providers work to harden the security in their offerings. This is evident in an evolving collaboration between Dell and the popular cloud file sharing/storage provider, Dropbox. Back in December 2013, the partners introduced a strategic relationship which saw Dell offer Dropbox for Business through its sales organization to enable customers to implement Dropbox alongside security products from the Dell security portfolio, i.e. Dell Data Protection | Cloud Edition (DDP|CE). Six months later, the partners have announced an update that pushes product integration to deliver more advanced security capability to Dropbox users. Specifically, the announcement covers:

  • Separation of personal and work data – Though users can access both their personal and business files through a Dropbox account, Dell Data Protection | Cloud Edition ensures that company files are properly managed and secured with encryption for sensitive company data, while personal files receive Dropbox encryption and remain in the control of the individual user. The solution also issues an automatic alert when business files are placed in a personal folder to educate the user on the need to always take proper security precautions. “On the client side, we’re starting to see the blurring of the personal device and the work device,” Brett Hansen, executive director of client solutions software at Dell, noted, “and our solution can help address that by creating segmentation… so there’s no possibility that a disgruntled employee could hook up a USB key, pull out work files and pass those on to a competitor.”
  • Remote wipe – In cases where a device has been lost or an employee’s identity compromised, the company can use the Dropbox for Business admin console or the DDP|CE admin console to complete a remote wipe of all Dropbox encrypted files.
  • Simple mobile collaboration – The integration of Dell Data Protection | Cloud Edition allows Dropbox users to take advantage of one-click sharing capability, while maintaining file-level encryption. Employees will now be able to open encrypted files through the Dropbox app on Windows 7 and 8, Android and iOS devices, OS agnosticism solving for the BYOD challenge that many organizations now face.
Brett Hansen, executive director, client solutions software, Dell

From Dell’s perspective, the relationship with Dropbox is driven in large part by the company’s market success. While Dell owns a panoply of storage solutions aimed at the midmarket in addition to cloud-based file sharing capability, as Hansen explained, “if you look at the marketplace and you look at what customers are using, you can’t help but say that Dropbox is a global, and certainly North American, phenomenon: Dropbox claims 200 million active users and that a billion documents are uploaded and downloaded on its platform every day.” But Hansen also pointed to a change in the use of Dropbox: an expansion from strictly personal use of the application towards deployment of the platform for business collaboration. For Dell, this shift represented an opportunity to connect with its core SMB market, which, Hansen argued, sees Dropbox in turn “as an opportunity to be more employee friendly, and to help employees be more productive and more collaborative.”

As with other examples of the consumerization of IT, however, this shift has given rise to new risk as Dropbox was not initially built with business class security requirements in mind. While Dropbox is inherently secure, IT managers and security officers in larger organizations may have additional requirements around the compliance and control of corporate documents that are not addressed by the platform, and hence concerns over the leverage of Dropbox for sharing company information. In Hansen’s view, IT is looking to maintain control over information — where it goes, who has access and where it gets accessed — especially in industries such as healthcare or finance that must comply with strict security reporting and other compliance requirements.

From the Dropbox perspective, the partnership with Dell provides an additional sales channel (Dropbox will promote Dell cloud security, passing on leads), but more importantly, positions the platform as a business grade solution. According to Hansen, there are certain industries such as healthcare that have been reluctant to use Dropbox due to compliance issues. The Dell Data Protection solution, on the other hand, is HIPAA compliant and its encryption has achieved FIPS 140-2 Level 3 certification, a robust standard when applied to software security. Since Dell Data Protection | Cloud Edition delivers security capability at the device level through a client that lives on the PC, tablet or phone, as well as at the cloud layer, it offers business owners a mobility solution that allows employees to securely connect and share documents in public environments via the phone, an expectation that has transformed into regular practice in many organizations. And most importantly, the solution offers IT control over company data: with DDP|CE, data is encrypted but the IT administrator retains the key. “The secret sauce,” according to Hansen, “is an enterprise server-based console that maintains key names” which provide authorization allowing an individual, who may, for example, be part of a specified workgroup or domain, or an identified role (a doctor or nurse in healthcare) to decrypt a specific document.

In addition, Dell’s data protection goes beyond full disk encryption that is standard on most devices to encrypt at the file level so that each file or IP set has its own unique key. As a result, files can be securely transferred across devices and cloud environments, an important consideration when employees might be transferring customer data, IP or sensitive financial information. For the customer, the Dell/Dropbox integration means double encryption in which the Dropbox encryption, server and key stay at Dropbox, and customer ownership of a separate enterprise console which retains the keys to controlling data access. If key management in file-based encryption sounds complex, Hansen added that the process is transparent to the user, while double encryption and access control protect the company from accidental device loss or risk associated with user error on Dropbox.
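The arrangement described in the two paragraphs above (a unique key per file, released by an enterprise console according to role, underneath a separate provider-side encryption layer) can be sketched as follows. This is an added illustration, not Dell's or Dropbox's code: `KeyConsole`, the role names, the device id and the SHAKE-256 stand-in cipher are all assumptions, and remote wipe is modelled simply as the console refusing further key release to a device.

```python
import hashlib
import secrets

def xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): SHAKE-256 keystream XOR so the example needs
    # only the standard library; a real client would use an AEAD such as AES-GCM.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class KeyConsole:
    """Hypothetical enterprise console: one key per file, released by role."""
    def __init__(self):
        self._keys = {}      # key name -> (file key, roles allowed to decrypt)
        self._wiped = set()  # devices whose access was revoked by remote wipe

    def new_file_key(self, allowed_roles):
        name, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[name] = (key, frozenset(allowed_roles))
        return name, key

    def release(self, name, roles, device_id):
        key, allowed = self._keys[name]
        if device_id in self._wiped or not allowed & set(roles):
            raise PermissionError("key release denied")
        return key

    def wipe(self, device_id):
        self._wiped.add(device_id)

def client_encrypt(console, plaintext, allowed_roles):
    # Inner layer: applied on the device before the file leaves it.
    name, key = console.new_file_key(allowed_roles)
    nonce = secrets.token_bytes(16)
    return {"key_name": name, "nonce": nonce, "data": xor_stream(key, nonce, plaintext)}

def client_decrypt(console, blob, roles, device_id):
    # The console decides per file and per request whether to hand out the key.
    key = console.release(blob["key_name"], roles, device_id)
    return xor_stream(key, blob["nonce"], blob["data"])

def provider_store(provider_key, blob):
    # Outer layer: the storage provider encrypts what it receives with its own key.
    nonce = secrets.token_bytes(16)
    return nonce, xor_stream(provider_key, nonce, blob["data"])

def provider_view(provider_key, stored):
    # What the provider recovers with its own key: still the inner ciphertext.
    nonce, data = stored
    return xor_stream(provider_key, nonce, data)
```

Because the provider's key only removes the outer layer, the provider side never holds readable content; access is decided entirely by what the console is willing to release.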

Going forward, the partners are working on other business level initiatives. While Dropbox has deployed Dell storage and server technologies, Dell ships Dropbox preinstalled on all of its consumer devices and is currently rolling out a pilot that will see its sales team use the jointly secured collaboration platform. Dell’s partnership with Dropbox is not exclusive though – the company currently has similar relationships with Box.com and Microsoft’s OneDrive cloud, and will be expanding to Google Drive later this year. In Hansen’s view, Dell’s connection with Dropbox and other cloud providers is born out of recognition that “we have to acknowledge that data is no longer sedentary. Data is going to move to different locations, and our focus is on helping our customers secure data, wherever that data goes.” Human vulnerability means that in this effort the endpoint is critical: “that is where the fight is going to be,” he added, and “Dell will be proactive because we have a whole client business that we can use as an entrée to have that discussion with customers.” Rather than treat the device as an isolated hardware component, Dell’s ultimate goal is to leverage its client business to create customer awareness of security issues and of the need to do a better job of protecting data, and themselves: an end-to-end approach that is gathering steam in the information age.

 

 

 

 

 

 

 
