
Posts Categorized Under "CLOUD"

4 Understated Tool Categories for Cloud App Security


As more and more organizations migrate their data to the cloud, IT teams discover a new world of useful cloud apps, from cloud-supporting hardware to new software and services that promise to make business processes easy and efficient. However, every cloud app you add to your arsenal needs its own protection, even if the data itself is locked up tight.

Cloud migration also introduces another concern: shadow IT. Moving to the cloud can inspire employees or departments to use software and services that aren’t always approved by the usual channels beforehand. Employees can also use personal technology at work “or niche technology that meets the unique needs of a particular business division and is supported by a third-party service provider or in-house groups, instead of by corporate IT,” according to TechTarget’s definition of shadow IT. Once these tools (including Dropbox, Google Docs, or instant messaging services) are implemented, it’s not always easy to root them out—but it doesn’t have to be hard to secure them, either.

Whether you’re using IT approved apps or have shadow apps hiding in the corners, always make sure they’re protected. Not sure where to start? Here are four understated tool categories you should use for cloud app security, as well as a few matching products or services that address each one.

DDoS Protection Tools

A DDoS (Distributed Denial of Service) attack happens when a malicious user or group floods a service with traffic from multiple sources, intending to cripple the business and make it unusable for an extended period of time. When the service goes down, people can’t access it. The situation becomes a complete nightmare for everyone involved.

DDoS attacks can be devastating to an organization’s bottom line. A single successful attack can cost upwards of $2.5 million, and DDoS disruption alone can cost around $100,000 an hour in lost revenue. What’s worse, the number of DDoS attacks per year only continues to rise, with Neustar reporting that a whopping 84% of companies have experienced an attack in the last year, compared to 73% in 2016.

It’s imperative for businesses to take DDoS attacks seriously and implement tools that will thwart their efforts. Here are a couple DDoS protection tools you can use to secure your cloud apps:

AWS Shield

Amazon Web Services offers AWS Shield, “a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS.” AWS Shield works with Elastic Load Balancing, Amazon CloudFront, and Amazon Route 53 to detect DDoS attacks and provide automatic mitigation whenever needed.

Do you currently use AWS as your cloud services platform? According to their website, “all AWS customers benefit from the automatic protections of AWS Shield Standard,” which protects your applications from network and transport layer attacks.

aiProtect

Microsoft Azure offers aiProtect Denial of Service Protection, a service that “automates the identification and mitigation of Denial of Service (DoS & DDOS) attacks, while providing detailed reporting necessary to end the attack.” aiProtect can protect your cloud applications by reviewing incoming traffic requests and blocking ones that are suspicious, giving you time to act before the attack takes down your network.

Cloud Access Security Broker (CASB) Tools

CASB tools give you the power to retain control of your cloud apps while simultaneously monitoring them for threats and vulnerabilities. TechTarget’s definition of CASB states, “CASBs use auto-discovery to identify cloud applications in use and identify high-risk applications, high risk users and other key risk factors,” which is a great asset for organizations that have shadow apps.

Cloud Access Security Broker services act between an organization and the cloud to make sure all network traffic abides by set security policies. They can provide valuable insights into where data is going, what cloud apps the business uses, what actions users and accounts are taking in their daily work environment, what threats exist in the infrastructure, and more.

Knowing what apps your business uses and what threats they may pose is also an important part of protecting your data, and your cloud processes. Here are a couple CASB tools you can use to secure your cloud apps:

CipherCloud

CipherCloud is a CASB solution that helps “monitor and rate over 15,000 cloud applications, and [the] intuitive drill-down dashboard lets you identify all clouds and block risky apps.” With a tool like CipherCloud implemented, you can assess business risks and vulnerabilities, then address them using available policy actions (notify, quarantine, user self-remediation, etc) without interrupting regular business processes.

Skyhigh

Skyhigh is another popular CASB platform you can implement on a single cross-cloud platform to “gain visibility into cloud usage and risks, meet compliance requirements, enforce security policies, and detect and respond to potential threats.” It offers a variety of key features for governance, threat protection, compliance, and security throughout their solutions and products.

Data Loss Prevention Tools

Are you worried about losing control of your data? Most people are. When you move your data to the cloud instead of having it in your internal network, it’s hard to imagine letting go of your assets—which is why we suggest using a data loss prevention tool. A DLP tool helps you keep control of your data during migration, protects it while it’s at rest in the cloud, and can alert you to any data placed in the cloud that shouldn’t be there.

Knowing exactly where your data is and if it’s vulnerable or not can give back some of the control you need and let you rest easy at night. Here are a couple DLP tools you can use to secure your cloud apps:

McAfee

McAfee Total Protection for Data Loss Prevention “safeguards intellectual property and ensures compliance by protecting sensitive data wherever it lives.” It gives you a detailed look at where your data is being used, allows you to pinpoint and address any leaked data you might have, and uses “flexible file tagging to set up time-saving data security policies based on location and application types.”

Digital Guardian

Digital Guardian’s Data Loss Prevention solution works to protect your assets by tagging sensitive data as classified whenever a user requests it. If the user then attempts to send the data outside of the network or to the cloud, the solution blocks the transmission. Digital Guardian for Data Loss Prevention also automates classification of sensitive data and stops leaks without affecting employee productivity.

Cloud Backup Tools

Backing up company data is often listed as a security best practice, and it’s very true: you should have a plan in place for creating frequent cloud backups. But are you storing your backups off-site, or is everything kept in one place or accessible from the same account?

Code Spaces, a company that once offered source code management tools to developers, met a dismal end at the hands of a hacker, in part because their backups were controlled from the same control panel as their data. “An attacker gained access to the company’s AWS control panel and demanded money in exchange for releasing control back to Code Spaces,” writes Paul Venezia, Senior Contributing Editor at InfoWorld. “Code Spaces had replicated services and backups but those were all apparently controllable from the same panel and, thus, were summarily destroyed [when they tried to take back control].”

Implementing a tool that places your cloud backups off-site is a simple way to save your organization a lot of potential heartache. It may cost time and resources to put every piece in place, but you’ll be two steps ahead of any security disasters you face in the future, as your data will be protected.

Sadly, Code Spaces didn’t have a chance without off-site backups. But you can. Here are a couple backup tools you can use to secure your cloud apps:

Azure Backup

Microsoft Azure’s BaaS solution, Azure Backup, protects your data wherever it’s at rest (the cloud, your data center, your office locations) by providing six offsite backup targets of your applications stored in two different Azure datacenters. Azure Backup can also integrate with Azure Site Recovery, which orchestrates protection and recovery of private clouds.

Asigra Cloud Backup

Asigra Cloud Backup is a cloud-to-cloud backup and recovery service that can help you control the data you’ve entrusted to SaaS and PaaS providers. It “enables you to manage the recoverability of cloud-based application data in multiple ways,” including backing up your cloud environment to the data centers of your choosing, deploying backup policies to cloud app users for consistent protection, and scheduling backup activities from a single interface.

These four tool categories can absolutely kickstart your cloud app protection, but they’re not exhaustive. Is there a tool you use that we missed in this post? Leave it in the comments below!

 


7 Cloud Security Best Practices for Amazon Web Services


Temporary and permanent storage of data in the cloud has grown in popularity over the years. Companies like Land O’Lakes and Boeing moved their information to the cloud last year to simplify the technology they used. Video-streaming behemoth Netflix finished their journey to the cloud in early 2016 after seven years of moving systems and customer services to Amazon Web Services (AWS).

What inspired this change from on-premises storage to the cloud? Ease of use and implementation, the cost-effectiveness of the cloud over having to maintain physical servers, and worldwide access to cloud storage without being dependent on a single network or location are just a few of the positives that encourage companies to migrate. Some cloud providers, like AWS, can even scale in either direction to support growing business needs—meaning you only pay for what you use.

This transition to the cloud brings a new set of security risks to the table, though. According to Digital Guardian, you lose some control over sensitive company data once you put it in the cloud, since that data is transferred to the cloud provider, versus stored on-premises. To prevent interception of data while stored or transferred within the cloud, companies should ensure they are encrypting files during storage and transit using a managed file transfer solution like GoAnywhere MFT. The cloud also allows personal devices to connect to and interact with data, and this has its own positives (flexibility in cloud use) and negatives (compromised information if a connected device is stolen or hacked).

Amazon Web Services markets itself as a “secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow.” As companies move to AWS for their cloud storage needs, they’ll have the opportunity to increase their productivity and reliability as long as they maintain best practices for cloud security.

If you’re getting ready to move your data to Amazon Web Services or already have, here are seven best practices for AWS we recommend to get the most out of your cloud security.

1. Document your AWS processes and procedures, then keep them updated

Imagine you have a very specific file structure set up in the cloud, complete with categorical folders that are protected by different levels of permission. You know that all company sales data should go in a specific folder, but a coworker, though meaning well, doesn’t know and decides to transfer sales data to a different, unprotected folder. Chaos ensues.

To avoid this type of confusion, create consistent cloud practices everyone can follow. Document your AWS processes and procedures. Store them in a common space that the organization can access, like a shared drive on the internal network. And update the document every time something changes in your cloud approach to help coworkers, stakeholders, third party vendors, and trading partners remain on the same page.

2. Use AWS CloudTrail to track your AWS usage

Understanding what actions users take in the cloud is an important step toward keeping your data secure and in the hands of those you trust. Use an AWS service like AWS CloudTrail to anticipate and prevent security vulnerabilities in the cloud through “governance, compliance, operational auditing, and risk auditing of your AWS account.”

AWS CloudTrail can do the following tasks, and more:

  • Create API call history logs
  • Record when objects or data are created, read, or modified
  • Calculate and give you risk reports on your cloud storage account
  • Determine who makes changes to your cloud storage infrastructure
  • Track who logs in to your accounts (including successful and failed login attempts)
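As an added example (not code from the original post), the Python below reviews console sign-in records of the kind CloudTrail logs and reports repeated failures, a success that follows them, and any sign-in without MFA. The sample records, the threshold of three failures and the function names are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records. Field names follow the CloudTrail record format
# for console sign-in events; users, addresses and times are made up.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2017-06-01T09:00:01Z", "eventName": "ConsoleLogin",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "alice"},
  "responseElements": {"ConsoleLogin": "Failure"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2017-06-01T09:00:05Z", "eventName": "ConsoleLogin",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "alice"},
  "responseElements": {"ConsoleLogin": "Failure"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2017-06-01T09:00:09Z", "eventName": "ConsoleLogin",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "alice"},
  "responseElements": {"ConsoleLogin": "Failure"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2017-06-01T09:00:20Z", "eventName": "ConsoleLogin",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "alice"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2017-06-01T10:15:00Z", "eventName": "ConsoleLogin",
  "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "bob"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventTime": "2017-06-01T10:20:00Z", "eventName": "PutBucketAcl",
  "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "bob"},
  "responseElements": null},
 {"eventTime": "2017-06-01T11:00:00Z", "eventName": "ConsoleLogin",
  "sourceIPAddress": "192.0.2.44", "userIdentity": {"userName": "carol"},
  "responseElements": {"ConsoleLogin": "Failure"},
  "additionalEventData": {"MFAUsed": "No"}}
]""")


def console_logins(events):
    """Normalize ConsoleLogin records in time order; other API calls are skipped."""
    rows = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        rows.append({
            "time": ev["eventTime"],
            "ip": ev.get("sourceIPAddress", "unknown"),
            "user": (ev.get("userIdentity") or {}).get("userName", "unknown"),
            "ok": (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success",
            "mfa": (ev.get("additionalEventData") or {}).get("MFAUsed") == "Yes",
        })
    # Timestamps share one ISO 8601 UTC format, so string order is time order.
    return sorted(rows, key=lambda r: r["time"])


def review_logins(events, max_failures=3):
    """Return (kind, user, source address, time) findings for sign-in activity."""
    failures = defaultdict(int)  # consecutive failures per (address, user)
    findings = []
    for row in console_logins(events):
        key = (row["ip"], row["user"])
        where = (row["user"], row["ip"], row["time"])
        if not row["ok"]:
            failures[key] += 1
            if failures[key] == max_failures:
                findings.append(("repeated_failures",) + where)
            continue
        if failures[key] >= max_failures:
            # A success right after a run of failures may be a guessed password.
            findings.append(("success_after_failures",) + where)
        if not row["mfa"]:
            findings.append(("login_without_mfa",) + where)
        failures[key] = 0
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_EVENTS):
        print(finding)
```
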

3. Complete risk assessments as often as possible

Even though the cloud is run by Amazon Web Services, both AWS and your organization are responsible for making sure nothing falls through the cracks. This includes maintaining “adequate governance over the entire IT control environment regardless of how IT is deployed” and having “an understanding of required compliance objectives and requirements,” among other things.

AWS completes and publishes risk assessments for their services, and you should do the same for the data you’ve stored in the cloud. Each time you give a new key player (including third party vendors and trading partners) access to your AWS cloud storage, walk through the following steps:

  1. Review the risks you currently know about and ensure they’re still being addressed
  2. Identify and add new risk scenarios to your list. Plan for how to tackle them
  3. Identify the key players who have access to AWS and ensure they’re following standard security hygiene
  4. Assess your AWS account. Make sure your settings, policies, and security are still relevant
  5. Consider the steps you should take next to manage your data and prevent future risk

Remember, risk assessment is an ongoing process that allows you to find and address security concerns in your infrastructure. Since storing data in the cloud takes away some of your control over sensitive company information by not being on-premises, it’s vital you complete assessments often to keep on top of potential security gaps and vulnerabilities.

4. Follow standard security hygiene for host and guest systems

Practicing standard security hygiene is one of the easiest ways to keep your data protected. These habits should become second nature, just like washing your hands or brushing your teeth, and will benefit you immensely without requiring much time or resources.

Enable multi-factor authentication for all accounts

Amazon Web Services’ MFA requires a user to provide two pieces of information to prove they’re authentic. The first piece is knowledge (something you know, your login credentials), the second is possession (something you have, an authentication code sent to an AWS MFA enabled device). Just enable multi-factor authentication for your AWS accounts to get an immediate boost in security.

Remove privileges from defunct accounts

When an employee, trading partner, or third party vendor leaves the relationship, clean out their account and delete any privileges they were given. This removes the temptation for a renegade player—or a hacker guessing at passwords and emails—to return at a later date and compromise sensitive company information.

Disable password-only access for guests

Even guest accounts should use multi-factor authentication wherever possible, even if they have limited authorities and privileges.

5. Manage and review AWS accounts, users, groups, and roles

Every so often, we recommend you review your AWS accounts, users, groups, and roles to gain a proper overview of the privileges and permissions they have. Are any of these stagnant or similar to other setups? Consider combining them. Are any of them no longer necessary? Limit the clutter. The less overlap there is, the better.

Administrators of Amazon Web Services accounts should pay special attention to the permissions listed for their S3 buckets. Several different types of access can be given to users, including list, upload, delete, view, and edit. A bucket can also be set to viewable for AWS account holders or anonymous users, which may cause high risk depending on the files in the bucket, so make sure to review your S3 buckets and permissions to avoid potential security pitfalls.
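One way to run the S3 review described above, as an added example that is not part of the original post: the Python below scans bucket ACLs, in the JSON shape returned by `aws s3api get-bucket-acl`, for grants to anonymous users or to any AWS account. The bucket names, the owner ID placeholder and the severity labels are constructed for illustration.

```python
# Group URIs that S3 ACLs use for the two broad audiences named in the text.
AUDIENCES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous users",
    # "Authenticated" means any AWS account at all, not only your own users.
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# What each ACL permission allows when it is granted on a bucket.
EFFECT = {
    "READ": "list objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "do all of the above",
}
HIGH = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}  # severity labels are an assumption

OWNER = {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}

# Constructed sample input: bucket name -> ACL document.
SAMPLE_ACLS = {
    "example-public-site": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    "example-sales-data": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
    ]},
    "example-private": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    ]},
}


def audit_bucket_acls(acls):
    """Return (severity, bucket, audience, permission) for every broad grant."""
    findings = []
    for bucket, acl in acls.items():
        for grant in acl.get("Grants", []):
            grantee = grant.get("Grantee", {})
            audience = AUDIENCES.get(grantee.get("URI"))
            if grantee.get("Type") != "Group" or audience is None:
                continue  # grants to named accounts need a separate review
            permission = grant["Permission"]
            severity = "high" if permission in HIGH else "medium"
            findings.append((severity, bucket, audience, permission))
    return sorted(findings)  # "high" sorts before "medium"


def describe(finding):
    """Turn one finding into a line for a review report."""
    severity, bucket, audience, permission = finding
    return f"{bucket}: {audience} can {EFFECT[permission]} ({permission}, {severity})"


if __name__ == "__main__":
    for finding in audit_bucket_acls(SAMPLE_ACLS):
        print(describe(finding))
```

Bucket policies can also open a bucket to the public, so an ACL scan like this covers only part of the review.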

The bottom line? Provide your accounts, users, groups, and roles with the least amount of privileges they need to function. If someone needs temporary access, it’s better to add them in as they’re required and remove them right after to avoid information falling into the wrong hands.

6. Protect your access and encryption keys

If you’re using AWS to store your data in the cloud, you’re bound to have access keys and encryption keys. Access keys help AWS verify your identity against your login attempt and give you access to the resources you’ve been given. Users with different access keys may not be able to see the same things you do, so it’s imperative you keep your keys safe.

Similarly, encryption keys are used to encrypt and decrypt data. Since they unlock sensitive information, keep them separate from your data. This best practice is especially important for companies who need to comply with regulations like HIPAA, FISMA, and PCI DSS. “Essentially, the compliance requirements all say the same thing,” writes Luke Probasco for Pantheon, “encryption keys should never reside in the same environment or server as the encrypted data. This is a technical way of saying, don’t leave your key under the doormat a hacker walks in over.”

Here are just a few ways to keep your access and encryption keys safe:

  • Periodically delete any unused keys
  • Use temporary access keys instead of permanent ones wherever possible. This way, if an attacker compromises an account or discovers a user’s credentials, their access will be time-sensitive
  • Watch the encryption key life cycle and make sure new ones are properly saved and secured
  • Create procedures for worst case scenarios in the event a key is lost or tampered with

An easy way to protect your keys is to use AWS Key Management Service, the service Amazon offers that “makes it easy for you to create and control the encryption keys used to encrypt your data.” AWS KMS even integrates with AWS CloudTrail, Amazon’s log auditing service, so you can view logs of your key usage.
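The account hygiene checks from section 4 (MFA, defunct accounts) and the unused-key cleanup from this section can be run against the IAM credential report. The Python below is an added example, not code from the original post; the sample rows are constructed and carry only the report columns the checks read, and the 90-day idle window is an assumption.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the CSV layout of the IAM credential report,
# reduced to the columns used below. Users and dates are made up.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,2017-06-10T08:00:00+00:00,true,true,2017-05-01T00:00:00+00:00,2017-06-12T00:00:00+00:00,false,N/A,N/A
bob,true,2017-06-11T08:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
former-vendor,true,2016-11-01T08:00:00+00:00,true,true,2016-01-15T00:00:00+00:00,2016-10-30T00:00:00+00:00,false,N/A,N/A
build-bot,false,N/A,false,true,2016-12-01T00:00:00+00:00,N/A,true,2017-06-01T00:00:00+00:00,2017-06-14T00:00:00+00:00
"""

# Fixed "today" so the sample gives the same findings on every run.
SAMPLE_NOW = datetime(2017, 6, 15, tzinfo=timezone.utc)


def parse_when(value):
    """Parse a report timestamp; markers such as 'N/A' mean there is no date."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def review_credentials(report_csv, now, idle_days=90):
    """Return (user, finding) pairs for missing MFA, dormant logins, unused keys."""
    cutoff = now - timedelta(days=idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            # Console access protected by a password alone.
            if row["mfa_active"] != "true":
                findings.append((user, "no_mfa"))
            # A password nobody has used for a long time suggests a defunct account.
            last_login = parse_when(row["password_last_used"])
            if last_login and last_login < cutoff:
                findings.append((user, "dormant_login"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            # A key that was never used is aged from the day it was issued.
            last_seen = (parse_when(row[f"access_key_{n}_last_used_date"])
                         or parse_when(row[f"access_key_{n}_last_rotated"]))
            if last_seen is None or last_seen < cutoff:
                findings.append((user, f"unused_key_{n}"))
    return findings


if __name__ == "__main__":
    for user, finding in review_credentials(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: {finding}")
```
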

7. Secure your data at rest and in transit

When moving data between your network and the cloud, always encrypt your files and protect your communication using SFTP, FTPS, or SCP. Furthermore, keep them encrypted even when they’re at rest, sitting in an AWS S3 bucket or on a server. You can choose to encrypt single files or entire folders depending on your needs.

A managed file transfer solution can encrypt your files both ways using modern encryption methods. Good MFT software will help you stay up-to-date as encryption standards change over time, while also making sure your data transfers are easy to manage and audit.

GoAnywhere MFT, our managed file transfer solution, integrates with Amazon Web Services in a variety of ways. To learn how GoAnywhere MFT can meet your cloud needs, check out our Amazon EC2 platform page or request a demo.

 


Truly Secure On-Premises Document Management for HR

HR departments receive, generate, and accumulate substantial volumes of documents such as job postings, employment applications, resumes, reference checks, testing data, personnel files, wage and hour records, payroll records, and disciplinary files.

GoDrive by GoAnywhere is a secure file storage and collaboration solution that's ideally suited to the unique document management requirements of today's Human Resources departments.  GoDrive is an on-premises Enterprise File Sync and Sharing (EFSS) alternative to vulnerable cloud-based document storage services.

Even though files are stored using on-site or hosted systems, all data is encrypted in transit and at rest for true file integrity. When single documents or entire folders are shared with individuals or groups, only those authorized users can view the documents.

In compliance with Sarbanes-Oxley requirement DS5.11, GoDrive creates a trusted path to exchange sensitive transaction data.  Detailed audit logs track all activity, including who accessed which documents and from what location. Email notifications can be generated when an individual downloads or uploads a file, providing a receipt confirming each interaction.

DS5.11 Exchange of Sensitive Data: Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt, and non-repudiation of origin.

GoDrive supports a distributed workplace, making it efficient to disseminate informational and regulatory documents to in-office and remote employees.  Shared groups might include individual departments or a management team that spans the entire organization. Vendors and contractors can be authorized to access designated documents, and it's an efficient way to accommodate requests by regulatory bodies.  You can also streamline the distribution of documents to job candidates and new hires.

File shares can be expired quickly and easily at any time due to termination, changes in vendor relations or at the completion of a disclosure commitment.  Permission settings on each file share let you define view-only, download, upload and delete rights.  Best of all, version control enables any document in GoDrive to be restored to a previous version and deleted files can be easily recovered without assistance from an IT Specialist.

GoDrive is robust yet cost-effective, flexible in scale to accommodate unlimited storage and is one of the only multi-platform on-premises EFSS solutions.  Talk to your IT administrator about the surprisingly inexpensive security advantages of GoDrive. Download a FREE full feature trial for evaluation on your own on-site or hosted systems.


Risky Cloud-based File Sharing Has Met Its Match in GoDrive EFSS

So you've decided 2015 is the year to finally end your organization's use of high risk cloud-based file sharing services.  Maybe it came from a directive by senior management to reduce the exposure of sensitive company documents, or maybe you've accepted that policy enforcement is simply unmanageable.

Chances are, your requirements include greater control over user access, end-to-end encryption, disk quotas and the ability to wipe files on lost or stolen devices.  At the same time, you recognize that ease of use is paramount or employees will resist giving up their familiar apps.

GoDrive by GoAnywhere might be one way to do just that.  More than a Dropbox alternative, GoDrive is a cloud storage replacement that delivers peace of mind.

For IT Professionals, GoDrive is the on-premises Enterprise File Sync and Sharing (EFSS) solution that gives you the centralized control you need.  Detailed audit logs provide senior management the assurance of knowing who's accessing what files, when and from which device.

End-users will appreciate the intuitive drag-and-drop interface, and advanced file monitoring features are sure to impress.  Desktop sync creates a Windows drive that automatically updates documents for collaboration with both local and remote team members.

It's the new network security initiative that makes perfect sense for everyone who needs a better way to share files. Try it yourself today with a FREE trial download to test on your own on-site or hosted system.


4 Benefits of On-premises Enterprise File Sync and Sharing

Too many organizations have underestimated the value of mission-critical business documents.  Some employees may take great risks with sensitive or proprietary information and hope that nothing bad happens.

Today, there's a new way for your entire organization to easily store documents and enjoy secure collaboration with GoDrive by GoAnywhere.  What makes GoDrive unique is the underlying technology, which provides powerful security and access management to make sure your data is safe.

Let's look at the four biggest benefits of the GoDrive Enterprise File Sync and Sharing (EFSS) solution:

  1. Better Protection. Cloud-based file sharing services are limited in their ability to protect your sensitive business documents. As high profile service providers, they are under increased threat of attack by hackers, as seen in recent headlines regarding security concerns and data breaches. In contrast, GoDrive allows you to store your sensitive documents on your server of choice, providing you with local security and management of those documents.
  2. Efficiency and Control. Sending email attachments can be problematic due to file size restrictions or their vulnerability to interception during transmission. The GoDrive EFSS central storage lets you share a document once and continue to make updates, all the while shared users are accessing the most current information.
  3. Convenience. The GoDrive EFSS solution eliminates the need for memory sticks to transport data and the risk associated with using them. Your files can be securely accessed anywhere, anytime with a secure Internet connection and browser.
  4. Easy Sharing. Network drives can be found in nearly every office for sharing files within your department.  However, it's not so convenient if you want to share files between remote office locations or when working offsite.  EFSS enables you to connect and share simply and easily without boundaries.

GoDrive is built on the proven security features of GoAnywhere Services.  The intuitive interface is simple for employees and trading partners, and project leaders will appreciate the advanced activity monitoring and email notifications. Talk to your IT administrator about the security advantages of GoDrive.  They can even download a FREE full feature trial for evaluation.


On-premises Cloud Storage and Sharing Alternative from Linoma Software

Linoma Software announces GoDrive by GoAnywhere, a secure on-premises Enterprise File Sync and Sharing (EFSS) solution that takes document storage out of the cloud and puts IT administrators back in control.

With GoDrive, files and folders can be easily shared between authorized employees and partners with advanced collaboration features including file revision tracking, commenting, a trash bin, media viewing and synchronization with Windows devices.

End-to-end encryption protects sensitive files and, since no data is stored in the cloud, your organization maintains local control to meet compliance requirements.  GoDrive combines:

  • Familiar tools like drag-n-drop and image previews, allowing your employees to quickly and easily adopt GoDrive.
  • Detailed audit logs giving management and compliance officers the peace of mind that all activity is well documented.
  • Proven security features of the GoAnywhere Services administrative tools, with the addition of device authorization and remote wipe capabilities.

GoDrive is an affordable solution ideally suited for enterprise customers. Organizations using traditional private or public cloud services today would likely see a considerable cost savings.

The multi-platform software can be installed using an on-site or hosted server and allows for unlimited scalability of storage.

For more information, or to download a FREE trial, visit the GoDrive page.


Dropbox is Easy But is it Good for Business?

In the October issue of IBM Systems Magazine, Linoma Software chief architect, Bob Luebbe, raises concerns about the use of cloud-based file sharing apps in a business environment.  In the Technology Showcase, Luebbe questions the practice of trusting sensitive documents to consumer-grade software.

These file sharing services - like Dropbox - are popular for exchanging photos and documents between family and friends.  The simple and seemingly magical propagation of files through the Internet to dozens of computers and devices makes it ideal for personal use.

In the article, Luebbe talks about the appeal of these free, or low-cost, file sharing services and the real risk they pose to an organization.  He also presents a secure alternative called Managed File Transfer (MFT) that delivers the same results but with greater control, encryption at rest and in transit, and detailed audit logs.

To learn more, check out Bob Luebbe's Showcase in the October 2014 issue of IBM Systems Magazine or explore the on-premises MFT solution GoAnywhere at GoAnywhere.com.


Managed File Transfer Mobile App Targets Cloud Storage

The introduction of smart phones and tablets quickly spawned an industry of mobile apps and cloud storage.  With the rise of Bring Your Own Device (BYOD) in the workplace, the demand for simple and efficient file sharing skyrocketed.  IT departments lacked the tools to satisfy internal customer demands so, in the interest of maintaining productivity, employees found workarounds through unsecured apps and public storage.

Best of Both Worlds

Today, Managed File Transfer (MFT) software is bringing document management full circle.  In addition to flexibility, automation and improved compliance reporting, MFT has dramatically simplified how trading partners and end users interact with documents.  Mobile apps and web-based clients are bridging the gap recently filled by cloud storage providers.

The real advantage lies in returning control to the network administrator.  Data remains on corporate servers so no information is uploaded to the cloud.  Authorized users are restricted to accessing designated folders and administrators control permission settings, such as read-only or upload rights.  Secure Mail functionality allows users to send email messages with a unique link to files that recipients can download securely through a HTTPS connection.

Reducing Risk of Data Loss

Reliance on policy enforcement to control data security was always an uneasy stop-gap solution.  Now, IT personnel can transition resources to focus on strategic initiatives rather than police information flow.

The GoAnywhere File Transfer app is available for download now on iTunes and the Google Play store. It is free to customers licensed for the GoAnywhere Services HTTP/s module.

If you'd like to learn more about Managed File Transfer and its ability to transform your IT operations, contact a GoAnywhere team member today.


Linoma Joins HANDD at InfoSecurity Europe

Following on the heels of the InfoSec Conference in Orlando last week, we've crossed the pond to co-sponsor an exhibition stand with longtime partners HANDD Business Solutions at the InfoSecurity Europe conference in London.  This event brings experts from all areas of cyber, network, cloud and data security together to discuss key issues and educate IT professionals on best practices.

No matter where an organization does business, keeping private data protected, avoiding data breach, and implementing appropriate policies and procedures to meet a variety of compliance guidelines are formidable challenges.

On the top of the minds of IT professionals who stopped by our stand, #C95, was how to find a better file sharing alternative than the free cloud-based services that have become popular with employees, but that are virtually impossible to monitor and track to meet compliance guidelines.