June 2013 - The Privacy Post

Setting Standards for the Murky Cloud Market

Posted by on Jun 28, 2013

Individual users and enterprises have flocked to the cloud for convenient and cost-effective storage and sync solutions. From home computing to a wide range of business sectors, the cloud has significantly changed how users interact with the web. For the average user, cloud storage offers a cheap and easy way to safely back up files, photos, and any other important data. For enterprises, the cloud offers significant savings through reduced need for large IT staff, hardware, onsite servers, and maintenance. But the lack of regulatory standards for the cloud market has created a situation in which many popular third party cloud services are actually unsafe.

Cloud Adoption

Image courtesy of zdnet.com

In response to the glaring lack of regulation, CEO of the World Wide Web Consortium (W3C), Dr. Jeff Jaffe, has called for tighter cloud standards. At a recent W3C talk, Jaffe said, “Identifying future trends and needs for standardization is an important focus…we now need a richer conversation between core web standards and the cloud.” But Principal Analyst at Ovum, Roy Illsley, doesn’t predict that such a universal standard will arise any time soon. As Illsley said, “The best we can hope for is a standard on workload transport so that businesses can move cloud provider with minimal effort. Businesses are not moving wholesale into the cloud because of a number of issues, and the lack of portability of workloads between different cloud standards is just one. It’s an important issue, but it’s still just one of many….It’s like the browser wars of the 1990s, when mass adoption by enterprises only happened when there was a single standard. However, cloud is coalescing around a few main approaches and standards, for want of a better word, and the mess of supporting this is mainly felt by the service providers who have different solution stacks, such as OpenStack or VMware, to support different customers.”

Dr. Jeff Jaffe

Photo courtesy of messe.de

Leaving regulation entirely up to cloud service providers has created a situation in which companies with better practices are starting to garner more attention from users and enterprises looking for cloud convenience while ensuring their data privacy. Third party cloud service providers already have to contend with confusing data residency laws that vary from place to place. So a global hodgepodge of different cloud standards could create an even more chaotic situation, in which floating data must be protected by different measures and means depending on which country the servers are located in.

Ruy Carneiro

Photo courtesy of extranews.com.br

One country that has controversially paved the way for such national cloud standards is Brazil. Presented by representative Ruy Carneiro, a new Brazilian bill addresses the lack of cloud regulations and privacy protections while enacting international agreements to monitor and regulate data flow between countries. According to Carneiro, “Brazil should have the ambition of becoming an important player in the cloud computing space as it has the potential to increase national competitiveness and productivity…So an adequate regulatory environment – which doesn’t isolate the country, but offers security to citizens, enterprises and the government – is fundamental to foster the industry, bring more foreign investment in that field and allow Brazilian providers to expand internationally.” And as enterprises continue to flock to the cloud, lack of regulation can lead to unintentional non-compliance due to the fact that some services may store data on servers in countries like Brazil with their own unique regulations and data export requirements. Rather than being hit with a penalty, fees, or having to deal with a breach of data, enterprises should only trust their sensitive data to cloud service providers that offer data privacy and user anonymity.

The SpiderOak Blue Solution

But selecting a truly secure third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space.

SpiderOak Blue protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private as unreadable blocks of data. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s cross-platform private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.

Crunching Big Numbers in the Cloud

Posted by on Jun 27, 2013

Big data has transformed everything from manufacturing to the service sectors. But as companies rely more and more on big data, secure storage has become vitally important. Don’t let your enterprise’s sensitive data fall victim to hacking or exfiltration! With a truly private third party cloud service, enterprises of all sorts and sizes can take full advantage of the cloud without having to worry about outsourcing security or losing control of their most important data.

Cloud Computing & Big Data

Image courtesy of wikibon.com

The cloud offers enterprises more flexibility and greater cost savings through reduced need for large IT staff and functions. And the cloud also gives businesses the choice over whether or not to host data onsite through expensive servers, or offsite through a secure cloud storage service. This trend continues to grow as enterprises opt for flexibility, cost savings, and easy scalability. According to Gartner, traditional OEMs on the server market have seen shares decline by 5 percent in the first quarter of 2013. With the rise of mobile technology around the world, IDC predicts a 44-fold growth in data from 2009 through 2020. And according to the Canadian bank, CIBC, information-generation growth is expected to increase by 50 times in the next ten years. CEO of Mixpanel, Suhail Doshi says, “Data is the next design. Products that don’t consider data will founder.” Big data allows enterprises to store and analyze relevant company and consumer information in terms of velocity, volume, and variety.

Growth of Cloud-Based Big Data

Image courtesy of infochimps.com

All around the world, established enterprises and global startups have leveraged big data and the cloud to compete in a rapidly shifting international market. In India, IT investments by EMC started with a meager $100 million in 2000, which is expected to grow to around $2 billion by 2014, making it the biggest Indian investment in data, IT, and the cloud by a multinational company. According to EMC President, Asia Pacific and Japan, David Webster, “During 2010 to 2020, digital information in India will grow from 40,000 petabytes to 2.3 million petabytes (a measure of memory or storage capacity. One petabyte is enough to store the DNA of a large country and then clone them twice).” And such growth is only expected to continue, as Webster says, “Companies will have responsibility for the storage, protection and management of 80 per cent of the Digital Universe’s data, and this liability will only increase as social networking and Web 2.0 technologies continue to impact the enterprise.” As it stands, half of Indian digital data goes missing due to lack of storage and the number is predicted to expand to 80 percent in the next ten years. The big data market in India is expected to jump from $80 million in 2013 to over $153 million in 2014. And the cloud computing market is growing right alongside big data. A recent EMC Zinnov study predicts cloud market growth to around $4.5 billion by 2015, with private cloud services accounting for $3.5 billion of the market share.

Collecting Consumer Data

Image courtesy of cloudtweaks.com

Essentially, big data and the cloud offer enterprises the chance to develop customer intimacy. This focus on the relationship with the customer moves beyond transactional models to a long-term model based on understanding both the spoken and latent needs of customers. Through analyzing and securing customer data, enterprises can fill gaps in service, stay ahead of market trends, and anticipate consumer demand. And most important of all, such an approach builds brand value and long-term customer trust, which are vital for enterprises wanting to build and expand through this period of economic uncertainty and rapid technological growth.

SpiderOak Blue for Enterprises

But finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave private company and consumer data vulnerable to third party attacks and even internal exploitation. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak Blue. This service provides enterprises with fully private cloud storage and sync, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak Blue is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server.

SpiderOak protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, making this a uniquely cross-platform cloud solution.

IT, Cloud Concerns, & Adoption for Enterprises

Posted by on Jun 26, 2013

The cloud has revolutionized the market for all sorts of sectors. While we’ve already tackled the importance of connecting SMBs to the cloud, enterprises of all sizes can also take advantage of the cloud’s cost savings as well as convenience. In a recent survey, the number of respondents who will move a majority of IT operations to a cloud service within five years jumped up to 29% in 2013 from 27% in 2012. But for some reason, larger enterprises are still somewhat more hesitant about moving to the cloud than small to mid-sized enterprises. However, around 59% of companies, from SMBs to large enterprises, are still working on IT prep work before selecting the right third party cloud service. From Software-as-a-Service (SaaS) solutions to planned deployments with IT management, third party cloud services present a wide range of options for enterprises looking to leverage technology in their favor.

IT & the Cloud for Enterprises

Image courtesy of Readwrite.com

But before making the switch, CIOs and IT teams must do the work of protecting their data and choosing the right private service for their security needs. According to Richard Dorough, managing director for PwC Forensic Services, before making the switch, “it makes sense to evaluate the data itself, the service level agreement and the cloud service security before moving anything to the cloud.” Clouds can be “better, faster, cheaper, more flexible and more secure” than what many enterprises could do internally. But privacy concerns over sensitive company data have still kept many cautious enterprises at bay. With proper encryption and security procedures, everyone from manufacturers to health care providers can take full advantage of the conveniences and cost savings that the cloud provides. Such benefits serve “as a de facto endorsement of hybrid and private cloud deployments, especially for healthcare and other heavily regulated industries,” for people like Scott Blanchette, senior vice president of information and technology services for Vanguard Health Systems. With HIPAA concerns at the forefront of Mr. Blanchette’s mind, a private cloud deployment offers full control of data, cloud convenience, and ultimate security.

Why choose the cloud?

Image courtesy of Onestopclick.com

As all sorts of enterprises increasingly rely on cloud adoption to compete in a rapidly shifting global market, IT teams have had to proactively seek out cloud security engineers to help manage onsite security and network infrastructure. This can be outsourced through selecting a truly private third party cloud service provider, or IT teams can hire a designated staff member to keep in house. Cloud security engineers should have a deep understanding of host-based systems, IP architectures, IPv4 and IPv6 networking, as well as network security functions on both stateful and non-stateful technologies.

Public vs Private Clouds

Image courtesy of ComputerWeekly.com

As Bill Hackenberger, co-founder and CEO of HighCloud Security, writes, “your data in the cloud is your responsibility, no matter what the cloud provider does or says. If a data breach occurs, you will bear all of the consequences, positive and negative.” The importance of securing data onsite before selecting a cloud is highlighted by the user error in Amazon’s cloud. A security firm found that more than 126 billion files were exposed due to user ignorance of proper privacy settings. Having a cloud security engineer onsite or outsourced and available is essential to enterprises looking to take full ownership of their data and privacy.

Another thing that enterprises should look out for is how their third party cloud provider interacts with their data. Onsite encryption should always take place for enterprises dealing in sensitive data, especially before uploading such data to a cloud. Essentially, encryption jumbles the data into something unreadable without an encryption key. Because encryption keys unlock such private company information, encryption keys should be stored exclusively on approved devices. For enterprises wanting to retain control of their data, be sure to find a third party cloud provider that gives you control over encryption keys.

SpiderOak Blue for Enterprises

Finding a truly secure third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud storage and sync service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy.

SpiderOak protects sensitive enterprise data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, enterprises that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts any plaintext data). SpiderOak Blue’s private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, making this a uniquely cross-platform cloud solution.

The Cloud & Global Development

Posted by on Jun 25, 2013

Globalization has ushered in a period of shifting dynamics in which new power players are sure to come to the forefront as leaders of the world market. One of the key technologies being utilized by developing nations and global industries is cloud storage and sync. Through the cloud, developing nations and workforces are empowered to leverage technology in their favor, allowing them to not only rapidly develop new products and services, but to market them as global competitors in the digital marketplace.

Cloud development

Image courtesy of CloudAve.com

According to a study performed by Cisco, worldwide cloud computing traffic is expected to jump twelve-fold from 2010 numbers by the year 2015. Much of this growth is pushed by tech hubs like London, New York City, and the Silicon Valley, but the developing world has also been driving monumental cloud adoption around the planet. Cloud computing has granted developing global businesses a flexible, fast, and convenient solution to international competition. In countries where infrastructure is lacking and even electrical grids are unreliable, battery-powered smartphones and third party cloud service providers give developers and enterprises the security and stability they need to thrive.

One of the positives of being an enterprise in a developing nation is that there isn’t a burden of old infrastructures that must be replaced, giving the impression of lost investment doubled by the impact of conversion costs. Instead, developers and enterprises can start off on the cloud using mobile devices. As Chris Haydon, Vice President of Solutions Management for Ariba, says, “Africa has joined the networked economy…it is almost like in some parts of the economy, they are bypassing the PC and going to the device – whether it be a smartphone or tablet. We see that type of uptake, there is a huge demand in being able to get transactions, notifications or alerts via mobile devices to acquire access (to that information). Africa is also predisposed to cloud solutions as well.”

In a study titled, “Unlocking the Benefits of Cloud Computing For Emerging Economies”, Peter Cowhey and Michael Kleeman of UC San Diego assert, “cloud computing can greatly strengthen small and medium enterprises (SMEs), thereby stimulating job creation…One study in Mexico showed typical reductions in total fixed cost of about 3% in a 45 person firm that switches to cloud computing…Lowering costs stimulates growth and jobs, perhaps to the tune of 190,000 new jobs in Mexican SMEs if they adopted cloud computing.”

Cheki

Image courtesy of 1mobile.com

The same holds true for developing enterprises in Africa. The African used car classifieds service, Cheki, has a market that encompasses Ethiopia, Rwanda, Malawi, Kenya, and Nigeria. The site serves a million users and has over a billion visits every month. According to Michael Kleeman, “most dramatic thing in terms of scale is the widespread use of cloud-based services like Google… Two-thirds of the people I work with across Africa use Gmail. Ten years ago they’d have to have in-house email services, and software like Microsoft Office…Now, all of those applications are there with a decent Internet connection.”

In fact, emerging economies like Argentina, Thailand, and Peru already use the cloud more so than more mature economies like Germany, the United States, and France. In a recent BSA study, 33% of global cloud users utilize the cloud for business and 88% use the cloud for personal purposes like emails. And governments from the United States to Australia have committed to making the switch of data storage to the cloud. Ultimately, enterprises of all sizes and developmental stages utilize the cloud for three main reasons. The first is the massive cost savings the cloud enables through cutting the need for big IT staff and onsite servers. The second main reason for switching to the cloud is flexibility through scalability and worker mobility. Finally, the cloud attracts enterprises through the ability to globalize development. Through the cloud, developing enterprises can tap the resources of workers from all around the world regardless of infrastructure.

Cloud adoption

Image courtesy of coresolution.com

Security through a Private Cloud Solution

Whether developing or firmly established, enterprises looking to adopt the cloud must make data security a priority. But choosing a truly secure third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. One service that sets itself apart is SpiderOak Blue. This service provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy.

SpiderOak protects sensitive enterprise data through 256-bit AES encryption so that files and passwords stay private. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts plaintext data). SpiderOak Blue’s private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, making this cross-platform solution perfect for both developing and established enterprises.

Finding the Right Server Solution for Your Enterprise

Posted by on Jun 24, 2013

Enterprises looking to leverage technology to help stay ahead of the game have turned to secure cloud solutions for both convenience and cost savings. Cloud services can offer public hosting or private servers, depending on the particular needs of an enterprise, but each method of cloud deployment has its benefits and drawbacks. To fully capitalize on the cloud, enterprises must decide which method of hosting makes the most sense for their needs and budget.

Server solutions

Photo courtesy of CloudAve.com

Essentially, public hosting is like sharing an apartment complex with many residents. With public shared hosting, all accounts utilize the same resources like disk space, CPU time, and memory, and any available resources are shared. Public storage servers are very cost effective and diminish the need for a large IT staff. Maintenance and monitoring are handled by third party cloud service providers, which usually provide tech support as well. And enterprises can save even more money by not having to purchase, maintain, and upgrade servers onsite. Such on premise solutions require special attention, security, and expertise that many enterprises would rather outsource. And servers generally take up quite a bit of much needed office space.

Deployment Plans

Image courtesy of BlackIronData.com

But public servers have their downsides as well. Recently, a massive storm took out servers resulting in downed sites for major companies like Netflix, Instagram, and Pinterest. While unpredictable weather can strike onsite servers as well, this example just illustrates the fact that outsourced servers mean a degree of outsourced security. One way enterprises can protect themselves while using a public server is by enacting better practices like requiring server administrators to log in exclusively onsite. If logging in locally is impractical, procedures should be established that limit access to approved IPs and accounts, and security tokens should be used whenever practical. And of course, tunneling and encryption should be standard security protocols.

Enterprises must decide for themselves whether they would rather have more convenience and cost savings or more control. As Kelly Clay at Forbes writes, “It’s easy to blame AWS and public cloud services in general for the downtime we occasionally see, but even traditional infrastructures fail. Maybe instead it’s time to think differently about the interconnected nature of the services we rely on. Everything is intertwined.” This intertwining means that enterprises can’t skirt cost and security, and must choose between lower costs and more convenience through public servers or more control through an onsite server.

For enterprises looking to retain full control of their data by keeping servers in house, dedicated or onsite hosting is the solution. Such servers don’t share space or resources with anyone else and give enterprises root access to their environments. This way, IT teams don’t have to rely on third party tech support for upgrades and internal tweaks. While onsite servers take up much more space and require dedicated staff for maintenance, upgrade, and security, they also grant enterprises greater flexibility. Many third party cloud services do not support multiple platforms, so enterprises that want to switch platforms or even build their own environments through Linux, might be stuck with one particular platform until the third party service adds cross-platform functionality. Having a private server onsite helps to sidestep these potential issues.

Onsite or public servers?

Image courtesy of tps.unh.edu

As with any deployment option, data security is of primary importance. Data drives most enterprises, so a single security breach could potentially ruin an entire brand. Trusting a third party cloud to secure your data should only be done if the cloud is fully private, otherwise the cloud service’s employees could have access to your enterprise’s valuable data. This is where having an onsite server can bring peace of mind, especially if your third party cloud server doesn’t provide “zero-knowledge” data privacy. Such onsite private servers put security ownership and control back into the hands of IT staff. Ultimately, enterprises must take full ownership of their data security, deciding which method of cloud deployment makes the most sense for their needs and concerns.

SpiderOak Blue

For enterprises looking to the cloud, SpiderOak Blue offers fully private “public” and onsite server options for full flexibility. Choosing the right third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. But SpiderOak sets itself apart from the rest of the market by providing a fully private cloud service featuring all of the benefits of cloud storage along with 100% data anonymity.

SpiderOak protects sensitive enterprise data through 256-bit AES encryption so that files and passwords stay private. Authorized accounts can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts plaintext data). SpiderOak Blue’s private cloud services are available for enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, making this one of the only flexible cross-platform solutions on the market.

Privacy Blog Roundup

Posted by on Jun 21, 2013

Privacy concerns all web users, from individuals to small businesses and massive enterprises. Hackers don’t discriminate and just about everyone is familiar with at least some degree of security measures against potential third party attacks. But true security online goes much further than changing passwords and trusting websites to guard your information. Depending on your use and needs, the privacy measures you should take will vary. Here at The Privacy Post, we offer our readers updates throughout the week that tackle the latest in privacy issues, security concerns, and cloud solutions for both individuals and enterprises. But we are just a starting point, and those looking to learn even more about protecting their privacy can find a treasure trove of information at some of our favorite cyber security blogs.

Privacy Blog Roundup

Image courtesy of uclaextensionolli.wordpress.com

At Privacy Revolt! visitors can learn more about civil liberties in the digital domain. From CISPA to California’s Right to Know Act, Privacy Revolt! covers issues on technology and civil liberties, government surveillance, data mining, and data security. Privacy Revolt! is an ongoing project of the non-profit Consumer Federation of California Education Foundation. Another consumer rights blog that tackles issues of technology and privacy is the CDT blog. This public policy blog educates the public on issues and concerns related to a free and open Internet. The mission includes preserving the unique nature of the Internet, enhancing freedom of expression, protecting privacy, and limiting government surveillance. According to their mission statement, “CDT fights for the right of individuals to communicate, publish and access an unprecedented array of information on the Internet. We oppose governmental censorship and other threats to the free flow of information. We believe that technology tools—not government controls—are the best way to allow families and individuals to make choices about the information they receive on the Internet.” Ultimately, these blogs focus on putting power back in the hands of users.

Bruce Schneier

Photo courtesy of QZ.com

For the latest news and opinions by one of the biggest security experts in the world, check out Bruce Schneier’s blog. As a security technologist, Schneier has been described as a “security guru” by The Economist. Schneier has testified as a security expert before the U.S. Congress and has written for publications like Forbes, The New York Times, Wired, and The Washington Post. For those looking for the latest cloud news and market trends, the Cloud Security Alliance’s blog features updates that focus on promoting best security practices for businesses and enterprises of all sizes. Another great blog that highlights the latest cloud developments is InfoWorld’s Cloud Computing blog. This market-focused blog helps consumers make informed decisions when choosing cloud services and other commercial web applications.

EFF

Image courtesy of EFF.org

One of our favorite privacy blogs is the EFF’s Deeplinks. Since 1990, the Electronic Frontier Foundation has championed consumer rights, free speech, and online privacy. With contributions from digital activists, technology experts, and lawyers, Deeplinks has something for anyone interested in privacy law and the latest developments surrounding digital privacy rights. Another great privacy law blog is Proskauer’s Privacy Law. This blog takes a close look at the latest privacy legislation and legal news concerning online privacy for both enterprises and individual users. Past article titles include, “Protecting Privacy or Enabling Fraud? Employee Social Media Password Protection Laws May Clash with FINRA Rules” and “Shine the Light a Little Brighter – Changes Resulting in Increased Customer Access Proposed to California’s “Shine the Light” Act”. And at Abine’s blog, Internet users can learn how to secure their personal information and sensitive data from surveillance, hacking, and data mining. Past post titles at Abine include user-friendly topics like “7 tips to deal with Yahoo’s TOS update that lets them snoop in your emails and chats” and “13 steps to turn on Twitter’s 2-step authentication”.

The Privacy Post & SpiderOak’s Secure Cloud Solutions

At The Privacy Post, we always bring it back to taking ownership of your data and online privacy. One of the best ways to do that is by backing up any sensitive data to a secure cloud service. But choosing the right third party cloud service can be a challenge as many services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud service provider that sets itself apart from the rest of the market is SpiderOak. This private cloud service offers all of the benefits of cloud storage along with 100% data anonymity.

SpiderOak protects sensitive data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, users that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Users store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of passwords or data. And all plaintext encryption keys are exclusively stored on approved devices (SpiderOak never hosts plaintext data). SpiderOak’s private cloud services are available for individuals and enterprises on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.


Protecting Yourself from Ransomware

Posted by on Jun 20, 2013

Malware has infected everything from personal computers to large corporate servers. But the latest malware threat comes with big backers from the movie industry. Ransomware is malware that infects a computer, locking all functions and files until a given action or request is satisfied. Such rootkits and malware hide on computers and are very hard to scrub. Unfortunately, lobbyists are currently urging lawmakers to adopt policies that would legalize infecting devices suspected of piracy with corporate ransomware, without proof of engagement in piracy.

Legal Malware

Image courtesy of arstechnica.com

Recent research has shown that once installed, malware can be remotely triggered and controlled through a wide range of methods, from visual cues that tap smartphone cameras to audio triggers. This dangerously turns user devices into spyware that can be used to exploit unsecured private information. And for workers that enjoy Bring Your Own Device (BYOD) policies at work, hackers could use your address book, applications, and GPS to engage in a tailored phishing attack to try to crack corporate desktops and networks. As Marian Merritt, Internet safety advocate for Norton, says, “Information about where you go and who you see – it could have value [to criminals]”.

Jon Huntsman

Photo courtesy of theglobalipcenter.com

Despite the dangers of malware, the Commission on the Theft of American Intellectual Property (TCOTAIP) is recommending the legalization of corporate malware, or ransomware, as a proactive defense measure against pirating. This commission is made up of seven former tech CEOs and bureaucrats including Dennis C. Blair and Jon Huntsman. In a recent recommendation to the U.S. government, the TCOTAIP laid out suggested solutions to combat state-sanctioned hacking from China, but such solutions would ultimately extend to any kind of file sharing of copyrighted material.

Malware Propagation

Image courtesy of Microsoft.com

One of the suggested solutions reads as follows:

Software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account.

Ultimately, this means that corporations would be able to preemptively infect suspected devices with ransomware without obtaining oversight or having to prove piracy. This would be just like seizing the house and assets of a suspected petty thief before taking the thief to court.

The current recommendation calls for a change to standing U.S. laws to allow the spread of such legalized malware:

While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.

That’s right, the recommendation calls for legislation that would allow a company to “destroy” your computer or network without proving criminality. Even more disturbing is language in the recommendation that seems to suggest that oversight of copyright enforcement be given to the National Security Agency. This would take such matters out of the domain of civil courts, rebranding copyright and patent issues as national security concerns:

Designate the national security advisor as the principal policy coordinator for all actions on the protection of American IP. The theft of American IP poses enormous challenges to national security and the welfare of the nation. These challenges require the direct involvement of the president’s principal advisor on national security issues to ensure that they receive the proper priority and the full engagement of the U.S. government.

BYOD & Ransomware

For businesses, ransomware has the potential to add a greater degree of danger to Bring Your Own Device policies. BYOD policies have become the latest rage for businesses looking to offer their workers greater mobility and flexibility while taking advantage of better workflow and productivity. But non-secure BYOD policies could leave sensitive company information vulnerable to malware infections and even ransomware if the TCOTAIP’s recommendations end up influencing legislation. Imagine a worker that brings a personal laptop full of pirated music or shows to work, only to have the company’s network identified and shut down as a potential source of pirating. SMBs can guard against both malware and the prospect of ransomware by engaging in proper endpoint management as well as using a third party cloud provider for secure data storage.

Choosing the right third party cloud service can be difficult as many cloud services on the market have security gaps that leave private data vulnerable to third party attacks. One cloud service provider that sets itself apart from the rest of the market is SpiderOak. This private cloud service offers all of the benefits of cloud storage along with 100% data anonymity.

SpiderOak protects sensitive data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private. Two-factor authentication is just like the process used by some financial services that require a PIN as an extra precaution along with a password in order to log in. With SpiderOak, users that choose to use two-factor authentication must submit a private code through text along with their unique encrypted password. Users can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of passwords or data. And plaintext encryption keys are exclusively stored on approved devices. SpiderOak’s private cloud services are available for businesses and individuals on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.


Endpoint Management for SMEs

Posted by on Jun 19, 2013

Businesses of all sizes must quickly adapt to changing security concerns and complex third party attacks. But for small businesses, such concerns are of even greater importance as the rise of Bring Your Own Device (BYOD) policies leaves many company networks vulnerable to data mining, security breaches, and exfiltration. The modern workforce is more mobile than ever and SMEs are scrambling to provide greater flexibility without sacrificing security.

Keeping Endpoints Safe

Image courtesy of HealthfortheWholeSelf.com

IT teams have had to find solutions that cover both endpoint and user identity management. As Grant Ho, Director of the End-User Computing Marketing team at Novell, writes, “The convergence of endpoint and identity management becomes even more critical as businesses shift towards more flexible computing architectures using a mix of physical, virtual and cloud environments, it becomes even more critical for the desktop to follow the user.”

Endpoint management is a necessary step in securing onsite information. Through endpoint management systems, server and desktop administrators can manage any networked device, from mobile devices to company desktops and servers. Essentially, endpoint security management involves network policies that require compliance before allowing network access. Endpoint management covers Bring Your Own Device policies for devices like tablets, smartphones, and personal laptops.

Managing Endpoints

Image courtesy of astd.org

Endpoint security management systems, which can be purchased as software or as a dedicated appliance, discover, manage and control computing devices that request access to the corporate network. Endpoints that do not comply with policy can be controlled by the system to varying degrees. For example, the system may remove local administrative rights or restrict Internet browsing capabilities.

Companies that are used to making large investments in network security often leave a security gap when it comes to endpoints. This is troubling when considering the fact that most of the dangerous attacks that have plagued enterprise networks have been traced back to endpoints. As Scott Crawford, Research Director for Enterprise Management Associates, writes, “We’ve seen this advancement in techniques for network-based detection, but we haven’t seen quite that much advancement on the endpoint…And, yet, if you look at what the target is in most of these cases, the strategic target may be the user’s privileges to sensitive data, so the tactical objective in a lot of cases is the endpoint. You’re going to focus on compromising endpoint functionality to gain visibility into the user’s activities and get access to their credentials.” So when endpoints are left unsecured, hackers can exploit this vulnerability by seizing the necessary credentials from users without having to do the time-consuming work of cracking into the system. For the sake of data security, SMEs must be able to identify the location of any compromised endpoints; otherwise, attacks could go unnoticed.

BYOD policies

Image courtesy of PGI.com

Investing in endpoint management allows SMEs to flag any suspicious activity in order to make any necessary security or user credential adjustments. As John Prisco, CEO of Triumfant, says, “You’ve got to be fighting the battle in the trenches, and the trenches in this case would be the endpoint…You have to have something on the endpoint that isn’t antivirus that’s looking at changes [to the endpoint]. It has got to be looking at everything and making decisions based on normal behavior changes.” Some IT managers have opted for the stricter route of application control, but such a rigid measure runs the risk of lowering employee morale and even halting workflow in the case of a needed download or temporary application. Instead, companies can adopt a hybrid cloud model by securing endpoints onsite with the IT team and closely monitoring user credentials. After that, any sensitive company data should be encrypted onsite through basic hashing and salting. Finally, SMEs can ensure full data privacy and protections through a third party cloud service provider.

From Endpoints to the Cloud

Choosing the right third party cloud service can be a challenge for SMEs as many cloud services on the market have glaring security gaps that leave private company data vulnerable to third party attacks and even internal exploitation by employees. One cloud service provider that sets itself apart from the rest is SpiderOak Blue. This private cloud offers the convenience and cost benefits of cloud storage along with 100% data privacy.

SpiderOak protects sensitive company information through 256-bit AES encryption so that all company and consumer files and passwords stay private. SMEs can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of passwords or data. And plaintext encryption keys are exclusively stored on approved devices, so that endpoint management systems can be incorporated. SpiderOak’s private cross platform cloud services are available on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, giving SMEs flexible solutions to leveraging technology in their favor so they can stay ahead of the competition.


Social Media and User Privacy

Posted by on Jun 18, 2013

Social media has allowed businesses to tap into consumer data shared by users. In the past, businesses looking for marketing data had to rely on costly surveys. Today, consumers actively and freely share personal information on their favorite products and services across a wide range of social media. On Facebook, users provide advertisers with all sorts of information, from addresses and photos to employers and favorite brands. Users give away their exact location through apps like Foursquare and even share their latest exercise programs on apps like Runkeeper. But with the rampant practice of selling user data to advertisers, users that want to preserve elements of their privacy should be aware of how their data is being used while proactively protecting their sensitive information, photos, and files with a private cloud service.

Facebook Ads

Image courtesy of ClixFuel.com

Recently, Facebook expanded its Like function throughout the web so that Likes across a variety of participating sites will be transferred instantly to user Facebook pages as well as to the pages of their friends. Personal user information is now shared with Facebook’s business partners including Microsoft, Yelp, and Pandora. In a statement by Facebook preparing users for the privacy policy changes that would usher in a new era of social media advertising, the company stated, “In the proposed privacy policy, we’ve also explained the possibility of working with some partner websites that we pre-approve to offer a more personalized experience at the moment you visit the site. In such instances, we would only introduce this feature with a small, select group of partners and we would also offer new controls.” However, as with most changes at Facebook, users are automatically signed up for this “voluntary” sharing of user information, and turning off the auto-share function while blocking data sharing with third-party sites is so complicated that most users don’t even bother.

Chris Messina of Factory City

Photo courtesy of FactoryJoe.com

As Factory City blogger Chris Messina says, “When all likes lead to Facebook, and liking requires a Facebook account, and Facebook gets to hoard all of the metadata and likes around the interactions between people and content, it depletes the ecosystem of potential and chaos — those attributes which make the technology industry so interesting and competitive. … It’s dishonest to think that the Facebook Open Graph Protocol benefits anyone more than Facebook — as it exists in its current incarnation, with Facebook accounts as the only valid participants. As I and others have said before, your identity is too important to be owned by any one company.” But that’s exactly the situation many users are finding themselves in today, with Facebook monopolizing and capitalizing on what most users think is private and personal information.

Social Media Ads

Image courtesy of Business2Community.com

For soldiers, sharing on social media sites poses an even greater danger than having user data exploited for profit. While users on sites like Facebook are accustomed to posting the occasional inappropriate picture, soldiers that post photos could inadvertently disclose sensitive information that could cost lives. Status updates on military missions are another way that classified information could be leaked. Even soldiers that are off duty must be wary of what they choose to share with social media, as Staff Sergeant Dale Sweetnam of the Online and Social Media Division of the Office of the Chief of Public Affairs stated. Sweetnam said, “Once it’s out there, it’s out there…You can delete it, but if the wrong person took a screen shot, that’s actionable intelligence and you can’t get that back.”

And Facebook isn’t the only social media site that seeks to profit from sharing personal user information. Recently launched, UberAds tracks any shared information from smartphone users across the web, offering customized ads tailored to a given user’s particular interests. The company searches sites and apps like Instagram, Twitter, and Pinterest to determine which ads to send. Brands that have already signed on for UberAds include BMW, Pizza Hut, H&M, and Macy’s.

From Public to Private

Social media users can still take part in the networking opportunities social media provides while protecting their most private information from exploitation. The first step is making sure privacy settings are tailored for your comfort level. Then take down anything you don’t want shared with advertisers or any third parties. After that, find a private cloud service to backup your private photos and files you don’t want getting out. But choosing the right third party cloud service can be a challenge as many cloud services on the market have glaring security gaps that leave private user data vulnerable to third party attacks and even internal exploitation. One cloud service provider that sets itself apart from the market is SpiderOak. This private cloud offers the convenience of cloud storage along with 100% data privacy and user anonymity.

SpiderOak protects sensitive user information through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private. Two-factor authentication is just like the process used by some banking services that require a PIN as an extra precaution along with a password in order to successfully log in. With SpiderOak, users that choose to use two-factor authentication must submit a private code through SMS along with their unique encrypted password. Users can store and sync personal information with complete privacy, because this cloud service has absolutely “zero-knowledge” of passwords or data. Plaintext encryption keys are exclusively stored on the user’s chosen devices, so social media fans can rest easy knowing their data won’t be exploited by the latest ad scheme. SpiderOak’s private cloud services are available on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices.


DLP Programs for Data Security

Posted by on Jun 17, 2013

In 2012, global data breaches jumped up 117% from 2011. From 2011 through 2012, over 260 million records were breached, highlighting the need for data security standards worldwide. Such massive numbers show the necessity of implementing good data loss prevention programs for businesses of all sizes. For C-Level managers and IT administrators, DLP (data loss prevention, or protection) is the latest buzzword for businesses looking to protect their private data from hacking, seizure, or internal exploitation. Essentially, data loss prevention helps ensure that endpoints don’t become sources of leaked corporate data. To leverage technology in their favor, businesses should secure their sensitive data through strong DLP policies and secure cloud providers.

Better practices for security

Image courtesy of SuccessfulWorkplace.com

Data loss prevention programs accomplish three major things. Implementing DLP protects against unintentional leaks made by ignorant employees. Proper DLP also helps keep companies in compliance while protecting sensitive data from exploitation. And in an era of increased cyber attacks, data loss prevention programs help safeguard against hackers looking to crack company databases.

Causes of Data Loss

Image courtesy of Comsecglobal.com

Before implementing data loss prevention programs, businesses should first fingerprint the data so that it can be tracked throughout the process. Businesses must then decide how monitoring should take place (either through continual host-based monitoring or by scheduled scans), which enforcement and alerting measures to use, what data to evaluate, who has user access, and which applications participate. Data can be monitored at rest, in use, and in motion. At rest, data can be monitored through scheduled scans. Such scans compare the scanned data against the fingerprinted database, which acts as the test for any changes. In use, data access must be determined so that DLP tools can determine the context as well as the content of the data for identification purposes. As different users will have different access rights, the context for data-in-use monitoring will shift from person to person. What could be completely valid use and access for one user could entail an attack for someone else. For companies that need to protect their data from internal exploitation, monitoring of data in motion helps identify potential data loss via printing or USB copying.
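The fingerprint-then-scan step for data at rest described above can be sketched as follows. This is an added example, not code from the original post or from any DLP product: it assumes word-shingle hashing as the fingerprinting method, and the function names, the shingle size, the alert threshold and the sample documents are all constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

K = 5            # words per shingle (assumed value)
THRESHOLD = 0.3  # share of a protected document's shingles that raises an alert (assumed)

# Constructed sample data: one protected record and three files to scan.
PROTECTED = {"customer_list": "Customer account 1001 belongs to Alice Example with card "
             "ending 4242 and billing address 12 Sample Street Springfield"}
SAMPLE_FILES = {
    "export.txt": PROTECTED["customer_list"],  # verbatim copy
    "notes.txt": "Reminder: ALICE EXAMPLE, with card ending 4242 and billing "
                 "address 12 Sample Street -- call her back Monday.",  # partial, reformatted
    "lunch.txt": "Team lunch is at noon on Friday, bring your own card games",
}

def shingle_hashes(text, k=K):
    """Hash every k-word window of the case- and punctuation-normalized text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        windows = [" ".join(words)] if words else []
    else:
        windows = [" ".join(words[i:i + k]) for i in range(len(words) - k + 1)]
    return {hashlib.sha256(w.encode()).hexdigest()[:16] for w in windows}

def build_fingerprint_db(protected):
    """Fingerprint step: map each protected document name to its shingle set."""
    return {name: shingle_hashes(text) for name, text in protected.items()}

def match_text(text, db, threshold=THRESHOLD):
    """Return [(protected_name, overlap)] for every fingerprint the text overlaps."""
    seen = shingle_hashes(text)
    hits = []
    for name, fp in db.items():
        if not fp:
            continue  # empty protected document: nothing to match against
        overlap = len(fp & seen) / len(fp)
        if overlap >= threshold:
            hits.append((name, round(overlap, 2)))
    return sorted(hits, key=lambda h: -h[1])

def scan_directory(root, db, threshold=THRESHOLD):
    """Scheduled data-at-rest scan: report files that match a fingerprint."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = match_text(fh.read(), db, threshold)
            except OSError:
                continue  # unreadable file; a production scanner would log this
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo():
    """Write the constructed samples to a temporary directory and scan it."""
    db = build_fingerprint_db(PROTECTED)
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_directory(root, db)

if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

Because the fingerprint is built from overlapping word windows rather than a single whole-file hash, the scan still flags the excerpt in `notes.txt` even though its case and punctuation differ from the protected record.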

DLP for Enterprises

Image courtesy of NDM.net

For data loss prevention programs to be successful, businesses will have to tap into a group of IT and HR specialists to establish tailored policies and procedures specific to the needs of the particular company. This is all preparatory work that must take place before choosing a set of DLP tools or services to help manage the risk of data loss. However, as companies turn to data loss prevention programs out of fear of attack or security breach, most still make common mistakes that leave their data vulnerable. The most common mistake that newcomers to DLP make is attempting to cut costs by using untrained staff to spearhead the new program. Traditionally, IT projects start with establishing business needs, requirements, and service-level agreements (SLAs). IT then implements and manages any relevant tools while reporting back on SLA adherence. Oversight of data loss prevention programs ultimately lies in the hands of the CFO or CIO, depending on how companies delegate info security. What makes DLP implementation stand out from traditional IT projects is the high degree of technological skill required to navigate the complications of data loss prevention procedures. Companies that don’t engage in cross-department collaboration to implement new DLP programs are usually unsuccessful, as the complicated implementation of DLP requires the skills and expertise of a variety of departments.

DLP and the Cloud

After securing data onsite, companies should finish the job of protecting their data through a private storage and sync solution. But finding the right third party cloud service can be a challenge as many cloud services on the market have glaring security gaps that leave sensitive company data vulnerable to third party attacks and even internal exploitation. One cloud service provider that sets itself apart from the market is SpiderOak. This private cloud offers the convenience and cost savings of cloud storage and sync along with 100% data privacy.

SpiderOak protects sensitive business data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private. Two-factor authentication is just like the process used by some banking services that require a PIN as an extra precaution along with a password in order to successfully log in. With SpiderOak, businesses that choose to use two-factor authentication must submit a private code through SMS along with their unique encrypted password. Businesses can store and sync sensitive information with complete privacy, because this cloud service has absolutely “zero-knowledge” of passwords or data. Plaintext encryption keys are exclusively stored on the company’s chosen devices, so businesses can rest easy knowing their data won’t be exploited by the latest third party threat. SpiderOak’s private cloud services are available on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for flexible solutions for businesses of all sizes.