FTC Warning on Sharing Files in the Cloud
by Andy Green, Varonis
As part of a research project I’m doing on data breaches, I came across some great practical advice about file sharing in the cloud, courtesy of the Federal Trade Commission. By the way, the FTC also has extensive information on security incidents. In any case, this 2010 report warns businesses to carefully review the risks of sharing data outside the corporate intranet via cloud services.
The FTC reminds medical and financial organizations that they are under special obligations to protect social security and bank account numbers, healthcare data, and other personal information. But any business holding PII that could leak out of its IT infrastructure will find the FTC’s guidelines very useful.
It’s not that the FTC is against external data sharing in the cloud—which they refer to in the report as P2P file sharing—but they ask companies to consider the risks. Here’s a key section that nicely summarizes the drawbacks:
“People who use P2P file sharing software can inadvertently share files. They might accidentally choose to share drives or folders that contain sensitive information, or they could save a private file to a shared drive or folder by mistake, making that private file available to others. In addition, viruses and other malware can change the drives or folders designated for sharing, putting private files at risk … Once a user on a P2P network downloads someone else’s files, the files can’t be retrieved or deleted. What’s more, files can be shared among computers long after they have been deleted from the original source computer.”
And for those companies that do use P2P, the FTC suggests a few measures to improve security:
• Bring the P2P software in-house and only give access to authorized users
• Delete sensitive information you don’t need, and restrict where files with sensitive information can be saved
• Use appropriate file-naming conventions that are less likely to disclose the contents
• Monitor your network to detect unapproved P2P file sharing programs
If you’re currently looking for an in-house solution that satisfies the requirements above, check out DatAnywhere. DatAnywhere offers the cloud experience without the cloud. It’s a no-compromise security solution that uses your organization’s existing file sharing infrastructure to provide file sync services, mobile device access, browser access, and third-party collaboration.
Contact your NCA trusted advisor at firstname.lastname@example.org or 1.800.604.6536 to learn more.