How to Keep Terrorists, Hackers and Other Bad Guys From Stealing Your Data
The sheer volume of digital information that businesses produce and collect
today offers a greater incentive than ever for hackers to break into private
online communications and company files. Recent revelations that the National
Security Agency (NSA) successfully used digital snooping to foil real-world
terrorist operations serves as a glowing reminder of life in the digital
information age.
The dramatic leak is also a somber reminder of the fragile nature of computer
security. Even disregarding concerns over NSA surveillance, small businesses
need to ask themselves if their IT infrastructure can withstand potential
intrusion attempts from foreign governments or organizations with deep pockets
and no qualms about hacking into their networks.
How-to: Build Multiple Layers of Security for Your Small Business
One way to significantly increase your security may be to reduce your companys
reliance on third-party cloud providers. Given an inherent lack of oversight
over external vendors, businesses have no viable means to accurately assess a
particular cloud providers' security posture or competence.
Moreover, cloud services may make an appealing target for sweeping,
state-sponsored hacking attempts by foreign governments. And these cloud service
providers could conceivably be compelled to reveal information via a secret
federal subpoena.
With this in mind, here are some strategies that your businesses can consider to
tighten the bolts on security and reduce your risk.
Bringing IT Home: Better Security, But at What Cost?
Bringing everything in house is the easiest way to ensure that no data can be
secretly accessed. This is relatively straightforward task for popular
collaboration platforms such as Microsoft Exchange Server and SharePoint, both
of which are available in both cloud and onsite flavors. In some instances, a
hybrid deployment model that puts highly sensitive data on an onsite server, but
more generic information at a cloud location, may serve you well, too.
While the initial cost of a non-cloud approach will almost always be more costly
than a cloud deployment, the maturity and available expertise in virtualization
infrastructure deployment means that mid- to long-term costs should not be
significantly more expensive. Moreover, the availability of more powerful
computer hardware, not to mention cheap storage and RAM, means that even a
relatively low-end server today is capable of running more virtual machines
simultaneously than ever before.
Unfortunately, the proliferation of online services means that an onsite
deployment may not always be possible. Security-conscious businesses may want to
reevaluate if online-only services such as QuickBooks Online and FreshBooks are
really necessary.
Related: How to Set Up a Business-Grade Wi-Fi Network
If that answer is "Yes," then you should at least ensure that all communications
with the online service is always conducted over an encrypted channel such as
secure sockets layer (SSL). This can be set up with the appropriate
configuration at the company gateway or proxy server to prohibit non-SSL
connections.
Add Encryption Services to Cloud Storage
Cloud storage has garnered a big following among businesses and end users-and
for good reason. The benefits are real: You can back up data to a remote
location with nothing more than an Internet connection, then access this data
regardless of your geographic location.
You can use cloud storage reasonably safely, provided you adhere to certain
precautions-specifically, encrypt all data and perform all uploads over SSL.
While practically all cloud providers say they encrypt uploaded data, many also
hold the decryption key, which renders any benefit moot. Ideally, the cloud
storage provider should have no access to the unencrypted data at all. This is
referred to as having zero knowledge of the data.
SpiderOak is one vendor that encrypts data at the block level. If your business
has already invested in a cloud storage service such as Google Drive, SkyDrive
and SugarSync you may want to look at Boxcryptor, which works on top of these
services to add AES 256 and RSA encryption to uploaded files.
Another option is Mozy, which offers the optional capability to encrypt data
with a private key. You can even nonsecure services such as Dropbox if you
ensure that data files are separately encrypted prior to being uploaded.
Analysis: Does Encryption Really Shield You From Government's Prying Eyes?
In addition, small and midsized businesses will be glad to know that offsite
backups are possible without having to resort to cloud services, because
network-attached storage (NAS) appliances from vendors such as Lenovo Iomega and
Synology offer the capability to perform device-to-device replication.
With the appropriate network infrastructure in place, there's no reason why
businesses can't deploy redundant units at branch offices to add real-time
synchronization or backup capabilities without having to invest in expensive
SANs.
Protect Instant Messages by Establishing Private Networks
Unprotected IM communication is also vulnerable to interception. Workers used to
conducting chats via public IM networks such as AIM, Google Hangouts and Windows
Live are essentially transmitting confidential discussions, passwords and other
privileged information with no guarantees of their privacy. Moreover, many IM
services also support video calls or voice chats, which serves as additional
risk vectors vulnerable to snooping by unauthorized parties.
Sidestepping these glaring security shortcomings entails circumventing public IM
networks entirely by establishing a private network-typically with a private IM
server deployed within a corporate network. Options include Microsoft Lync
Server or an open source alternative such as Cisco Systems' Jabber. (Note that
Lync may entail additional licensing costs, while Jabber and others may require
more effort to deploy.)
Getting users to adopt a new IM service may be a bigger challenge than most
businesses anticipate. AIM, Google Hangouts and Windows Live are popular for a
reason. Also note that many popular IM chat clients on both the desktop and
mobile devices may not support open standards such as Jabber, while a closed
platform such as Lync is typically accessible only on official clients.
Use VPN to Encrypt All Data Transfers
The virtual private network (VPN) is another commonly ignored security component
that businesses should hasten to implement. For remote workers, the capability
to encrypt data communications from their laptops and desktops back to the
office not only protects them from snooping at insecure Wi-Fi hotspots, it also
grants remote access to resources on the corporate network.
The complexity and cost of setting up a VPN has declined significantly.
Moreover, support is offered on a variety of tablets and smartphones. That said,
you will need to do some research to determine what will work best. (Most
leading VPN services will plug into existing directory services such as Active
Directory for authentication.)
Feature: Top SSL VPN Tools
Depending on the number of VPN users your company expects at any given time, it
may be necessary to deploy a beefier appliance or increase the specifications of
the virtual machine to deal with the workload.
Traditional physical and virtual solutions aside, outlier offerings such as the
iTwin Connect may work well for smaller organizations, too.
The iTwin makes it childs play to create an encrypted VPN tunnel back to the
corporate network. It leaves one end of the two-piece device plugged into the
office desktop, with the other end plugged into a laptop outside the corporate
firewall.
Businesses Must Stay on Their Toes
Allegations of snooping on government officials at the 2009 G20 summit, along
with the high-profile RSA hack in 2011, offer additional insight into what
governments and highly skilled hackers can pull off. Even SSL encryption may not
be as foolproof as once believed, given how hackers are stealing secret
encryption keys and successfully attacking digital certificate authorities.
No one is immune from hacking attempts and digital harassment. With so much at
stake, the onus is on businesses to raise their security baseline by eliminating
risky behaviors and implementing sound security measures. With diligence and
awareness, there's no reason for even small businesses on a modest budget can't
achieve greater security.
