Tuesday, November 13, 2012 6:36:06 PM
Miles of Files – All of it Unprotected in the Cloud
Bob Thibadeau, November 13, 2012
http://blog.wave.com/thibadeau/miles-of-files-all-of-it-unprotected-in-the-cloud/
Enterprises are incorporating—and even promoting—the use of social networking applications such as Facebook, Twitter and LinkedIn as a key, if not primary, method for communicating and disseminating information. Indeed, social networking could one day supplant traditional email messaging—in large part owing to its instantaneous one-to-many dissemination feature.
Simultaneously, there’s been a trend to move information to the Cloud. It’s more cost-effective and accessible—but introduces the potential for data exposure, leakage and breach, due to the nascent state of cloud “security.”
It begs the question: What assurances does the enterprise have that documents containing intellectual property or personally identifiable data are actually safe in the Cloud?
This uncontrolled—and to this point uncontrollable—usage of social networking and remote storage sites has drastically increased enterprise exposure to a wide range of financial and reputational liability caused by data leakage. It’s a cause of serious concern among my colleagues in the American Bar Association (ABA). Organizations are at risk for exposing trade secrets/proprietary information; sensitive data subject to HIPAA/HiTech (personally identifiable information such as name and address or social security number); financial information (name and account numbers, passwords); and more.
The constellation of potential liability includes the prospect of violation of breach notification laws such as HIPAA and HiTech, which can result in formal investigation and ensuing litigation and notification costs.
This rapid and pervasive adoption and usage of social networking and Cloud computing poses a convergence of significant potential legal liabilities to the enterprise. It’s driven home by some eye-opening statistics: the number of Facebook users exceeds 1.2 billion, with approximately 70 billion pieces of content shared on Facebook each month. There are 190 million Tweets each day!
Here’s the problem: When an individual or enterprise subscribes to a “free” social networking platform, they become “the product,” in the sense that they have given the providers access to and free rein to do pretty much what they’d like to with your information. Just read Facebook’s terms of service, which stipulate what it can do with the information uploaded to the site.
Until today, the enterprise has had no meaningful way to control the mass outflow of information. What’s worse, most users of remote Cloud-based file storage services may be lulled into thinking that there are adequate protections in place for their files, given the assurances that their data is “encrypted” when stored on their respective platforms. In reality, and despite these lofty assurances, there is little real user data protection offered by these services.
Leading Cloud storage vendors promote encryption as part of their service, but the fact is they always retain a copy of the user’s encryption key and accordingly can decrypt and read any information uploaded to their sites.
This presents security, compliance and control problems for the enterprise.
First, in the event that the service experiences a catastrophic system compromise, customer decryption keys (and all the sensitive information encrypted by those keys) may be exposed to the world. If that event should occur, the legal consequences rest squarely on the user’s shoulders. Indeed, it was reported that Dropbox announced a data security incident during the July–August 2012 timeframe.
The terms of service for these providers raise further questions, because they disclose that the service collects other information about users, and that this information may itself be disclosed. It is beyond a user’s ability to manage, and includes IP addresses and the email addresses of those with whom you share files.
Enterprise users must now confront the challenge of controlling the mass outflow of information. That challenge can be met with the deployment of scrambls files, a light-footprint application that seamlessly permits enterprises and individuals to encrypt social network and cloud storage information before it ever leaves the desktop, for lasting control over social web conversations, as well as files shared over the cloud.
Scrambls provides an easy-to-use tool for control of social media interaction spanning across the Internet. Scrambls works by encrypting part or all of the text you type, introducing a ‘key’ needed to read a post (or a file/folder to be stored in the cloud). The original content is encoded before being delivered to the web. The key gets stored at a scrambls server (or internally by an enterprise) while only the encoded post ever goes to the service provider. When the post is later displayed, scrambls applies the key to make it readable again—by only the individuals or groups you choose to give reading permission.
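The workflow just described, as an added illustration that is not Scrambls’ own code: the author encrypts on the desktop, only the encoded post reaches the service provider, the key sits at a separate key server together with the list of permitted readers, and a reader who is not on that list gets nothing. For contrast, the same code shows the situation from the previous section, where the provider stores the key beside the data, so that a copy of its store yields the plaintext. The cipher is a stdlib-only illustration (HMAC-SHA256 keystream in counter mode plus an HMAC tag); the class and function names, and the sample post, are constructed for this example, and a real deployment would use a vetted AEAD such as AES-GCM.

```python
"""Client-side encryption with keys held apart from the storage provider.

Added example (not Scrambls' code). Models: encrypt on the desktop, store only
ciphertext with the provider, keep the key and reader list at a key server.
The cipher is illustrative: a real deployment would use AES-GCM or similar.
"""
import hashlib
import hmac
import secrets


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one post key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then strip the keystream."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: post was altered or wrong key")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


class KeyServer:
    """Holds per-post keys and reader lists; never sees any ciphertext."""

    def __init__(self):
        self._keys = {}  # post_id -> (key, set of permitted readers)

    def register(self, post_id: str, key: bytes, readers: set):
        self._keys[post_id] = (key, set(readers))

    def key_for(self, post_id: str, reader: str) -> bytes:
        key, readers = self._keys[post_id]
        if reader not in readers:
            raise PermissionError(f"{reader} is not permitted to read {post_id}")
        return key


class Provider:
    """The social network or cloud store: keeps whatever it is handed."""

    def __init__(self):
        self.store = {}

    def publish(self, post_id: str, content):
        self.store[post_id] = content

    def fetch(self, post_id: str):
        return self.store[post_id]


def publish_scrambled(author: str, text: str, readers: set, key_server: KeyServer, provider: Provider) -> str:
    """Encrypt on the author's machine; only the encoded post leaves it."""
    post_id = secrets.token_hex(8)
    key = secrets.token_bytes(32)
    key_server.register(post_id, key, readers | {author})
    provider.publish(post_id, encrypt(key, text.encode()))
    return post_id


def read_scrambled(reader: str, post_id: str, key_server: KeyServer, provider: Provider) -> str:
    """Fetch the key (subject to the reader list) and decode the post."""
    key = key_server.key_for(post_id, reader)
    return decrypt(key, provider.fetch(post_id)).decode()


def demo() -> dict:
    """Run both models; returns what each party can actually recover."""
    ks, prov = KeyServer(), Provider()
    post = "Q3 merger draft attached"  # constructed sample post
    pid = publish_scrambled("alice", post, {"bob"}, ks, prov)
    results = {"bob_reads": read_scrambled("bob", pid, ks, prov)}
    try:
        read_scrambled("mallory", pid, ks, prov)
        results["mallory_reads"] = True
    except PermissionError:
        results["mallory_reads"] = False
    # A copy of the provider's store alone holds no readable text.
    results["provider_copy_readable"] = b"merger" in prov.fetch(pid)
    # Contrast: a provider that retains the key beside the data.
    escrow, key = Provider(), secrets.token_bytes(32)
    escrow.publish(pid, {"key": key, "blob": encrypt(key, post.encode())})
    dump = escrow.fetch(pid)  # one copy of the store is enough
    results["escrow_copy_readable"] = decrypt(dump["key"], dump["blob"]).decode()
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the split is that a compromise of the provider, or of the key server, is not enough on its own: the provider holds ciphertext it cannot open, and the key server holds keys but no content. The reader list enforced at the key server is what gives the author, rather than the platform, the say over who can read the post.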
As sensitive information is shared over the Web, it’s important that we, as individual authors and more importantly, as liable corporations—own our content and manage the keys to that content. We’ve entered a new age of dynamic sharing over social networks and cloud services, and scrambls now enables control. It’s time to add a layer of security and management for these communications, and to set the policy for who can read these Miles of Files in cyberspace.
Dr. Robert Thibadeau is an active member of the American Bar Association’s eDiscovery and Digital Evidence Committee and co-authored the Data Breach and Encryption Handbook. He also serves as Wave’s Chief Scientist.