When using cloud services, it is important to balance the need to ‘open up’ access to information (to allow collaboration) with the need to ‘lock down’ to protect sensitive information.
We often hear of organisations making access controls too strict, preventing effective collaboration. Understandably, frustrated users with jobs to do will then be more likely to use shadow IT services. This blog post explains how collaborating via cloud services can deliver security benefits over traditional methods.
Traditional and modern collaboration practices
The traditional way to collaborate with external organisations involves sharing copies of information, for example by using emails and email attachments. This kind of collaboration creates multiple copies of information in multiple locations, which makes managing access to the information difficult.
Rather than sharing copies, modern collaboration in a cloud service works by sharing access to information that’s stored in a single location (the cloud). Users can then collaborate in different ways, which include:
- reviewing files in a cloud storage service
- participating in conversations in an instant messaging service
- checking availability in a cloud calendaring service
Security benefits of the modern approach
Using modern collaboration, information primarily stays in the cloud service. This means security controls in the cloud service can:
- keep control over who has access to the information and what they can do with it
- use greater auditing and visibility to see how the information is being handled
By sharing access to information (rather than sharing the information itself), permissions can be changed and revoked when necessary. For example, access to information can be revoked when a project ends. This also helps in responding to a security incident, such as when a user is wrongly added as a recipient, or a partner organisation reports a breach of their own IT. With traditional collaboration, it is much harder to recall (or delete) information after it has been shared.
Diagram shows information flow comparison for traditional and modern collaboration
When information stays in the cloud service, its activity logs can be used to see how it is being handled. This includes actions performed by users in other organisations. If an incident does affect shared information, these logs can be used to investigate what unauthorised access was made. With traditional collaboration, activity logs would have to be collected from each recipient.
Putting it into practice
The NCSC recently worked with the Central Digital & Data Office on a project to improve interoperability and effectiveness of collaboration in the civil service. Our involvement aimed to help government organisations understand and realise the security benefits of modern collaboration using cloud services.
During this project we strongly advocated for a ‘default-allow, explicit-deny’ approach to authorising recipients. This approach means that a user is allowed to share access with a given recipient as long as they are not covered by a deny list1.
We recommended this approach because we believe it:
- increases efficiency, as users are trusted to get on with their job without being obstructed or delayed by unnecessary restrictions and processes
- maintains confidence in security, as the organisation can verify that users are not accidently abusing this trust using activity audits in the enterprise-governed service (rather than shadow IT)
- reduces the management overhead, as administrators do not need to maintain an explicit allow-list of external collaboration partners
As a result, government departments will be able to collaborate more flexibly, effectively, and securely with each other and their partners. Sometimes you have to decide between more security and better usability. Fortunately, in this case we think organisations can have both.
Of course, when collaborating, there is always some risk posed by a malicious insider, but this applies whether you’re sharing information by email attachment or using a cloud service’s native sharing capabilities. We believe that security good practice can pragmatically reduce this risk (such as using secure mobile devices that mitigate the risk of a malicious app intentionally stealing information) without obstructing effective collaboration.
For more information about securely sharing access in enterprise cloud services, keep an eye out for the NCSC’s upcoming guidance on securing use of a Software as a Service (SaaS) application.
Cloud Security Researcher, NCSC
Original Source: ncsc[.]gov[.]uk
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on Patreon using the button below
To keep up to date follow us on the below channels.