A healthy approach to file security balances the ease of user access with appropriate protections. Essentially, the goal is to minimize the number of hoops employees and customers have to jump through to get what they need, while at the same time ensuring that unauthorized access is completely prohibited.
The best file security solutions do both: they streamline user access and add multiple layers of protection.
No matter how your infrastructure is deployed, these 13 tips will help you secure every single file.
1. Architect securely
It’s essential for all companies that work in the cloud to understand their responsibility for securing the perimeter, and building up appropriate defenses. Misconfigurations, open ports, mislabeled buckets can all lead to private files becoming public.
Companies share responsibility for cloud security with their providers. For SaaS apps, the provider handles much of the security, but IAM and file security still reside with the customer. For IaaS, customers are typically responsible for the OS layer and above.
Oracle Cloud Security, Azure Security, and other platforms walk customers through how to architect their infrastructure so as to keep it secure. Protecting networks and protecting compute resources are foundational for file security.
This is an ongoing battle. Companies need to continually update operating systems, router firmware, applications, and other resources to make sure that all vulnerabilities are patched. Every gap in security is an opportunity for an attacker to exfiltrate sensitive files.
2. Leverage IAM
Identity and access management (IAM) refers to the overall strategy a company employs to monitor and control user activity across their IT environment. No matter what platform your company is working on, IAM is a foundational element of file security, and the overall safety of the organization.
The best method of securing files with IAM will depend on the suite services you have, but generally speaking, it works by authenticating the identity of users and devices. That identity is then bound by administrator-set permissions. Users may only be able to access certain resources. Devices may only be accessed by certain users, or with specific encryption keys.
A well-organized IAM strategy gives your IT teams visibility and control. It creates base-level boundaries between resources that allow users to move freely without discovering something they shouldn’t. If users mistakenly move a resource to an unsafe location, the action will be flagged or outright prohibited.
There are many tools designed to ease the process of identity creation and management. Microsoft Groups 365, formerly Office 365 groups, and Security Groups from AWS security represent two IAM solutions that streamline the process of creating new identities and controlling access at scale.
3. Enable SSO
Single sign-on (SSO) allows users access multiple cloud and on-premises resources with one secure login. Instead of having to remember (and rotate) passwords for dozens of services, employees use SSO to authenticate a single, cross-platform identity.
SSO makes it easier for employees to be productive by smoothing their access to files. It reduces the cognitive and organizational burden of password management, and places them on the network in a highly monitorable fashion.
Like any time-saving feature, SSO introduces security risks of its own. If an account becomes compromised, an attacker can gain access to far more than the individual endpoint or application. To ensure that SSO is not a double-edged sword, use it in conjunction with other security services, such as MFA.
4. Enforce MFA
Multi-factor authentication (MFA) requires two different types of identification before access is granted. In addition to a knowledge factor (password, PIN, security question), MFA may authenticate possession factors (device, one-time passcode), inherence factors (fingerprints, eye scans), or the device’s geolocation.
MFA prevents unauthorized access to resources in a similar fashion to an ATM card (possession factor), which is useless without the PIN (knowledge factor).
Enabling MFA for SSO means that compromised passwords won’t result in a breach. By using secure factors like one-time passcodes and biometric recognition, a hacker in possession of a password or device will be unable to proceed further.
You can also apply additional layers of MFA to sensitive resources within your environment, making it impossible for those inside your perimeter (malicious or benign) to access, corrupt, or misplace these important files.
5. Establish secure connectivity
Companies need to ensure a secure connection between employees and resources, no matter where they are. This promotes the safe exchange of files by preventing eavesdropping, tampering, and hacks.
Using virtual private networks (VPNs) is one way to establish an encrypted connection between devices, which secures any data that travels between them. Like SSO, VPNs should be protected by MFA because, were a VPN to be compromised, an attacker would gain access to all connected resources.
There are ways to establish secure connectivity without a VPN, such as Zscaler Private Access, which enforces zero trust network access (ZTNA). With ZTNA, all traffic is treated as malicious, which means it is continuously re-authenticating, preventing authorized users from moving across the network.
With so many employees working remotely today, ensuring that private connections are truly private is an essential step for secure file sharing.
6. Configure DLP policies
Data loss prevention (DLP) refers to the technologies and policies that block inappropriate data transfers. DLP works in real time to monitor data at-rest, in-transit, and in-use to ensure that it isn’t accidentally or criminally exposed.
DLP prevents files from being shared, moved, copied, printed, or downloaded onto removable storage devices. Administrators classify files, folders, and drives so that DLP works continuously to ensure that sensitive information and intellectual property are not leaked.
Many DLP policies can be enabled within the cloud application and compute services companies already use. Google Cloud Security, for example, provides an extensive range of DLP tools, as well as tutorials that explain how to get the most out of them.
7. Deploy endpoint security
In addition to their core resources, companies have to protect the user devices in order to ensure file security. With remote access and BYOD (bring your own device) the norm for many organizations, deploying a quality endpoint security solution is a must.
The best endpoint security tools discover, monitor, and defend every device, no matter where it is. Security administrators can ensure that every device is up to date and free of threats. If a device is compromised, it is automatically flagged. Admins can usually remediate the problem within the endpoint security console, quickly preventing an attack from spreading.
8. Deploy a CASB
A cloud access security broker (CASB) discovers all of the applications that employees are using. Administrators can whitelist and sanction applications, and enforce granular DLP policies in distributed and BYOD environments that would be impossible with traditional security tools.
The increased visibility and management capabilities lower the risk of Shadow IT, which can jeopardize file security as users share data across unknown programs.
Different CASBs allow different levels of control. With Microsoft Cloud App Security, for example, you can discover infected files and suspicious user behavior, such as unusual file download quantities.
CASBs can be standalone products, or included as part of a cloud security gateway that monitors and inspects all traffic.
Products like Forcepoint Cloud Security Gateway function as a CASB, secure web gateway, DLP tool, and provide remote browser isolation (RBI). With RBI, users can access the internet without exposing any of their files or other company resources.
9. Use document security features
Many PDF, spreadsheet, and word processing applications have user-friendly features to secure sensitive documents. Sometimes these are available directly within the app, like password protect, watermarking, and document expiry.
What’s nice about these features is that they are on top of your CASB, IAM, and network security architecture, and largely controlled by end users. This is important because administrators can’t be responsible for the fine-grained discretion that goes into sharing files on a day-to-day basis.
A sales manager, for example, needs such flexible controls to meter customer access to company resources (demos, bids, and other intellectual property). With password protection, document tracking, and document expiry, they have oversight over which files each customer can access, and how they are sharing them.
10. Degauss and destroy old drives
Data erasure should be deliberate and baked into your workflow to protect sensitive information from being shared accidentally. Overwriting data is a good first step, but it may no longer be enough. The reason is that data recovery techniques are fairly good at retrieving overwritten data, and unfortunately this can be repurposed by hackers.
For companies with hybrid cloud security concerns, it’s imperative to degauss and destroy old drives, which prevents sensitive files from ever being recovered.
11. Proper offboarding
The final investment you should make in an employee who is leaving your organization is a comprehensive offboarding. There are a number of things that need to happen in order to make sure that file security is maintained throughout the process. Some of the key steps are:
- Recover all of their company devices
- Terminate their SSO access
- Change all passwords shared with them
- Revoke SaaS licenses and email accounts
- Back up all their data
By taking these actions, a company protects itself from the continued access of someone who no longer works there. If they dispute their termination, you will have all of their information saved as reference for the decision, and they will have no recourse to cause harm on their way out the door.
Make sure to notify everyone that the employee is leaving so as to decrease the risk that one of their colleagues continues to share files with them.
12. Test your backup solution
Every company should have a robust disaster recovery solution, and that solution should be tested routinely. Many companies draw up a strategy, schedule automatic backups, and assume that all their files are secure. This is incredibly risky.
Run full-scale scale tests of your backups that demonstrate everything you want saved will be fine during an actual emergency. “Sample” tests that only include a few files as proof of concept are not enough to know that entire applications, directories, and servers are adequately sheltered.
IBM Cloud Security and other providers have solutions for backup and disaster recovery that make it easier for companies to maintain copies of all their information. You can also use the best server backup tools, which are cost-effective, dedicated solutions from trusted vendors.
13. Create a security-conscious culture
All the tools and services in the world will not promote file security without the buy-in of the employees who use them.
Proper onboarding is key. Employees should have a complete understanding of their security responsibilities and role as the human layer of the company’s defenses. Continuously encourage individuals and teams to practice smart behavior, and make sure they are aware of all the document security features they have.
If someone forwards a phishing email to IT instead of clicking on the malicious link, share the information across the company and congratulate the employee. Small steps like this keep the persistent threat of cyberattack at the front of everyone’s mind.
Promoting a culture of security is critical, as people have hundreds of choices to make each day as they share files with clients, customers, and colleagues. Leaving a link open or failing to enable file security features begs disaster.