Category Archives: Cloud

HIPAA Compliance and Office 365

 

Editor’s note: Contributor Mike Fleck is Co-founder of CipherPoint Software, Inc. Follow him @mfleckca

Healthcare organizations have to share patient information but they also have to keep that information private. The two requirements are in direct conflict. Add the Cloud and things get really “interesting!”

Cloudy with a chance of breach

Everyone wants to move to the cloud – especially for file sharing use cases. For larger healthcare organizations the motivation to move to the Cloud is often to consolidate enterprise users on a common platform (as opposed to the scattershot “shadow IT” approach that exists today). Smaller companies often just want to get off servers. Regardless of why HIPAA covered entities are moving to the Cloud or how big those entities are, the reality is they have patient privacy and security needs beyond what Office 365 and other platforms provide. When it comes to HIPAA covered entities Microsoft’s Office 365 is better than most (more on that later), but organizations need to approach Cloud adoption with a clear understanding of what the hosting provider can do from a security standpoint and what the end-user organization is responsible for. The scary thing is that users are adopting Cloud file sharing platforms far in advance of the enterprise actually being able to manage the risk of a breach of patient information associated with those platforms.

Carry a big stick

When the Obama Administration included patient privacy enforcement in the HITECH Act, many of us in the privacy business noted that HIPAA finally got some “teeth.” The HITECH Act and other related changes resulted in very impactful provisions relative to breaches of patient data, including:

  • The establishment of fines for losing unsecured electronic patient healthcare information
  • The notion of shared risk for companies that provide services (aka Business Associates) to a HIPAA covered entity.
  • The use of data at rest encryption as a form of safe harbor from the breach notification requirements

The Haves and the Have Nots

In the first paragraph I mentioned that Office 365 is better than most offerings. The reason I say this is because of what’s called a Business Associate Agreement (BAA). A HIPAA Business Associate (BA) is any organization that provides services to a HIPAA covered entity that traffic in patient information. A BAA is an agreement that a Business Associate signs to share risk of a breach of patient information relative to the BA’s services. SaaS and other Cloud providers are clearly delineated into two camps: those that will sign BAAs and those that won’t. Microsoft will sign a BAA. Google, Dropbox and many others will not. This dynamic is wreaking havoc with organizations that have patient information. At best they can get existing providers to sign a BAA. At worst, they have to track down rogue usage of services like Dropbox and threaten employees with serious consequences.

Common Threads

In the past several months we’ve talked to a lot of enterprise security leaders in the healthcare space about their patient privacy needs relative to Office 365. They tell us that they do not want to be in the business of controlling who can collaborate with whom but they do need to get a level of central control over patient privacy. These healthcare providers, payers, and other covered entities need to identify patient information in Office 365, encrypt that information at rest (to get Safe Harbor), and track who accesses it. Microsoft’s willingness to sign a BAA just means that Office 365 is on the short list of options. These healthcare systems and other organizations recognize that they, not Microsoft, are responsible for how the enterprise users consume Office 365.

Don’t rock the boat

The reality is there are collaboration platforms built explicitly for regulated or high security use cases. The problems with these platforms are that they are much more expensive than Office 365 and, maybe more important, users don’t want to adopt them. The right way to approach the problem is to make the platforms like Office 365 secure for patient information.

Securing Office 365 so that you can safely store patient information on the platform translates to encrypting the data, applying access controls, and auditing access to the data. With these three technical security controls in place, you’ll be in good shape to prove to auditors that you’re protecting your ePHI as required by HIPAA security requirements.

Data Encryption in a Post-PRISM Cloud

 

Editor’s note: Contributor Mike Fleck is Co-founder of CipherPoint Software, Inc. Follow him @mfleckca

The recent exposure of PRISM and the role that Cloud providers played in that program change how businesses need to think about Cloud data encryption. The conclusions reduce to two points:

  1. Implicitly trusting your Cloud provider is not a wise move when it comes to storing your sensitive and confidential data in the Cloud. Enterprises must maintain strict control of their information even while it resides and is consumed in the Cloud.
  2. Highly sophisticated organizations want your data. Enterprises need to adopt Cloud data encryption technologies that follow encryption and key management best practices.

Maintain Control

The Cloud provides great economies of scale for both the consumer of the Cloud service and the provider. For example, Microsoft, Google, and Amazon can buy more and better security technologies because they can split their cost-basis across a huge customer base.

The security challenge, then, relates to maintaining control of your information. As someone in one of my recent presentations said, “once you put your data in the Cloud it becomes the property of your Cloud provider who allows you the right to access it for a monthly fee.” With non-commodity Cloud offerings, enterprises can put the Cloud provider through months of due diligence and contract negotiations. That approach doesn’t work with offerings like Office 365 and the like. The best way to maintain control of your data is to encrypt it before it hits the Cloud and then maintain physical ownership of both the data encryption keys and the encryption/decryption functions.

Leave Encryption to the Professionals

While the US Government is the focus of attention these days (for obvious reasons) don’t forget that there are other nations trying to peek at your Cloud data. Like any other group of competitive organizations, if one is doing it the others are, too. This means that your organization is likely to face determined attackers with plenty of resources.

Here are some top concerns when it comes to the landscape of Cloud data encryption vendors:

  1. Proprietary Encryption Algorithms are the one thing that you never, ever want to use. If an encryption algorithm hasn’t been created, vetted, and accepted on a global academic and government scale then don’t use it. Period.
  2. Usability at the cost of security is an approach that vendors take when they don’t have the expertise and experience to devise a Cloud data encryption system that is both secure and usable. There will, of course, always be an impact to usability for securing your data but remember the first bullet. Cutting corners is as good as doing nothing at all.
  3. Encryption and key management require a pedigree. Encryption and key management are highly specialized disciplines. Few organizations have the talent and experience necessary to make encryption and key management both secure and usable. There are a lot of moving pieces like Initialization Vectors, sources for random numbers, encryption key storage, key rotation, and key expiration, just to name a few. We’ve touched on this topic in a previous blog post.
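
The moving pieces named in item 3 (IVs, the random source, key storage, rotation and expiration), shown together as an added example that is not from the original post or any vendor's product. It seals documents with AES-256-GCM from Go's standard library before upload; the Keyring type, the blob layout and the in-memory key storage are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// Keyring is a hypothetical customer-held key store: ids run 1..n, the highest is current.
type Keyring map[uint32]Key
type Key struct {
	Material []byte    // 32 bytes from the OS CSPRNG (AES-256)
	Expires  time.Time // after this the key decrypts but no longer encrypts
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never fall back to a weaker source for keys or IVs
	}
	return b
}

// Rotate adds a fresh key as current; older keys stay for decryption only.
func (kr Keyring) Rotate(now time.Time, life time.Duration) {
	kr[uint32(len(kr))+1] = Key{Material: random(32), Expires: now.Add(life)}
}

func gcm(k Key) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.Material)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs before upload. Blob = key id (4) || IV (12) || ciphertext+tag.
func (kr Keyring) Seal(doc []byte, now time.Time) ([]byte, error) {
	id := uint32(len(kr))
	g, err := gcm(kr[id])
	if err != nil || now.After(kr[id].Expires) {
		return nil, fmt.Errorf("key %d missing or expired: rotate first", id)
	}
	hdr := append(binary.BigEndian.AppendUint32(nil, id), random(12)...) // fresh IV
	return g.Seal(hdr, hdr[4:], doc, hdr[:4]), nil // key id authenticated as AAD
}

// Open selects the key by header id (an unknown id has no material and errors),
// so blobs sealed before a rotation still decrypt.
func (kr Keyring) Open(blob []byte) ([]byte, error) {
	if len(blob) < 16 {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	g, err := gcm(kr[binary.BigEndian.Uint32(blob)])
	if err != nil {
		return nil, err
	}
	return g.Open(nil, blob[4:16], blob[16:], blob[:4])
}

func main() {
	kr := Keyring{}
	kr.Rotate(time.Now(), 90*24*time.Hour)
	blob, _ := kr.Seal([]byte("constructed sample record"), time.Now())
	doc, err := kr.Open(blob)
	fmt.Printf("%d-byte blob -> %q, err=%v\n", len(blob), doc, err)
}
```

Rotation here only changes which key seals new uploads; re-encrypting older blobs under the new key is a separate step the example leaves out.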

Challenges Securing SharePoint Against Privileged Insiders

 

Editor’s note: Contributor Mike Fleck is Co-founder of CipherPoint Software, Inc. Follow him @mfleckca

It is well documented at this point that some leaked Wikileaks data came from SharePoint sites. Details have emerged regarding how the data relating to the PRISM breach was obtained, and this breach, like Wikileaks, also involved SharePoint.

To provide some structure for this discussion, we’ll break the discussion into three types of collaboration platforms: legacy file servers, on-premises SharePoint sites, and cloud collaboration platforms such as Office 365 and SharePoint Online.

Legacy file servers

Insider security threats in legacy file server environments include classic systems administrator issues (excessive permissions, inability to enforce need to know, lack of separation of duties). Third party products exist that can help add a layer of security control to these environments. These products enforce need to know by using an independent access control and encryption capability, which is usually managed by IT security or by the business manager (data owner).

On-premises SharePoint

Purpose-built collaboration platforms such as SharePoint bring a multitude of security issues, many of which depend on the use case, and the deployment model.

For example, SharePoint when deployed as an intranet collaboration system presents a different set of potential security threats versus SharePoint as an extranet collaboration platform. Regardless, however, it’s hard to argue that the SharePoint platform, out of the box, has sufficient security controls to prevent insiders from accessing sensitive information that they have no valid “need to know” of.

Even if you implement background checks and other process-based controls to mitigate insider threats, consider that administrator credentials are among the most prized targets by external attackers. Given the porous nature of perimeter-only security defenses today, implementing technical security controls that limit the damage that can be done from compromised system administrator accounts is just smart security (and part of a defense in depth strategy). It’s also worth acknowledging that systems administrators frequently take the path of least resistance, by combining service accounts and privileges. This can easily lead to a situation where the sysadmin’s credentials are literally the “keys to the kingdom.”

Locking down on-premises SharePoint sites requires an additional layer of access control and encryption.

Cloud Collaboration (Office 365, SharePoint Online)

Cloud collaboration systems bring a different set of security issues. Whether SaaS or IaaS, it’s impossible to ignore the fact that in external cloud services, outsiders (in the form of cloud service provider system administrators) are your new insiders (and insider threat).

Here’s an article that describes the havoc that can be brought by a rogue cloud service provider system administrator.

As with on-premises file servers and SharePoint sites, applying encryption and access control to data stored in cloud collaboration systems is the only way (from a technical control standpoint) to protect access to sensitive data. There are a number of different technical approaches to securing cloud data. Future articles will explore the various ways to do this.

SharePoint *cloud* terminology is confusing market




 

The industry is still buzzing about the cloud and in the SharePoint World there are plenty of different terms thrown around. I think it is important to define a terminology for SharePoint servers outside of “on-premise” where the assumption is full control of the servers to deploy full-trust solutions and “online” or “cloud” where the assumption is only control of site collection downwards and no full-trust solutions. This is essentially because offerings such as fpWeb, Rackspace and the new Windows Azure Virtual Machines (IaaS) also provide the ability to have full control and aren’t “on-premise”. There are also plenty of SaaS type offerings in the cloud for a multi-tenant environment with sandboxed control such as Office 365 SharePoint Online.

Microsoft has been spinning the “private cloud” term, which encompasses both on-premise and cloud servers that allow full control. I don’t believe this is immediately clear, as organizations can have an on-premise server that denies full control due to agreed governance policies around multi-tenancy across departments or business units.

Something I’m going to be consistent on moving forward is using the terms “Full Control SharePoint environments” and “Multi-Tenant SharePoint environments”. I have asked many people if they had terms already here, as this has been relevant all through the SharePoint 2010 wave, and yet hasn’t been clearly defined…please correct me in the comments if I’m wrong here.

Delineating between Full Control and Multi-Tenant is important due to the level of customization available to your SharePoint environment. This clears up the assumption that just because it’s “on-premise” or in a “private cloud” or “co-located”…doesn’t mean that you can deploy full-trust solutions to it.

Please discuss below…

IT vs. End-User

 

Editor’s note: Contributor Chris Riley is a Product Manager & Evangelist for CloudShare, Inc. Follow him @HoardingInfo

As seen on AIIM Community

Want more arguments? Follow #ECMJam on twitter.
Note, almost none have to do with IT and end-users working together

Box.net vs. SharePoint = End-Users vs. IT
Mobile Capture vs. Document Scanners = End-Users vs. IT
Cloud vs. Physical Hardware = End-Users vs. IT

Everyone enjoys a little argument and no more so than in the technology industries. We love to talk about which technology is better, which are the right methods, and which future concept will be a winning reality. Most recently, and on the AIIM blog especially, the leading arguments have been around Cloud vs. On-Prem, SharePoint vs. Non-SharePoint, Ease-of-Use vs. Professional Services. Usually when there is an argument, I quickly pick a side and start throwing punches. However, I’ve realized that we are ALL WRONG!

Not only are our points completely wrong, we are arguing the wrong thing. Is the contention really SharePoint vs. Box.net or Mobile Capture vs. Document Scanners or Cloud vs. Physical Hardware? Not really. The real contention lies between IT and End-Users.

What End-Users want is to solve a problem, or increase efficiency of a common task. Not only that, they want to solve it without spending time on the solution. Even technical end-users don’t want to waste more brain cells than they have to on technology. Why? Because it’s not their job. We are all spread thin with our day jobs, so adding just one more thing unrelated to core duties is very frustrating.

On the other hand, IT is paid to handle complexity, the more complex the better. IT puts the technology pieces together, and makes things work. Once they build something, their job is to maintain the status quo until a new approach arrives. Not only that, within IT are specialties, those who are great with hardware, those who are great with a particular software package, and those who are great with network security. The more proprietary the technology, the more specialized the admin, the more security. At least for now…

End-Users are left discovering very convenient technologies in the consumer space, and wondering, WHY THE HELL can’t I do this at work? They have an itch, they download an app, and itch is scratched. This makes easy to use applications, limited hardware, and basic UI an ever increasing demand.

So even though I’m sure all enterprise software packages can be formed into an easy to use solution, how long does it take? How involved do the end-users need to be in the process? The answer to these questions is contradictory. The longer it takes, the more end-users hate it, dead on arrival. Avoid the end-users, create something they don’t need. Involve the end-users, increase the deployment time. It’s like one of those metal puzzles I used to buy at “Cracker Barrel” just try to get them apart with ease.

End-users see IT as a hurdle, and seek “underground” technologies to avoid them.

IT sees end-users as a nuisance, and business use cases a great way to delay deployment.

Yes End-Users vs. IT is cliché. But every year the “underground” technologies available to End-users increase substantially. Ultimately this increases their frustration of “WHY NOT”, promotes slower adoption of heavy enterprise technologies, and makes IT and the vendors they support even bigger enemies.

So in the end who do you think will win? I will go out on a limb and say end-users. Why? Because what they do is more closely tied to the core business activities than IT. Closer tie to business activities means closer tie to revenue. Closer tie to revenue means power.

It does not have to be this way. IT and enterprise software vendors need to focus more on productivity enhancement, and business use case. IT should once again be more cutting edge than their end-users. Solving problems end-users did not even know they had. By doing so transforming their value from a specialty in obscurity into a science of efficiency. And as a community we need to get over ourselves and realize:

Only then can we start considering some startling things. Such as combining on-prem and cloud environments to maximize the benefits of both, picking the most efficient capture method for the job, and integrating “heavy” ECM solutions with ad-hoc collaboration platforms.

Undoubtedly this post will even start some argument, if not here, on twitter. I can only hope it’s one that is more beneficial than above, gloves are off.

Office 365 vs Google Apps vs HyperOffice vs Zoho: Battle of the Online Collaboration Suites

 

Last week, Alpesh Nakar published a review of Office 365 in which he asserted that “there is no competition for Office 365. Simply nothing.” Sweeping statements like that are catnip to this crotchety blogger, so I decided to play devil’s advocate and say: there are a number of cloud-based collaboration suites, and presumably most of them have some advantages and some disadvantages over Microsoft’s version.

For the sake of efficiency and my own sanity, I only looked at three of the most popular cloud collaboration suites: Google Apps, HyperOffice and Zoho Collaboration Apps, along with Office 365 Kiosk, SMB and Enterprise editions. I compared each in terms of desktop features, platform compatibility, browser compatibility, system requirements, administration and support offerings. My findings? Not to be all “it depends on your needs” but… it depends on your needs. And on your re$ources. If you want a one sentence recommendation: go with Office 365 Enterprise if offline document editing, heavy-duty formatting (especially of PowerPoint presentations) and workflow are integral to your company’s mo, and if you’re all running on Windows. If the above don’t matter so much but hosted project management and versatile web conferencing are vital, go with Zoho. If you have a large mobile workforce requiring editing privileges and well-tuned collaboration, go with Google Docs. If the term “DNS” gives you the heebiejeebies, go with HyperOffice.

Alors, the breakdown:

Cost:

Assuming you want the four cornerstones of cloud collaboration: interactive document management, team-based sites, email and meetings, the cheapest option of the four is Google Apps, which is $50/user/year. Zoho sells each of the cornerstones separately, so while its Docs and Mail components are only $24-36 and $36-60/user/year, respectively, Project, its team-based site component, is anywhere from an extra $20-80 a month. If you qualify for the basic Small Business edition of Office 365 and don’t need Active Directory Sync or BES, you’re looking at $72/user/year. If you need the enterprise edition, Office Professional Plus and Voice, you’re looking at $324/user/year, the priciest package of any on this list.

Features:

Feature-wise, it comes down to the presence and robustness of 6 things: simultaneous editing, presentation tool, online meetings, project management, offline sync and workflow. Simultaneous editing is one of Google Docs’ claims to fame, but all the suites have it, though Microsoft requires you to also have Lync configured. If you need a high quality presentation tool, 365’s PowerPoint is really your only option. Google Apps is the only suite lacking a dedicated online meeting space (though it does offer excellent video conferencing and chat services), and Office 365 and Zoho are the only suites to offer desktop sharing. Google Apps also lacks a dedicated project management space, but those put forth by the other three contain the same basic features: document upload + share, task management and some sort of project newsfeed. In terms of offline capabilities, Office 365 users who have Office 2007+ desktop suites can switch between the desktop and cloud versions of documents with a click of the mouse, while the other three offer limited and/or third-party dependent tools. Office 365 and HyperOffice both support workflow.

Platforms:

Good news for Windows users: everyone wants to work with you. For everyone else, especially mobile users of all stripes: sometimes people want to work with you, sometimes they just want to say they work with you, and sometimes they don’t want to go that far. Windows 7 users fare the best with Office 365, and will fare even better once Mango drops stateside. Also, if all you need is email, calendar, and contacts functionality, Office 365 Active Sync works on all devices. The other 99% of you are best off with HyperOffice, which is OS-agnostic.

Browsers:

Apart from Office 365, all the suites work on the four major browsers (IE, FF, Chrome, Safari). Only IE users get the full 365 experience.

Administration:

All of the suites are easy to install (unless you need to migrate BPOS to 365) via an online wizard, and are administrated via user-friendly dashboards/consoles/settings pages. Zoho and Google Apps have three user roles, HyperOffice has 4 and Office 365 has myriad, depending on which section you’re talking about. Google Apps and Zoho guarantee 99.9% uptime; 365 says it will have 99.9% uptime, but there isn’t exactly a precedent for that. HyperOffice guarantees 99.5% uptime.

Support:

HyperOffice wins this, thanks to its extensive free training program. Most of the suites offer live support (365 for Enterprise users only) and email support. 365 and Google Apps have active community support too.  

As you can see, there isn’t yet a single suite that does everything, so before you blindly buy, figure out what functionalities your workforce needs, what you can afford to pay and try to connect the dots.

Is your company using a cloud collaboration suite? Which one? What do you think of it?