The following is an excerpt from our brand new Mitigating Collaboration Risk Workbook. To learn how to build actionable plans to mitigate risk when you collaborate, download here!
Collaboration platforms can be on-premises, such as SharePoint Server or file shares, or in the cloud, like Office 365, G Suite, Dropbox, and Box. Either way, not all sources are created equal when it comes to information risk.
Generally, the substantial investment cloud providers make in their infrastructure security makes the cloud more secure than on-premises solutions. Additionally, some cloud providers like Microsoft have invested in more native security and compliance tools than other vendors.
However, regardless of whether your data is in an on-premises or cloud environment, or what vendor you’re using, collaboration platforms have common information risks that can be mitigated. These include:
1. Operational risk through constant usage in multiple daily business processes. The relentless frequency of use by employees across the organization increases the likelihood of inappropriate activities, ignored policies, and inadvertent breaches.
2. Compliance risk through disparate and non-integrated information protection approaches. While each collaboration platform is likely to offer its own approach to information protection, the organization is left without a holistic approach. The sheer number of different services, each with its own unique protection controls, creates a complex and conflicting control space, which surfaces new information risks rather than dissolving current ones.
3. Unquantified privacy, reputational, and compliance risks due to non-classification of data. Collaboration platforms are used to store, share and give access to unstructured data—including confidential, personal, and sensitive data—which is often not classified in collaboration platforms and is therefore without appropriate controls.
4. Operational risk through employee selection and usage of collaboration platforms outside the purview of the organization (shadow IT). The Risk and Compliance department is unaware that cloud services are being used. The Security Operations team doesn’t have the ability to capture and respond to security incidents in unidentified cloud services. The IT department is bypassed and therefore not involved in ensuring appropriate security controls are enacted, such as access controls to prevent a breach.
5. Operational and compliance risks due to an expanded set of locations where data responsive to Data Subject Access Requests and Data Deletion Requests is stored (these actions are required by GDPR which is covered in more depth in Chapter 2). Additional locations increase the cost and complexity of response.
6. Compliance and privacy risks through an ever-expanding set of options for sharing data with other people, both inside the organization and external to it. Newly adopted cloud services introduce uncontrolled ways of sharing data, and even sanctioned services such as Office 365 place many different sharing options at the fingertips of users. The proliferation of sharing options increases the likelihood of inappropriate sharing and therefore can cause breach situations.
7. Compliance and privacy risks due to data sprawl and the increased likelihood of inappropriate access, because copies of controlled data and duplicated information are stored without the appropriate controls in place.
8. Corporate and privacy risks due to third parties having access to your cloud environments for carrying out system management and administration responsibilities. While personnel from managed service providers, trusted third-party consulting firms, and even the cloud vendor often need administrative access to system controls, they should be prevented by design from having access to the data within the system.
9. Corporate and privacy risks because of third-party data held in your environment. Many privacy and data regulations make the entire supply chain responsible for mitigating information risk. This means you not only need to protect your own organization’s data but also the confidentiality, integrity, availability, and legal basis of collection of the data from your supply chain as well.