Cloud Security in Collaboration and File Sharing

Matthias Meyer 12/14/2022

How you protect your company data with cloud security when using collaboration tools

Table of contents
  1. Risks of Collaboration Tools
  2. Cloud Security Measures
  3. How to regulate data sharing
  4. Cloud Security Measures for Data Loss Prevention
  5. Data Loss Prevention with Microsoft Purview
  6. Activation of Versioning
  7. Monitoring of Collaboration Tools
  8. Microsoft Defender for Cloud Apps
  9. Conclusion

Collaborative work is gaining more and more importance in everyday work. The restrictions of the pandemic are not the only reason why remote work and "new work" have become increasingly popular. Whether it's the lonely cabin at the mountain lake, the camper on the beach or simply the cozy office in your own four walls: employees prefer a workplace of their own design to the office.

Digital collaboration offers even more advantages. By using shared tools you can, for example, work with service providers and partner companies that have exactly the skill set a project requires, no matter whether hundreds of kilometers lie between you. Even the days of impersonal project apartments are over.

And: efficiency can be increased immensely through collaborative work. For example, all colleagues can work on the document for an article at the same time, without sending different versions back and forth and laboriously merging them. Everyone is always on the same level.

Of course, every technology involves some security risks. In this article we address these risks and how you can defuse them.

Risks of Collaboration Tools

If data is to be processed across companies using collaboration tools, the data, or the tools used, must also be accessible via the Internet. This also applies, for example, if client VPN solutions, which allow limited access from the home office, are to be dispensed with.

Sharing with external parties carries the risk that data is inadvertently made available to too broad a circle of potential users. The marketing pitch for a new product should of course be shared with the colleagues at the marketing agency, but not with the general public before the product launch.

It must also be ensured that certain data is not passed on to uninvolved third parties, and does not remain accessible unnoticed after a project has ended.

The possibility of a large circle of people accessing data and working with it naturally also carries the risk that data is deliberately manipulated. Most of these risks arise through the uncontrolled use of such collaboration tools.

Cloud Security Measures

To prevent data from leaving the company unhindered, it must be protected from indiscriminate access, and the circle of people entitled to access it should always be clearly defined. In addition, it must be ensured at all times that the data cannot be manipulated.

The large and complex field of cloud security offers a range of ways to defuse such risks. You will find a selection of options in the following section.

1. Connection to Identity Provider

If you want to guarantee that only certain personalized users can access data in a collaboration tool, you should use an identity provider, i.e. a central database of users. Users or accounts can then be managed or blocked in the identity provider.

Especially if you use a variety of different collaboration tools, a central identity provider has another advantage:

If a project is finished and an external service provider no longer needs access to the data, they can simply be blocked in the central identity provider. If several collaboration tools were used for the project, the central block stops all of their data access at once.

Some tools also support the simultaneous use of several identity providers. Providers include Microsoft with Azure Active Directory, Okta, Google, RSA and SecureAuth. If single sign-on can be implemented with the identity provider, users can carry their login transparently from one collaboration tool to the next after logging in once at their central identity provider.

2. Google Workspace

Google Workspace comprises a wide range of individual services. You can read, receive and send e-mails via Gmail. Google Docs, Sheets and Slides allow you to work on documents, process data in spreadsheets or create presentations.

Using Google Drive, files can also be shared directly with colleagues in the company or with external partners. To discuss a project, you can communicate via chat or hold a video conference via Google Meet.

To give all stakeholders access to project data, a central identity provider can be linked to Google Workspace. You can then grant individual users dedicated rights to certain project data or files.

3. Microsoft OneDrive for Business

With Microsoft OneDrive for Business, Microsoft offers the central functionality for collaborative work with data in Microsoft 365. Files can be synchronized across devices and edited from any device, even via a web browser. If the new-work workplace is somewhere without internet access, files can also be edited offline and synchronized automatically afterwards.

Microsoft 365 and Microsoft OneDrive for Business bring their own central identity provider.

Due to the wide distribution of both tools in the professional working environment, there is another advantage here:

Users from an external Microsoft 365 instance can be authorized as guests in your own Microsoft 365. This not only allows dedicated rights to data to be granted to a personalized user; once blocked, the guest user also no longer has access to the data in your own Microsoft 365 environment.

4. ownCloud

With the open source software ownCloud, files can be synchronized between the users' different end devices, so that teams can work together on files. Unlike Google Workspace and Microsoft OneDrive for Business, ownCloud can be operated either as a SaaS solution or on your own IT infrastructure.

ownCloud also offers the possibility of connecting central identity providers in addition to locally created users. However, the technical possibilities differ significantly between the versions used. For example, LDAP integration is only available in the on-premise versions, and single sign-on (SSO) is only supported on-premise in the Enterprise version.


How to regulate data sharing

As already mentioned, it would be fatal if important data were accidentally shared with an indeterminate group of people, and worse still if this data were unprotected on the internet. Of course, sharing with people outside your own company can be prevented completely, but this in turn contradicts the approach of collaborative work. Especially when using ownCloud in your own data center, behind your own firewall or other perimeter protection, sharing with other people can simply be prevented.

1. Setting up restrictions in Google Workspace

In Drive from Google Workspace it is possible to regulate the sharing of data with certain groups of people, both outside and within the company.

Within a company, groups determine which groups of people are allowed to share data with each other and which are not. For instance, it can be determined that files of one team may be shared with a second team, while the second team is not allowed to share data within the company.

Across company boundaries, you can restrict the sharing of files to a certain group of people from another company. You can also prevent already shared files from being shared with further persons, or incoming shares from other companies from being used.

2. Three-tier data release in Microsoft OneDrive for Business

Microsoft OneDrive for Business makes sharing data configurable in three stages in a very easy way: first, you can completely prevent the sharing of files outside your company in the settings for managing external sharing. However, if you want to enable this function for your company, which naturally favors the approach of collaborative work, you have the option to configure sharing in three stages:

  1. Allow sharing for authenticated guest users with invitations
  2. Allow sharing with anonymous guest links and authenticated users
  3. Allow sharing only for existing guest users in the directory

For the last option, users from other companies must be invited, as described under "Connection to Identity Provider".

If data is only to be shared with partner companies, this can also be configured company-wide. Files are then shared exclusively with users from other companies whose accounts belong to a fixed domain.

3. Federated Cloud Sharing with ownCloud

Through ownCloud's Federated Cloud Sharing function, companies wanting to exchange files can authorize users of the respective other company on their own ownCloud instance. This function is available in all versions, whether on-premise or as SaaS. Users of different ownCloud instances can work together on files, while the files themselves remain protected.

Cloud Security Measures for Data Loss Prevention

If it is possible to share data with people outside the company, there is a great risk that information will flow out of the company unhindered as a result. Thus, when introducing collaboration tools, it is essential to ensure that this does not happen.

One cloud security strategy that deals precisely with this topic is data loss prevention. It describes measures, security techniques and also software solutions that protect information from unauthorized access. It prevents the outflow of information and deals with what happens in case of information loss. Continuous monitoring of all measures, security techniques and software solutions is essential.

Since this is a very multifaceted sub-area of cloud security, especially in relation to complex cloud solutions, consider the following simplified example:

A simple implementation of data loss prevention is maintaining a central list of file names that may be shared with people outside the company. On the user's end device, copying files whose names are not on this list can then be prevented. If users want to work across company boundaries on a file whose name is on the central list, access is permitted. Through clever monitoring, it can then be checked company-wide whether information has left the company unintentionally or deliberately.
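The allow-list scheme just described, as an added example (not code from the article): a policy check on the end device over constructed share events, where the company domain, the central allow-list and the file paths are all assumed sample values.

```python
# Added example of the simplified DLP scheme: internal recipients are always
# allowed, external recipients only for file names on the central allow-list.
# Every decision is returned as an audit record for central monitoring.
from dataclasses import dataclass
from pathlib import PurePath

COMPANY_DOMAIN = "example.com"   # assumed internal mail domain
# Central list of file names that may leave the company (constructed sample).
EXTERNAL_ALLOWLIST = {"marketing-pitch.pptx", "project-plan.xlsx"}


@dataclass(frozen=True)
class ShareEvent:
    user: str        # who shares the file
    path: str        # full local path on the end device
    recipient: str   # e-mail address of the recipient


def is_external(recipient: str) -> bool:
    """A recipient is external when its mail domain is not the company's."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return domain != COMPANY_DOMAIN


def evaluate(event: ShareEvent) -> dict:
    """Decide allow/block for one event and return an audit record."""
    # Compare the basename only, so Windows and POSIX paths behave the same.
    name = PurePath(event.path.replace("\\", "/")).name.lower()
    if not is_external(event.recipient):
        decision, reason = "allow", "internal recipient"
    elif name in EXTERNAL_ALLOWLIST:
        decision, reason = "allow", "file on central allow-list"
    else:
        decision, reason = "block", "file not cleared for external sharing"
    return {"user": event.user, "file": name, "recipient": event.recipient,
            "decision": decision, "reason": reason}


def audit(events: list[ShareEvent]) -> list[dict]:
    """Evaluate a batch and keep only the records a monitor should review."""
    return [r for r in map(evaluate, events) if r["decision"] == "block"]


if __name__ == "__main__":
    sample = [  # constructed events
        ShareEvent("alice", r"C:\Users\alice\marketing-pitch.pptx", "bob@agency.example"),
        ShareEvent("alice", r"C:\Users\alice\salaries.xlsx", "bob@agency.example"),
        ShareEvent("carol", "/home/carol/salaries.xlsx", "dave@example.com"),
    ]
    for record in audit(sample):
        print(record)
```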

Data Loss Prevention with Microsoft Purview

With Purview, Microsoft provides a solution that allows data loss prevention policies to be implemented on end devices. These policies identify sensitive information, which can then be continuously monitored and automatically protected.

If a violation of the company-wide policies is detected, various countermeasures are taken. In the simplest case, users are notified that an attempt was made to disclose confidential information.

Furthermore, sharing can simply be blocked, or the data can even be locked against access and moved to quarantine. The option to hide sensitive information can even be configured for Microsoft Teams chats.

Activation of Versioning

When information is overwritten or files are manipulated, deliberately or unintentionally, one way of minimizing the damage is to restore an old file version. It is most user-friendly when the collaboration tool allows users to restore old versions themselves.

In Google Workspace:

In Drive from Google Workspace, old versions of Google Docs, Sheets and Slides can be viewed and restored by the users at any time.

In Microsoft OneDrive for Business:

Microsoft OneDrive for Business offers users the opportunity to view previous versions of files. Once the desired version is identified, you can restore it. Thanks to the integration of Microsoft OneDrive for Business into all Microsoft Office programs, previous versions can also be browsed from within the Office programs themselves.

In ownCloud:

In ownCloud you can only restore individual versions of files.

Monitoring of Collaboration Tools

All the measures presented so far for securing data during the use of collaboration tools are right and important in themselves. However, data security can be increased considerably if you get a comprehensive overview of all users involved, connected systems and implemented measures.

All communication should be monitored, logged and restricted in case of threats. For this purpose, cloud security has its own class of applications, so-called cloud access security brokers. The cloud access security broker can check whether users have the appropriate permissions to use cloud applications.

If the permissions are missing, the cloud access security broker can prevent use. Through continuous monitoring of all involved components, the company's security officers can be notified, so that countermeasures can be initiated in time. In addition, regular reports on the relevant functions can be created.

Microsoft Defender for Cloud Apps

With Defender for Cloud Apps, Microsoft offers its own cloud access security broker. Based on the analysis of firewall or proxy logs, Defender for Cloud Apps always has a clear picture of the traffic between users and cloud applications, whether the logs come from a firewall on an end device or from the central firewall in a company's data center. This is the so-called cloud discovery function. If intervention in the data traffic is necessary, changes can be made via scripts.

If desired, you can also route users' traffic directly via the proxy functionality of Defender for Cloud Apps.

Through the application's app connectors, the cloud applications in use, such as a collaboration tool, can be integrated via API. This gives Defender for Cloud Apps transparent insight into the usage of the integrated applications. Through the API, a reaction to a cyber threat is also possible here.
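The cloud discovery idea from this section and the permission check a cloud access security broker performs, as an added example that is not Defender for Cloud Apps' own code: a script that reads constructed proxy log lines, maps destination hosts to cloud applications via an assumed catalog, and reports uploads to applications that are not sanctioned. The log format, the catalog and all host names are constructed for this example.

```python
# Added example of cloud discovery over proxy logs: map destination hosts to
# cloud apps, aggregate uploaded bytes per user and app, and flag traffic to
# apps the company has not sanctioned. Log format and catalog are constructed.
from collections import defaultdict

# host suffix -> (application name, sanctioned?)   (constructed catalog)
APP_CATALOG = {
    "drive.google.com": ("Google Drive", True),
    "sharepoint.com": ("OneDrive for Business", True),
    "owncloud.example": ("ownCloud", True),
    "filedrop.example": ("Unknown file sharing", False),
}


def classify(host: str):
    """Return (app, sanctioned) for a host, or (None, None) if not cataloged."""
    host = host.lower()
    for suffix, entry in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None, None


def parse_line(line: str) -> dict:
    """Constructed log format: '<timestamp> <user> <dst_host> <bytes_out>'."""
    ts, user, host, bytes_out = line.split()
    return {"ts": ts, "user": user, "host": host, "bytes_out": int(bytes_out)}


def discover(lines: list[str]) -> dict:
    """Aggregate uploaded bytes per (user, app) and collect findings."""
    usage = defaultdict(int)
    findings = []
    for rec in map(parse_line, lines):
        app, sanctioned = classify(rec["host"])
        if app is None:
            continue                      # not a cataloged cloud application
        usage[(rec["user"], app)] += rec["bytes_out"]
        if not sanctioned:
            findings.append(f"{rec['ts']} {rec['user']} uploaded "
                            f"{rec['bytes_out']} bytes to unsanctioned app {app}")
    return {"usage": dict(usage), "findings": findings}


SAMPLE_LOG = [  # constructed proxy log lines
    "2022-12-14T09:01:02 alice drive.google.com 512",
    "2022-12-14T09:05:10 alice upload.filedrop.example 2048000",
    "2022-12-14T09:07:44 bob tenant-my.sharepoint.com 4096",
    "2022-12-14T09:09:00 bob news.example.org 128",
]

if __name__ == "__main__":
    print(*discover(SAMPLE_LOG)["findings"], sep="\n")
```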

Conclusion

Collaboration tools are indispensable today for working efficiently in the future. With the right configuration, for example the choice of a suitable identity provider, this can even be achieved across company boundaries. Selecting the right applications simplifies processes, and great synergies can emerge in projects.

You can find a selection of collaboration tools in the Collaboration Tools and Software Comparison on OMR Reviews.

However, there are some challenges to consider, especially when using collaboration tools in the cloud: in general, the ability to share information carries the risk that data is shared with third parties contrary to internal guidelines. Implementing data loss prevention measures and central monitoring of cloud applications can further enhance security.

With Google Workspace, Microsoft OneDrive for Business and ownCloud you have seen three examples of implementing cloud security with collaboration tools.

Matthias Meyer
Author

As a computer scientist he has the play instinct notorious among IT people and prefers trying things out to talking about them at length. As co-founder of SEQUAFY GmbH he specializes in Amazon Web Services, network administration, architecture and design.
