Posts

Google Vault: What It Is and Why You Should Consider It

What Is Google Vault?

Google Vault is a cloud-based information governance, compliant archive, and eDiscovery tool that allows organizations to manage, retain, search, and export their data across various Google services. Historically, Vault was an add-on for G Suite Basic and was included with G Suite Business and Enterprise. It provides a secure and centralized platform to manage all your organization’s data, including email, chat messages, and Google Drive files.

As Google transitions to the new Google Workspace, Google includes Vault in all Google Workspace Enterprise subscriptions and Google Workspace Business Plus. Vault is not available as an add-on for the Google Workspace Business Starter and Standard subscriptions at this time.

Overall, Google Vault provides a powerful and efficient way to manage and protect your organization’s data, giving you greater control over your information and helping you stay compliant with industry regulations.

To decide if you need, or want, Vault, you need to understand the What, How, and Why below.

What Google Vault Does

Vault is a compliant archive/e-discovery service for Google Workspace.  The service captures all email, documents, and chats, even if they have been deleted by the user.  As such, Vault meets federal and state regulations for legal discovery.  Vault features include:

  • Archive:
    • Inbound, outbound, and internal email messages
    • Documents
    • Internal and external chat messages
  • “Matters”:
    • Search and gather all relevant materials
    • Save searches and results
  • Legal Holds:
    • Retain relevant data regardless of retention period
    • Prevent removal of data until a “Matter” is resolved
  • Audit Trails:
    • Capture activities
    • Document searches and exports
  • Reports:
    • Export data related to a “Matter” for delivery
    • Documentation that validates data integrity

How Vault differs from Backup

While Vault and backup systems both preserve and protect data, they serve very different purposes and functions.

Vault is intended to keep, find, export, and deliver data in a way that complies with Federal and State laws for legal discovery.

Backup systems are designed to preserve and restore information that has been lost or damaged.

In Vault, you can retrieve individual items and small batches of data. Doing so, however, does not restore the data to its prior location. Nor does Vault preserve metadata, such as date last modified and permissions.

Backup solutions and systems cannot guarantee that you have preserved all of your data.  Most backups are configured to remove deleted items from backup files after set periods of time.  Backup systems also prune data into weekly and monthly snapshots, resulting in a potential loss of versions.

Why You May Need or Want Google Vault

The driving factor for most businesses and organizations is regulatory compliance.  A range of laws and industry regulations require businesses to maintain records, including but not limited to:

  • Sarbanes/Oxley
  • Freedom of Information / Public Records
  • SEC-17
  • FINRA
  • PCI-DSS
  • HIPAA

If you are not subject to these regulations, you may want Vault in order to maintain data for:

  • Policy enforcement
  • Contact and legal negotiations
  • Personnel matters
  • Quality control

We recommend that your Google Workspace (G Suite) subscription be protected by a backup/recovery solution. You may not need or want Vault. If you do not have a regulatory need, assess the value proposition of the added business protection and cost.

FAQs

Is Google Vault Free?

You can add Vault from your Google Admin console if you purchased Google Workspace online and your edition supports add-on licenses. You’ll begin with a free 30-day trial. Vault is also included at no extra cost with Google Workspace Business and Enterprise editions.

How do I access Google Vault?

Sign in to your Google Workspace account at https://vault.google.com. If you are unable to sign in to Vault, contact your Google Workspace administrator and request that Vault be enabled for you.

Learn more about Cumulus Global’s data protection and security solutions, contact us with any questions, or schedule a complimentary Cloud Advisor appointment.

The Cost of Downtime Explained in 7 Ways

A recent survey found that 40% of small and midsize businesses (SMBs) experienced 8 or more hours of downtime due to a severe security breach within the past year. According to the National Cyber Security Alliance, 60% of SMBs who experience a significant data breach go out of business within six months. The highest cost of an unplanned outage is more than $17,000 per minute. The average cost per minute of an unplanned outage is nearly $9,000 per incident. These statistics are sobering. For many SMBs, however, the risks still feel foreign and not something that warrants action. Protecting your business requires some knowledge and good advice, intent, action, and small investments.

It is easier to rely on myths such as, “We are not a target for cyber attackers”, “We can run on pen and paper until we recover”, and “Our customers will understand” than it is to assess your risks and take action. Nevertheless, the risks are real and the number of SMBs hurt by downtime continues to rise.

The cost of downtime can vary depending on the size of the organization, the industry, and the nature of the downtime. Downtime can be caused by various factors such as power outages, network failures, software issues, or hardware failures. In today’s world, it’s essential to streamline security if you’re an SMB, and understand the consequences downtime can have on your business.

Here are seven ways downtime can damage your business:

1. Monetary Cost

Downtime leads to lost sales and lost productivity impacting top-line revenue and your bottom line. These costs hit your pocket in addition to the cost of recovery and returning to normal operations. If you need to calculate the average cost of downtime, our specialists can help.

2. Customer Trust

When you are unable to serve your customers, they lose faith in your business. While downtime for natural disasters is understandable, today’s customers have little tolerance for disruptions due to cyber attacks and breaches. Lost trust means lost customers.

3. Brand Damage

Your brand identity and reputation drive customer loyalty and growth. Service disruptions from technology failures or breaches send a message that your business may be poorly managed and is unreliable. These messages lead to loss of goodwill and create negative impressions of your business in the minds of your customers.

4. Employee Morale 

Disasters due to data loss or breaches mean employees need to perform double duties. Employees spend time on recovery while working to keep the business operational. It often requires additional work hours. Recovery can be stressful and demoralizing.

5. Business Value 

Businesses that suffer data breaches and service disruptions are perceived as poorly managed. With the potential financial liability, public companies can see stock prices fall. All companies can suffer a loss of business value.

6. Legal Action

Downtime creates the risk of legal action. This is particularly true for downtime that is perceived as preventable. System failures, data loss, security breaches, and other incidents can put your business in breach of contract. You may also be in violation of state and federal regulations, making proper data protection and security vital.

7. Compliance Fines & Penalties 

As information privacy and security regulations expand, data loss and breaches create the real potential for fines and penalties related to regulatory compliance, privacy, and data retention requirements.

These risks carry the potential for lasting damage. Whether by increased financial burdens or winning back customers, the impact of downtime extends well beyond getting yourself up and running again.

Is your business worth protecting?

Protecting your business will not break the bank. We offer practical, affordable cloud infrastructure solutions that help you and your team understand the risks, prevent problems from happening, and continue operating in the event something bad does happen.

If your business is worth protecting, contact us for a complimentary Cloud Advisor session to discuss how we can improve your business’ resiliency.


 

G Suite Security: Advanced Security for Modern Threats

In multiple blog posts over the past 2+ years, we have covered the changing and growing nature of threats to your organization, systems, and people. G Suite security offers advanced measures to protect user data, including encryption, 2-step verification, phishing protection, and admin controls. For us, the answer is CPR:

Communicate and Educate;

Prevent & Protect;

Recover & Review. 

Once you have these basics in place, the challenge becomes keeping up with the times. As the nature of threats changes, the protective capabilities of our key systems should evolve as well. This includes thinking about managed cloud services, which are being driven by modern security needs.

For those of us running G Suite, we may understand that Google has expanded the security footprint and capabilities, but have we altered our configuration to properly protect ourselves?

G Suite Security Best Practices

The first step in assessing your data protections and security is to understand the risks.

  • 91% of attacks start with a phishing email
  • 66% of malware was installed via malicious emails or attachments
  • 90% of all reported breaches were caused by employee negligence, extortion, and external threats

These statistics, while not unfamiliar, point to the change in risk from physical devices to data and human interactions.

As people can be your greatest risk, the best protections compensate for human behavior.

Versions of G Suite Security to Protect Your Business

Step two is mapping your security needs to the right version of G Suite. Each version adds additional protections, allowing you to move up to the version that best meets your needs and priorities. Understand what each version offers and map them back to your regulatory and business requirements.

G Suite Basic Security Features

  • Encryption in transit and at rest, including policy-based TLS enforcement
  • 2-Step Verification via prompt, SMS, Security Key, or Authenticator app
  • Single Sign-on (SAML 2.0)
  • OAuth 2.0 and OpenID Connect
  • Restrict emails to authorized recipients
  • Drive audit logs

G Suite Business Security Features

  • Vault for compliant archiving and e-discovery for Gmail, Drive, and Hangouts Chat
  • Team Drives for centralized access controls and permissions management
  • Domain white-listing for Drive with alerts
  • Basic Information Rights Management (IRM) to manage scope of sharing by Organizational Units

G Suite Enterprise Security Features

  • G Suite Security Center with a unified security dashboard
  • Advanced Data Loss Prevention for Gmail and Drive files
  • Email content compliance and objectionable content filters, with OCR
  • Security key enforcement
  • User S/MIME Certificates for Gmail encryption
  • App white-listing to control 3rd party data access
  • Sandboxing (pre-delivery deep scanning) of email attachments

Moving to the right version of G Suite security has never been easier

While no one product or service will meet all of your security, privacy, and data management needs, moving to the right version of G Suite improves your security footprint and can mitigate the need for 3rd party solutions. To help you move, we are partnering with Google to offer pricing incentives.

Your next step is to contact us to schedule a complimentary Cloud Advisory Session to assess your needs, priorities, and options.

FAQs

How secure is G Suite?

G Suite is a highly secure platform that offers a range of advanced security measures to protect user data. It uses encryption to protect data in transit and at rest, and offers features such as 2-step verification, phishing protection, and admin controls. Google also undergoes regular security audits and certifications, and has a dedicated team of experts to monitor and respond to any security threats. While no system can be 100% foolproof, G Suite’s security measures are among the most advanced and robust in the industry, making it a trusted choice for businesses of all sizes.

How do I make my G Suite more secure?

There are several steps you can take to make your G Suite more secure:

  1. Enable 2-step verification: This adds an extra layer of security by requiring a second form of authentication, such as a code sent to your phone, when signing in.
  2. Use strong passwords: Use unique and complex passwords for each account and change them regularly.
  3. Enable mobile device management: This allows you to monitor and manage access to G Suite on mobile devices.
  4. Enable security key enforcement: This adds another layer of protection to your account by requiring a physical security key to access it.
  5. Use data loss prevention (DLP) rules: DLP rules can help prevent sensitive data from being shared outside of your organization.
  6. Regularly review your security settings: Make sure your settings are up-to-date and in line with best practices.
  7. Educate your users: Train your employees on security best practices and provide them with regular updates and reminders to help keep your organization safe.

Is G Suite more secure than Gmail?

G Suite and Gmail both offer advanced security measures to protect user data, but G Suite is generally considered to be more secure than Gmail. This is because G Suite is designed for business use and offers additional security features such as mobile device management, data loss prevention, and advanced administrator controls. Additionally, G Suite undergoes regular security audits and certifications to ensure the highest levels of security. While Gmail also offers strong security measures, it is primarily a personal email service and may not provide the same level of security features required for business use.

 

 

 

Echo of Non-Compliance

Every day, we hear about new ways we can use our smart speakers. Retailers, radio stations, product companies, and others remind us that we can use our Amazon Echo or Google Home to buy, listen, or learn. The term “smart speaker”, however, is misleading. These are microphones and they are always listening. They are also likely recording everything they hear.

If you are covered by HIPAA or other privacy regulations, do not talk about protected information within earshot of Alexa.

This warning stems from a 2015 murder case in Arkansas. Believing that the Amazon Echo may have “heard” a murder, the District Attorney subpoenaed any recordings that Amazon may keep from the device. Amazon fought the decision on First Amendment and privacy rights, not by claiming that it was not recording. Amazon did not deny having recordings.

The issue for data privacy compliance is that your smart speaker may be listening to and recording conversations you have about protected information.  Allowing this is a violation of HIPAA and other regulations protecting personal identifying information (PII).

When is your Amazon Echo recording?

The short answer is: we are not sure, but maybe always.

Looking at the Alexa Terms of Use, Amazon tells us “Alexa streams audio to the cloud when you interact with Alexa” and “Alexa uses recordings of your voice to create an acoustic profile of your voice characteristics.” Alexa use is also covered by the Amazon Privacy Notice, which states, “We receive and store any information you enter on our Web site or give us in any other way.”

While Amazon tells us they are recording your “Hey, Alexa” commands, the Terms of Use and Privacy Notice are a bit more ambiguous. Neither document tells us that Amazon records only when listening and processing commands. Nor do the policies limit Amazon’s recording to those commands. We do not know, for sure, when Amazon is not recording what it hears on your Echo.

Better Safe Than Sorry

When speaking about sensitive or protected information, stay away from your “smart speaker” or manually mute the device.


One more thought:  Ever notice how after certain conversations, you see ads on Facebook related to the topic discussed?  Unless you turn off microphone access, Facebook is using your phone to listen to your conversations, analyze what you say, and profile you. Letting Facebook listen is another potential HIPAA and PII breach.


 

Myth-Busting Monday: On-Premise is Safer Than Cloud

Just because you can see it and touch it, does not mean it is safe and secure. With the number of successful ransomware attacks up more than 400% in the past year, it is increasingly clear that on-premise systems are not inherently more secure than they would be in the cloud. Many companies are hacked and remain unaware for weeks or months, as the use by cyber criminals of advanced persistent threats continues to rise.

Microsoft Office is secured with technologies and resources beyond the reach of nearly every small and mid-market business.

Large enterprises know that security is a full-time job, requiring a team of expensive experts and advanced technologies. And while large enterprises can afford to make this investment, most small and mid-size businesses do not have the resources to prevent, detect, and mitigate security issues.

Moving to Office 365, you enter an environment designed for security, backed by a team of security experts, industry leaders in regulatory compliance, and the latest security technologies and methods. Office 365 complies with the latest rules and regulations, including but not limited to:

  • HIPAA
  • Sarbanes-Oxley
  • Federal Information Security Management Act (FISMA)
  • ISO 27001
  • European Union (EU) Model Clauses and U.S.–EU Safe Harbor framework
  • Family Educational Rights and Privacy Act (FERPA)
  • Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

And, with this security, you get a 99.9% uptime guarantee.

If you are thinking of going cloud, or expanding your cloud use, and remain concerned about security and data privacy, give us a chance to assess your needs and map out a solution.


This is the third of a multi-part series designed to help companies better assess the opportunity and value of cloud-based solutions. Contact Us for more information or a free Cloud Advisor session.


Moving to the Cloud: Regulatory Compliance

 

This post is the seventh in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

Moving to the cloud often entails more than switching to an email service or spinning up some cloud-based storage and servers. For many businesses — including Small and Mid-Size Businesses (SMBs) — regulatory requirements place demands on IT systems and security. And, while these requirements impact in-house and cloud solutions, moving to the cloud requires planning.

The most common regulations for SMBs relate to consumer (customer) privacy:  HIPAA, which protects personal health information, and PCI, which protects personal and credit related information.  Many SMBs, however, must also meet the requirements of Sarbanes/Oxley, FINRA, SEC, and various state regulations.

The solution:  Integrating Solutions.

Fortunately, the tools and systems exist to provide compliance with data security and privacy regulations.  Cloud vendors are creating environments and the management controls necessary for customer regulatory compliance and certification.

The challenge is to make sure that all of the pieces work together.

  • Message Archive/eDiscovery: Manages retention of email as official business records and provides the eDiscovery and audit tools necessary to meet federal subpoena requirements.
  • Message Encryption: Encrypts email at the individual message level based on content and rule sets, requires users to authenticate before accessing the message, and prevents forwarding.
  • Two Factor Authorization / Single Sign-On: Provides identity management services and audit trails beyond core products in order to meet regulatory or policy requirements.
  • Third Party Encryption:  Encrypts data in the browser or client before transmission to the cloud, providing a second level of encryption prior to the encryption provided by the cloud vendor.  In the event of a vendor data breach, the exposed data would be encrypted.

These types of solutions, and others, provide cloud environments with the capabilities to meet regulatory requirements.  Vendor contracts and policies should still be carefully reviewed for any terms and conditions that threaten compliance.

And remember, no vendor can ensure compliance.  Compliance exists when the technology meets the technical standards and is used in accordance with policies and procedures that meet the regulatory intent.

Next Post in the Series:  Internationalization

Previous Post in the Series:  Integration with Legacy Systems

Webcasts

Email Security and Reliability

(8/17/2021) – A deep dive look at email security and reliability, with a focus on how DMARC prevents business email compromises, spoofing, and phishing attacks. In addition to protecting you from inbound attacks, DMARC protects your domain’s reputation and helps ensure reliable email deliverability.

Email Security and Compliance

(7/20/2021) – An updated look at email security and compliance. Summarizing risks and trends, we dive into a tiered approach to ensuring your business, data, employees, and reputation are protected.  We also discuss emerging compliance requirements and steps you can take to ensure you operate within regulatory, industry, and policy expectations.