Posts

Easier Sharing of Google Docs; Watch Your Permissions

Google is making it easier to share Google Docs, Drawings, and Slides (not Sheets) with people outside your Google Apps for Business domain.

  • Files shared outside your domain to an email address not linked to an existing Google Account can be viewed without having to sign in or create a new Google Account.
  • If a file is shared with edit or comment permissions, the receiving user must still sign in with a Google Account in order to edit or comment on that file.

This change actually reflects a new “invitation” model. When a user directly shares with individuals who do not have Google Accounts, those recipients will be able to view the file without signing in. Because no sign-in is required, anyone may view the file with this sharing link until the person with whom the file was explicitly shared creates a Google Account and uses the invitation.

Once the person creates a Google Account two things happen: (1) the sharing link will no longer work for new users to access the file and the sharing dialog will indicate that the invitation has been used; (2) any user who accessed the file using the sharing link while it was open and signed in using their Google Account will be added to the sharing access list for that file and will continue to have access. Users with permissions to change sharing settings can revoke this access if desired.

While you can prevent this behavior by disabling sharing outside the domain to people who are not using a Google Account via settings in the Admin console, the change makes monitoring of Google Drive permissions more important to maintaining a secure ecosystem.
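The invitation lifecycle described above, as an added example (not Google's or CloudLock's code): a simplified Python model of a view-only invitation plus the audit an administrator would run over the resulting access list. The class, field names, finding labels, and sample addresses are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SharedFile:
    """Simplified model of the view-only invitation behaviour described above."""
    name: str
    acl: dict = field(default_factory=dict)      # account -> role
    explicit: set = field(default_factory=set)   # addresses the owner shared with directly
    pending: dict = field(default_factory=dict)  # invited address -> signed-in viewers seen

    def invite_viewer(self, email):
        # Share with an address that has no Google Account: the link is open.
        self.explicit.add(email)
        self.pending[email] = set()

    def view(self, invited_email, viewer=None):
        # viewer is the signed-in account, or None for an anonymous visitor.
        if viewer is not None and viewer in self.acl:
            return True                           # already on the access list
        seen = self.pending.get(invited_email)
        if seen is None:
            return False                          # invitation used: link is closed
        if viewer is not None:
            seen.add(viewer)                      # anonymous views leave no record
        return True

    def redeem(self, invited_email):
        # The invited person creates a Google Account and uses the invitation.
        seen = self.pending.pop(invited_email)
        self.acl[invited_email] = "view"
        for account in seen:                      # signed-in link viewers keep access
            self.acl.setdefault(account, "view")

def audit(files, domain):
    """Flag open invitations and outside accounts nobody shared with directly."""
    findings = []
    for f in files:
        for email in sorted(f.pending):
            findings.append((f.name, email, "open-invitation"))
        for account in sorted(f.acl):
            if account.endswith("@" + domain) or account in f.explicit:
                continue
            findings.append((f.name, account, "joined-via-link"))
    return findings

def demo():
    # Constructed scenario: one file, one outside invitee, two link visitors.
    doc = SharedFile("Q3-plan", acl={"owner@example.com": "owner"})
    doc.invite_viewer("partner@vendor.test")
    before = audit([doc], "example.com")
    doc.view("partner@vendor.test")                          # anonymous visitor
    doc.view("partner@vendor.test", "stranger@other.test")   # signed-in visitor
    doc.redeem("partner@vendor.test")
    after = audit([doc], "example.com")
    late = doc.view("partner@vendor.test", "latecomer@other.test")
    return before, after, late

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The anonymous view never appears in any finding, which is why an open invitation is itself worth flagging before it is used.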

Tools, such as CloudLock, provide a means for monitoring and managing permissions, helping ensure that sensitive data remains secure.  Contact us if you would like more information.

 

 

Google Apps, PRISM, and the NSA

With media attention and hype, leaked documents, Congressional hearings, and a great deal of explanation and backpedaling, the world now knows that the United States government spies on people.

Okay, we already knew that.

So, we learned about a secret “FISA” court that can issue secret subpoenas letting the government look at information about us.

Okay, we already knew that, too (many of us just did not pay attention or really seem to care very much).

So, we learned that the Government had issued subpoenas for huge amounts of data about phone calls from Verizon as part of a secret program called PRISM.

Now must be the time to panic?

As our 24-hour, instant, news machine struggled to find alleged experts on this top-secret program, we began hearing reports that the National Security Agency has direct, unfettered, complete access to all of the data on all of the servers of all of the major public cloud providers, and that they were capturing, recording, and saving all of this information.

Unfortunately, the cloud service providers are prohibited by law from disclosing the number of FISA subpoenas and/or the number of users subject to those subpoenas. We do know, however, that all of the service providers deny any direct connection between their systems and the NSA.

Without accurate information, myths become ‘facts’.

For those of us that promote and rely on the cloud, including those of us running Google Apps for Business, Education, or Government, we want assurances that our data remains private.

Google Apps and Your Privacy

On June 7th, Google posted this statement on the Official Google Blog regarding the matter.  In short:

  1. The NSA and other agencies do not have unfettered access to customer data
  2. Google was not participating in, nor aware of the PRISM program
  3. Google actively works to limit the number and scope of FISA requests

Coincidentally, CIO Magazine reported on June 4th (before the FISA/PRISM revelations in the media) about Google’s efforts to modify or restrict FISA subpoenas.  You can see the article here.

Media reports have been largely inaccurate about the scope of the PRISM program and FISA warrants and their use on American citizens on US soil.

Google is not allowed to release the numbers and scope of the requests by law.  On June 11th, Google made public an official request to release that information so that Google customers will have a more accurate picture and will understand that their data remains secure.

Conclusion

The Terms of Service and Privacy Policy for Google Apps for Business, Education, and Government have very specific rules for how private Google keeps your data and how Google responds (and lets you respond) to subpoenas Google receives for customer data.

There is no evidence, or any indication, that Google has acted outside the bounds of these terms and conditions, even as Google vigorously defends the privacy of customer data in court.

 

Moving to the Cloud: Internationalization

 

This post is the eighth in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

Cloud computing is global and a growing number of cloud solution providers are global as well. Data stored in the cloud can end up in data centers in other countries and jurisdictions with differing laws and levels of privacy protection. In addition, organizations may be subject to laws or regulations that restrict data from being stored across national boundaries or in other jurisdictions.

Some risk exists in national or local laws related to data privacy and ownership.

Learn Before You Leap

Before signing on with a cloud provider, ask questions about where data is stored and how the provider is protecting your data from foreign governments and other interests. Review all contracts, agreements, and vendor policy statements to ensure they are consistent with the message you hear from the sales team.

Look for adherence to privacy standards based on international treaties, such as Safe Harbor and EU Safe Harbor. While these programs cannot eliminate all risk, they do set reliable standards and ensure the vendor has a process for managing any issues that arise.

Explore options with your vendor.  Many cloud vendors allow customers to select specific data centers in which their systems will run and/or data resides.

Seek out some knowledge about the privacy laws and regulations in the countries in which your data may reside (many Canadian firms, for example, see the US Patriot Act as a risk when data resides in the US).

With a small amount of due diligence, organizations can judge the vendor’s competency in managing data privacy and ownership across boundaries, and can ensure the cloud solution meets the organization’s needs above all.

Next Post in the Series:  Coming Monday June 10th

Previous Post in the Series:  Regulatory Compliance

Moving to the Cloud: Security

 

This post is the first in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

At some point in the evaluation and decision process, the issue of security comes to the forefront as organizations look at cloud computing.  Vendors and resellers, like Cumulus Global, often provide two answers — both of which are correct:

  1. Cloud computing providers need their environments to be secure, and they invest time and money on security.  Most cloud providers deliver environments and systems that are significantly more secure than their customers could provide for themselves.
  2. Standard cloud security may not be sufficient to meet specific business needs.  Just as they would with in-house systems, cloud computing customers should be prepared to add additional security services to meet business requirements such as HIPAA, SEC, FINRA, and PCI compliance.

As a first step, organizations moving to the cloud should review the security capabilities of their solution provider.  Beyond the technology, look for certifications such as SSAE-16 Type I and II, ISO 27001, and FISMA.  Make sure that the provider’s security practices are reflected in their terms of service, contracts, and service level agreements.  Finally, verify if and how you can add security capabilities to meet business or industry requirements.

With a reasonable level of due diligence and planning, cloud solutions can overcome any security concerns.

Next Post in the Series: Moving to the Cloud: Cost Savings

Cloud Solutions Drive Rapid Growth for Cumulus Global


Cumulus Global today announced revenue growth exceeding 300% for 2012 as the company’s cloud solutions business continues to expand. Sales for 2012 surpassed $3.3 million dollars compared to $972,000 in 2011. Net income before taxes jumped over 400%, to more than $200,000 for 2012. This growth reflects increasing demand from Cumulus Global’s core small and mid-size business markets, as well as the company’s expansion into new market segments.

“In the last 18 months, we have helped more than 120 school districts migrate to Google Apps for Education, deploy Chromebooks for Education, and protect their networks and in-house data,” noted Allen Falcon, CEO and co-founder. “We see increasing opportunity in the educational market.”

The company also sees increasing demand from local, municipal, and county governments and agencies throughout New England and nationally. Falcon expects revenues from Google Apps for Government and related services to “more than triple over the next twelve to eighteen months.” Falcon attributes this growth to the migration, education, and support services offered, including the company’s participation in the FCC E-Rate program for schools and libraries.

Serving the needs of small and mid-size businesses, those with 1 to 1000 employees, remains a core market for Cumulus Global. According to Falcon, “Our core SMB market grew by more than 30% last year and we see that rate of growth accelerating.” Falcon attributes this growth to the company’s focus on solutions rather than technology.

“We do not sell hype or technology,” stated Falcon. “We work with our customers to identify if and how cloud solutions can improve efficiency, expand services, drive revenue, and lower costs. We bundle products and services that overcome challenges and enable growth.” Partnering with more than a dozen ISVs and solution providers, Cumulus Global can meet customers’ regulatory compliance, security, data management, and IT administration needs.

For companies, non-profits, government agencies, and schools interested in learning more, Cumulus Global conducts regular webcasts and Q&A sessions.

 

Cloud Security Focus Shifts to Data Protection


This blog post is the first in a series on Data Protection issues and practical solutions.

When companies began moving to cloud computing solutions, a great deal of time and anxiety was spent on security. For most considering the move, the questions were basic: Will my vendor access my data? Will my vendor prevent unauthorized access to my data? How secure is my connection to my data?

With the maturing of security standards (SSAE-16, ISO 27001, FISMA, and others), these fundamental questions are less of a concern to most businesses. Top tier providers not only create secure infrastructures, but build commitments to customer data security and integrity into their contracts, Terms of Service, and Service Level Agreements, or SLAs.

That said, security in the cloud requires thought and planning. In addition to basic access concerns, organizations need to be as vigilant with cloud-based data as they are with in-house data when it comes to data integrity, exposure, and loss prevention. Holistically, the focus should be “Data Protection”.

As we look at Data Protection in this blog series, we will focus on the areas of greatest risk to your data:

  • User Identity and Account Security
  • User Actions — accidental and malicious
  • Data Leaks / Permission Errors
  • Malware
  • Rogue Applications

For each of these issues, we will look at how the risks change (or not) when data is in a public cloud service, as well as practical solutions for mitigating the risks.

Case Study: Google Apps Supports Strategic Growth at Merrimack Mortgage Company

The Company

Founded in 1983, Merrimack Mortgage Company (MMC) continues to be a leader in residential mortgage lending throughout the Northeast and is one of the region’s largest independent mortgage bankers.

MMC prides itself for being the company that delivers the same products as the big lenders but with the high quality service levels inherent in a small lender. This winning combination of finesse and strength has led Merrimack Mortgage Company to its exceptional growth during the past three decades. The company’s success is attributed to its core strategy of providing a high level of customer satisfaction at a competitive price.

The Challenge

Merrimack Mortgage Company relies on extending its operations by expanding the size of the company’s geographic market area with new satellite branches. The IT department is challenged with bringing these loan officers located in satellite branches into the company’s processes effectively and quickly to allow them to be up and running as fast as possible.

The Solution

With integrated communications and file services, the transition to Google Apps was part of a strategic initiative to put the company in a competitive position to enable it to expand its operations effectively, from a primarily New England-based operation to cover their expansion outside of New England. This expansion included enabling a homogenous environment to all of the company’s loan officers while still complying with SOX, GLBA, ISO and other internal governance and audit requirements.

“The business side of me saw Google Apps as a slam dunk from a ROI and TCO perspective, and the technologist in me also couldn’t argue against introducing variable costs, scalability, availability, and OS and hardware independence. Cumulus Global recommended and helped us deploy CloudLock and Backupify for compliance, policy enforcement, risk mitigation, and data protection. This allowed us to fully embrace Google Apps and made both my Chief Compliance Officer and CFO very happy.”
— Matthew Seaton, CIO Merrimack Mortgage Company

Integrating Google Apps and CloudLock, Merrimack Mortgage Company extends its security perimeter to the cloud. MMC ensures its use of email, calendars, contacts, and files stored and shared via Google Drive comply with regulations like SOX, GLBA, ISO and other internal Acceptable Use Policies. Backupify protects data across Google Apps accounts against data damage or deletion due to user error.

“I am not sure if I would have felt confident with my decision to move our company’s communication and collaboration needs to Google Apps for Business without the solutions and assistance from Cumulus Global. The integrated solution has relieved my anxiety over having our company data hosted by a third party,” said Seaton.  “Our management team was relieved by the value proposition.  We pay as we grow rather than making large up-front capital investments.”

Since MMC’s initial Google Apps for Business implementation in June of 2011, MMC has increased sales staff by 15% and the number of physical locations by 26%. Operations staff increases have been minimal in comparison. The greatest benefit, in regards to increased sales staffing and locations, is the ability to turn up new team members literally in minutes. In more recent months, MMC has seen back-to-back monthly company record-breaking sales numbers.

To learn more about Merrimack Mortgage Company, visit: www.merrimackmortgage.com.

Friday Thought: Building a Cloud File Service

For many of the companies, non-profits, school systems, and local governments we work with, the desire to use the cloud is expanding beyond email and calendar.  These organizations are looking to move some or all of their file services into the cloud as well.

Motivation:

While the initial motivation is often to improve access to and sharing of information on projects, or in general, the planning process often reveals a greater value proposition. These secondary benefits derive from giving users direct access to data, and include, but are not limited to:

  • Reduced need for SSL VPN services and/or remote access, desktop, or virtual desktop solutions, resulting in lower hardware, software, networking, and support costs.
  • Reduced need for site-to-site links, enabling organizations to replace expensive point-to-point WAN links and MPLS networks with much less costly direct Internet access links.
  • Improved access to information from tablets and smart phones.
  • Reduced backup/restore costs, as physical infrastructure and in-house administration is replaced by cloud-to-cloud data protection services.

In short, cloud file services provide better user access to information, a simpler IT infrastructure, and lower costs.

Ecosystem

Many services exist to provide cloud-based file services, and organizations are best off if they review their needs before making a selection. Beyond methods of accessing the service, be sure to compare your permissions/security requirements with the features and functions of the service.

Building a file service also means having the necessary components to ensure a robust ecosystem.

  • Affordable storage purchased as used or in flexible blocks
  • Drive letter access (DLA) or Network Place access from Windows desktops
  • Drive type access from Mac desktops, if needed
  • Access from mobile devices, including smart phones and tablets
  • Ability to integrate user identity with your LDAP, Active Directory, or SSO service
  • Availability of cloud-to-cloud backup/restore services
  • Encryption of data at rest and in transit
  • Ability to set permissions in accordance with your business needs, policies, and procedures

Execution

Moving to a cloud file service starts with understanding your requirements and the impact of the change on your computing environment and your end users. Which aspects of the ecosystem do you need/want? How will the change affect the user experience? How will a new file service fit in with your other cloud solutions? With an understanding of requirements, you can better match your needs to the available solutions and map out a migration that minimizes risk and enhances the benefits of the move.

 

Google Apps and Google’s New Privacy Policy

The cloud world is buzzing as Google announced that effective March 1, 2012, it would consolidate more than 60 privacy policies for different services into a single, simplified policy covering all Google services.  Not surprisingly, we are already fielding calls from our Google Apps for Business / Education / Government customers with questions about the impact of the change.

Rest easy.  Here are the answers.

Not Much is Changing

The consolidated privacy policy is not changing how Google collects or uses information with individual services or across services.  The policy is providing a simpler, easier to understand document that is consistent across all services.  Google has also removed components of its existing privacy policies that are redundant with content in the Terms of Service policy for each service, which are also being updated and consolidated into a single, consistent policy.

Note that the Privacy Policy addresses how Google collects and uses information about individual users, but that the Terms of Service dictate how Google treats content you place or store using Google services. To understand how your information is protected, you must review both documents.

Public and Free Services versus Business / Education / Government Services

The new Terms of Service and Privacy Policy provide a baseline for all services.  The Terms of Service clearly states that

“Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services.”

Google Apps for Business, for Education, and for Government all have these additional terms and settings.

Confidentiality in Google Apps for Business / Education / Government

The Terms of Service for Google Apps for Business, for Education, and for Government each define Confidential Information as follows:

Confidential Information means information disclosed by a party to the other party under this Agreement that is marked as confidential or would normally be considered confidential under the circumstances. Customer Data is Customer’s Confidential Information.

Very simply, the agreement defines all user/customer content in these services as confidential.

The Terms of Service prevent Google from accessing or disclosing customer information without permission and guarantee a standard of care related to the security, availability, and privacy of customer information.

Exceptions

There are exceptions when Google may disclose or publicly display Google Apps for Business / Education / Government customer information.

  1. A User Marks Content as Public:  If a user marks content as “public” or as “publish on the web”, the user is giving permission to Google and instructing Google to index the content in Google search engine and to make the content available to everyone publicly.   Google Apps administrators can limit user permissions to prevent them from marking content as public.
  2. Required Disclosure:  Per the Terms of Service, Google may “… disclose the other party’s Confidential Information when required by law but only after it, if legally permissible: (a) uses commercially reasonable efforts to notify the other party; and (b) gives the other party the chance to challenge the disclosure.”

Summary

While Google’s consolidation of privacy policies makes for great, sensational headlines, the reality is that there is no material change in how Google addresses information privacy. For Google Apps for Business, for Education, and for Government customers, there is no change whatsoever.

Tuesday Take-Away: New Security Standards for Cloud Computing

Cloud computing vendors often promote their security credentials, and doing so gives prospective customers valuable information about the vendors’ security operations and capabilities.

If your vendor is still promoting their SAS 70 Type II certifications, however, they are a little bit out of date.

As of June 15, 2011, the American Institute of CPAs replaced SAS 70 with SSAE 16, a much more rigorous standard for service provider security audits and attestations.  SSAE 16 is also in line with a separate, international security audit and attestation standard, ISAE 3402.

If you use Google Apps, Google Postini Services, Google App Engine, and/or Google Apps Script, you are in good shape.  Google is one of the first cloud computing vendors to move to the new, more rigorous, standards.

Google has attained SSAE 16 Type II and ISAE 3402 Type II certifications for these services.  SAS 70 Type II certifications are still valid for audits conducted before June 15, 2011.

While third-party audits are part of the security and compliance benefits of Google Apps and Google App Engine products, Google’s security efforts go well beyond audit requirements. You can learn more about Google’s security by reviewing the current security white paper and watching this data center video tour.

Want to know more?  Contact us.  We would be happy to discuss your needs.