SECURING A COLLABORATIVE ENVIRONMENT 1
Securing a Collaborative Environment:
Corporate Cloud Risk for the Non-Technical Leader
Joseph Pidala
University of Texas
December 7, 2014
Abstract
Cyber risk looms over the corporate world with staggering statistics released daily; yet somehow
it still feels invisible – “hacks” carried out by criminals using processes no one understands. As
we open up business to the cyber world, incredible opportunities await us, but malicious intent,
abuse, and exploitation come along for the ride. By design, cloud collaboration means quick,
open, and efficient, while corporations still lean on a safer conservative culture (Diffin,
Chirombo, & Nangle, 2010). The million-dollar solution not only finds the perfect balance
between security and open collaboration but also presents the information in a way that a non-
technical leader can easily begin implementation. The following paper addresses these concerns
and makes every effort to inform managers of best practice for securing their collaborative cloud
environment.
Keywords: cyber security, cloud computing, corporate, collaboration, infosec
Securing a Collaborative Environment:
Corporate Cloud Risk for the Non-Technical Leader
In 2014, online crime affects everyone in some form, whether something small like an
email address or something more drastic such as a credit card number. While breaches happen
daily, hackers have yet to cause serious harm to individual consumers (Lee & Lee, 2010).
However, what does a cyber security breach mean to a large corporation? According to the
Ponemon Institute’s 2013 Cost of Cyber Crime Study, the average cost of online crime increased
78% in the past four years totaling to $11.56 million annually per company (LeClair & Pheils,
2014, p.3). Unacceptable statistics put heavy stress on corporations that live and breathe off
shareholder return. Though the paper assesses many risks, one goal always stays in mind: keep
the corporation’s crown jewels safe. A company’s sensitive information can vary vastly
depending on the company (LeClair & Pheils, 2014, p.9). For instance, a retail store may
consider customer credit cards as its most crucial information while a technology company may
consider intellectual property as its main concern. A successful corporate cloud environment
requires a combination of the right technology, culture, and administrative policies (Vacca, 2011,
p.160); the subsections below address finding the balance between these controls.
Cloud Computing
Securing a corporate cloud environment begins with fully grasping the different aspects
of cloud computing and understanding all the moving parts. Before cloud computing,
corporations utilized on-site servers to store company information for employees to use
(Goundar, 2012, p.217). A local datacenter takes many resources such as time, space, and power
to operate. In addition, most corporations do not need the same amount of computing power and
data storage due to seasonal production (Goundar, 2012, p.218). For example, toy companies
foster much more traffic to their websites during holiday times than they do during non-peak
periods of the year. With cloud computing, the toy store can change how much power and
storage they need at any given time by a simple call to their provider (Pauley, 2010, p.33).
The intangibility of cloud computing makes the practice difficult to grasp, but a cloud
provider simply takes the same role as a cell service provider. When a customer needs more
minutes, he or she simply calls the provider to scale the plan. When a corporation needs more
storage space, they simply call their provider and bump up their plan as well. A cell service
customer does not purchase the cell towers used to provide the service just as a corporation does
not purchase the hardware from a cloud provider (Jalaparti, Ballani, Costa, Karagiannis, &
Rowstron, 2012, p.1).
A corporation will most likely utilize all three tiers of the cloud: Infrastructure as a
service (IaaS), Platform as a service (PaaS), and Software as a service (SaaS) (Sowmya,
Deepika, & Naren, 2014, p.4477). Infrastructure incorporates computer hardware such as
servers, storage drives, and networking components (Julisch & Hall, 2010, p.299). When
management pays for IaaS, they purchase time to use the physical hardware similar to the cell
service example (Armbrust et al., 2009, p.2). PaaS represents the middleware and operating
system of the cloud (Julisch & Hall, 2010, p.300). Installing Windows 8 on a personal computer
compares to what PaaS provides a corporation. The operating system serves as the intermediary
between the physical equipment and the consumer application providing instructions so both
sides work as designed (Sowmya et al., 2014, p.4479). Lastly, the type of service most people
think of when speaking of cloud computing, SaaS provides the useful applications every
corporation needs to operate (Sowmya, Deepika, & Naren, 2014, p.4480). Instead of purchasing
and installing thousands of copies of Microsoft Excel, corporations can now subscribe to Office
365 and have every corporate computer running Excel instantly through the Internet (Julisch &
Hall, 2010, p.300). In this way, cloud computing has transformed corporate IT into a more
efficient streamlined process.
Types of Data Breaches
While the cloud boasts more centralized data, it also opens itself to more access points
(Udhayakumar, Jawahar, & Ramasamy, 2014, p.235). Corporate data breaches range from
political activism to million-dollar heists, but regardless of motive, a hacker must first gain
access to the corporate system. Surprisingly, the most common way of gaining unauthorized
access uses little technical prowess (Workman, 2008). Social Engineering, the act of
manipulating someone to gain confidential information, provides criminals with unlimited
attempts to gather passwords to user accounts (Abraham, & Chengalur-Smith, 2010, p.183).
Social Engineering includes posing as a company’s IT department asking for passwords, sending
fake emails meant to trick employees into downloading malicious files, and setting up fake
wireless access points so employees connect to the wrong network. When an employee makes a
simple mistake giving information, consequences can be as vast as a technical attack (Workman,
2008).
A more technical way of gaining unauthorized access is to scan network ports for
vulnerabilities and use programming to exploit insufficient code (El-Hajj, Aloul, Trabelsi, &
Zaki, 2008, p.105). A burglar checking for unlocked doors at an individual’s home represents a
prime non-technical example. Once the hacker finds a hole in the system, he or she executes
code to give themselves authorized credentials. At this time, the hacker may roam and download
whatever he or she pleases (El-Hajj et al., 2008, p.105). The most common attack on a database,
SQL injection, attempts to ask the server for information it was not expecting, resulting in the
system crashing (Kindy & Pathan, 2011). For example, if a form asks for a username, what
happens if you type in computer code instead? A hacker can talk directly to the server through a
simple text box if the system is not set up securely (Kindy & Pathan, 2011).
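The username form described above, as an added example that is not part of the original paper: the same lookup written the insecure way and the secure way, run against a constructed in-memory table. The table, account names, and function names are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory table holding constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return db


def lookup_unsafe(db, username):
    # Weak form: the text-box value is pasted into the SQL text, so the
    # database cannot tell what was typed apart from the query itself.
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(query)]


def lookup_safe(db, username):
    # Hardened form: the value travels as a bound parameter and is only
    # ever compared as data, whatever characters it contains.
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in db.execute(query, (username,))]


def run_lookup(lookup, db, typed):
    """Return the lookup result, or 'query error' if the database rejects it."""
    try:
        return sorted(lookup(db, typed))
    except sqlite3.OperationalError:
        return "query error"


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal name, a name containing an apostrophe,
    # and text that is code rather than a name.
    for typed in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(typed))
        print("  unsafe:", run_lookup(lookup_unsafe, db, typed))
        print("  safe:  ", run_lookup(lookup_safe, db, typed))
```

With the unsafe version, a harmless apostrophe breaks the query and typed code returns every row; the parameterized version returns nothing for both because no such username exists.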
A hacker will always find the weakest link in a security system. Oftentimes with very
large corporations, corporate partners leave holes that the company does not actively assess. If a
partner has the same confidential information due to a joint-operation and their system lacks
necessary security controls, the hacker will just go after them instead (Badr, Biennier, & Tata,
2011, p.244). Lastly, most employees set simple passwords making cracking them easy. In a
brute force attack, a powerful computer attempts every single combination of letters, numbers,
and symbols until the computer cracks the password (Workman, 2008). Hackers advanced the
method even further by developing processes such as the dictionary attack. In this method, the
computer starts with words found in a dictionary to speed the cracking process (Vykopal,
Plesnik, & Minarik, 2009, p.23).
With the multitude of ways hackers gain access to corporate systems, cloud computing
poses an additional risk. In cloud computing, people across the globe can connect and access the
same cloud files. With an insecure cloud, hackers can gain access to more information with less
effort. Because of this, system admins need to stress a security mindset and strictly regulate
employee accounts, passwords, and permissions (Udhayakumar et al., 2014, p.235).
The Security Mindset
To succeed in a collaborative cloud environment, employees must understand the
importance of collaborating securely. Employees will not change their actions based purely on
policy, and finding rule-breakers proves an impossible task (Siponen, Pahnila, & Mahmood,
2010, p.64). If a large corporation has a policy to refrain from emailing sensitive documents
without encryption, no reasonable system exists to catch someone in the act. This shows
technology’s key flaw even today: computers do not understand context. A system admin could
easily block all unencrypted email, but encrypting every single message would limit productivity
and possible recipients (Siponen et al., 2010, p.68). The next option implements a Data Loss
Prevention (DLP) system. DLP software scans outgoing data in-use, in-motion, and at-rest
(Ghorbanian, & Fryklund, 2014, p.2). While DLP easily catches structured data such as social
security numbers, it cannot detect projects with code words, which Research & Development
divisions regularly use (Ghorbanian, & Fryklund, 2014, p.10). R&D divisions actively manage
the most sensitive intellectual property within a company, and if they email out a document
about a codename, Project Houston, DLP will not pick the email out as a threat (Ghorbanian, &
Fryklund, 2014, p.19). The corporate network also limits DLP’s use. While DLP scans data at-
rest within company walls, a data breach renders the software useless (Ghorbanian, & Fryklund,
2014, p.40). These examples support the hypothesis of developing a security mindset throughout
the company. Only the individual employee can know if their actions truly put the corporation at
risk. Therefore, C-Suite members must make it a priority and set the tone from the top so others
follow their actions (Siponen et al., 2010, p.68).
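The DLP limitation described above, as an added example that is not part of the original paper or of any DLP product: a pattern-based scan that flags a structured Social Security number but passes a message about a code-named project. The sample messages and function names are constructed for the illustration.

```python
import re

# Candidate SSN: 3-2-4 digits with optional hyphen or space separators,
# not embedded in a longer run of digits.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area, group, serial):
    """Apply SSN structural rules so arbitrary 9-digit numbers are not flagged."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def scan_outgoing(message):
    """Return masked findings for structured data found in an outgoing message."""
    findings = []
    for match in SSN_CANDIDATE.finditer(message):
        area, group, serial = match.groups()
        if is_plausible_ssn(area, group, serial):
            # Mask the value so the alert itself does not leak the number.
            findings.append(("ssn", "***-**-" + serial))
    return findings


# Constructed sample messages (not real data).
SAMPLE_MESSAGES = [
    "Payroll correction for J. Doe, SSN 512-44-1839, effective Monday.",
    "Attached: Project Houston prototype results and launch timeline.",
    "Tracking reference 000-12-3456 was delivered this morning.",
]


def triage(messages):
    """Label each message 'blocked' or 'allowed' based on the scan."""
    return ["blocked" if scan_outgoing(m) else "allowed" for m in messages]


if __name__ == "__main__":
    for verdict, message in zip(triage(SAMPLE_MESSAGES), SAMPLE_MESSAGES):
        print(f"{verdict:8} {message}")
```

The Project Houston message is allowed through because nothing in it has a recognizable structure; only the sender knows it is sensitive.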
Security Awareness Training
Once a security mindset establishes a baseline, security awareness training targets
misconceptions and prevents employees from making unknowing mistakes. Companies typically
all have security awareness trainings, but not all trainings turn out to be effective (Puhakainen &
Siponen, 2010, p.757). According to a 2010 study by Puhakainen and Siponen, successful
security awareness training encompasses the following traits (p.775):
1) Designing in respect to corporate mission
2) Utilizing examples directly relating to the audience
3) Acknowledging audience’s previous security education
4) Applying training methods that promote positive mental stimuli
5) Integrating training into everyday business communications
6) Exhibiting visible support of upper management
7) Promoting security discussion through informational gatherings
Depending on the security budget, implementing these features through web training, video training,
or in-person training proved to raise awareness, based on a comparison of interview notes from before and
after the testing (Puhakainen & Siponen, 2010, p.769).
Fast-paced non-technical roles proved the most at risk for exposing confidential data for
many reasons. In sales, employees often receive tight deadlines where speed of work affects pay.
Employees will frequently cut corners to get the job done quickly, tossing security out the
window first (Puhakainen & Siponen, 2010, p.767). These employees usually do not understand
the technical jargon in trainings or the potential consequences of their seemingly harmless
actions, such as sending an email without encryption (Karjalainen & Siponen, 2011, p.519).
Security awareness training provides these non-technical roles with the information they need to
make knowledgeable decisions.
Password Complexity
Once training develops a security conscious employee, technical controls can then add
assurance to a corporation’s cloud environment. Renowned cryptographer Bruce Schneier
expressed, “security is a process, not a product” (Wang, Jia, & Shen, 2009, p.1285). Only after
an employee understands the “why” can management expect them to make appropriate decisions
(Siponen et al., 2010, p.68). Implementing a complex password requirement deters social
engineering and brute force attacks (Workman, 2008). Examples of password requirements
include: a 12-character minimum; including a letter, number, and symbol; and restricting
dictionary words (Vykopal et al., 2009, p.23). The goal is to make a policy strict enough to
prevent criminals from easily guessing a password and lenient enough so employees can
memorize their passwords without writing them down (Monda, Bours, & Idrus, 2013, p.301).
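One way to enforce the example requirements listed above (12-character minimum; a letter, number, and symbol; no dictionary words), shown as an added example that is not part of the original paper. The word list is a constructed sample, and undoing common character substitutions before the dictionary check is an assumption that goes beyond the policy as stated.

```python
import string

MIN_LENGTH = 12

# Assumption: treat common look-alike substitutions as the letters they
# imitate, so "P@ssw0rd" is still recognized as "password".
SUBSTITUTIONS = str.maketrans("01345@$", "oleasas")

# Constructed sample; a real deployment would load a full dictionary.
WORDLIST = {"password", "summer", "welcome", "dragon", "houston"}


def policy_violations(password, wordlist=WORDLIST):
    """Return the list of policy rules the password breaks (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    normalized = password.lower().translate(SUBSTITUTIONS)
    hits = sorted(word for word in wordlist if word in normalized)
    if hits:
        problems.append("contains dictionary word: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed candidate passwords.
    for candidate in ("Summer2014!", "P@ssw0rd2014!!", "gT7#qLz9!vRw2x"):
        print(candidate, "->", policy_violations(candidate) or "accepted")
```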
Multi-Factor Authentication
A further advancement, multi-factor authentication applies a security tactic humans have
used for thousands of years: defense in depth. Just as medieval castles had walls as well as moats
to protect their kings, the cloud needs more than one defense mechanism to protect sensitive data
(Son & Kim, 2012, p.192). To confirm a login identity, multi-factor authentication uses
something a user knows, has, is, and/or does (Kim & Hong, 2011, p.187). Before scaling to a
large corporation, one must first understand the process on an individual level. Large
corporations such as Google and Facebook already allow multi-factor authentication for the
everyday consumer (Van Rijswijk, & Van Dijk, 2011, p.7). Let’s start with a user checking their
email. On a standard login screen, a user enters his or her email and password, and then clicks
login. If the user turns on multi-factor authentication, they will see a screen similar to the one shown in
Figure 1 after clicking the login button. On the initial login screen, the user enters
something they know (email and password), and on the second screen, the user uses something
they have (smartphone). Multi-factor authentication eliminates brute force attacks and makes
social engineering almost impossible (Van Rijswijk, & Van Dijk, 2011, p.15).
Figure 1. 2-Step Verification. Screenshot from Google. Copyright 2014 by Google.
With online collaboration software, viewing and editing documents in the cloud has
benefits that greatly outweigh desktop applications (Diffin et al., 2010). The cloud completely
revolutionized the way teams collaborate; team members can view and edit documents at the
same time even if across the world (Diffin et al., 2010). Multi-factor authentication ensures the
correct people access the correct accounts (Huang, 2011, p.3-4).
Data Encryption
In an ideal collaborative cloud environment, employees store and share their files in an
encrypted SaaS cloud space. Storing and sharing in an encrypted cloud eliminates the need for
email attachments and multiple copies of a document (Diffin et al., 2010). The appendix shows
an Information Lifecycle Management (ILM) chart with all the possible avenues for a sensitive
document. As shown, a file becomes less secure the farther it gets from an encrypted internal
site. File encryption in the cloud also eliminates the problems of email encryption. When an
employee uploads a file to the cloud, the file encrypts automatically without user action or notice
(Wang, Wang, & Ren, 2011, p.282). Unlike email, the document faces no restrictions due to
people not possessing encryption software. In the cloud, an employee can send a time-restricted
link for a third party to view the document so the recipient never possesses the physical file
(Badr et al., 2011, p.245).
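One way a time-restricted viewing link can work, shown as an added example that is not part of the original paper or of any specific cloud product: the server signs the document ID and an expiry time, and refuses links that are altered or past their expiry. The key, the files.example.com address, and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real service keeps this secret on the server.
SERVER_KEY = b"constructed-demo-key-not-for-production"
BASE_URL = "https://files.example.com/view"  # hypothetical viewer address


def _sign(doc_id, expires):
    """HMAC-SHA256 over the document ID and expiry, keyed by the server."""
    message = f"{doc_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def make_link(doc_id, ttl_seconds, now):
    """Create a viewing link that stops working ttl_seconds after 'now'."""
    expires = int(now) + ttl_seconds
    query = urlencode({"doc": doc_id, "exp": expires, "sig": _sign(doc_id, expires)})
    return f"{BASE_URL}?{query}"


def check_link(url, now):
    """Return 'ok', 'expired', 'bad signature', or 'malformed'."""
    params = parse_qs(urlparse(url).query)
    try:
        doc_id = params["doc"][0]
        expires = int(params["exp"][0])
        signature = params["sig"][0]
    except (KeyError, ValueError):
        return "malformed"
    expected = _sign(doc_id, expires)
    # Constant-time comparison; check the signature before trusting 'exp'.
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return "bad signature"
    if now > expires:
        return "expired"
    return "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    link = make_link("q3-forecast", 3600, issued_at)
    print(link)
    print("10 minutes later:", check_link(link, issued_at + 600))
    print("2 hours later:   ", check_link(link, issued_at + 7200))
    extended = link.replace("exp=1700003600", "exp=1900000000")
    print("expiry edited:   ", check_link(extended, issued_at + 7200))
```

Because the expiry time is covered by the signature, a recipient cannot extend the link by editing it.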
User Permissions & Data Classification
The last step to securing data in the cloud restricts access to only the users that need to
access the given data at the given time. The common approach uses user permissions and data
classification (Li, Li, Yu, & Xie, 2010, p.3). The CEO needs to access more documents than the
new associate; therefore, the CEO should have greater rights in the cloud. Moving up the
corporate ladder increases one’s stake in the company and results in greater trust of company
assets. However, as numerous stakeholders own a corporation, no single user should have full
access to cloud files (Crampton & Khambhammettu, 2008, p.136). The first organizations to
think in this mindset were militaries. The US military sets permissions by rank and role. For
instance, tank diagnostic access may require a first lieutenant rank and an armory assignment.
Permissions make it much harder for hackers to gain sensitive information (Udhayakumar et al.,
2014, p.235). Hacking a sales employee will not help the hacker gain access to R&D intellectual
property. Similar to user permissions, data classification marks documents on their business
value and their impact if a leak were to occur. Below is an example of a data classification
policy (Gorge, 2008, p.6):
• Public Data: Information already available to the public
• Internal Data: Information related to everyday processes available to most employees
• Confidential Data: Information limited to specific people or roles
Data classification and user permissions work together to restrict access to confidential
information, and stop hackers in their tracks.
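How user permissions and the three classification levels above can combine into a single access decision, shown as an added example that is not part of the original paper. The users, documents, departments, and rank numbers are constructed, and the rule for confidential data (same department and minimum rank, or an explicit named reader) is an assumption modeled on the rank-plus-assignment example in the text.

```python
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class User:
    name: str
    department: str
    rank: int              # higher number = more senior
    employee: bool = True


@dataclass(frozen=True)
class Document:
    title: str
    classification: str
    department: str
    min_rank: int = 0
    named_readers: frozenset = frozenset()


def can_read(user, doc):
    """Decide access from the document's label and the user's role and rank."""
    level = LEVELS.get(doc.classification)
    if level is None:
        return False                      # unknown label: deny by default
    if level == LEVELS["public"]:
        return True
    if not user.employee:
        return False                      # internal and above: employees only
    if level == LEVELS["internal"]:
        return True
    # Confidential: a named reader, or the right department AND enough rank.
    if user.name in doc.named_readers:
        return True
    return user.department == doc.department and user.rank >= doc.min_rank


# Constructed sample users and documents.
SAM = User("sam", "sales", rank=2)
RITA = User("rita", "r&d", rank=3)
JO = User("jo", "r&d", rank=1)
CAROL = User("carol", "executive", rank=9)
VIC = User("vic", "vendor", rank=0, employee=False)

PRESS = Document("Press release", "public", "marketing")
HANDBOOK = Document("Employee handbook", "internal", "hr")
HOUSTON = Document("Project Houston design", "confidential", "r&d",
                   min_rank=3, named_readers=frozenset({"carol"}))
PAYROLL = Document("Payroll ledger", "confidential", "finance", min_rank=4)

if __name__ == "__main__":
    for user in (SAM, RITA, JO, CAROL, VIC):
        allowed = [d.title for d in (PRESS, HANDBOOK, HOUSTON, PAYROLL) if can_read(user, d)]
        print(f"{user.name:6} {allowed}")
```

A compromised sales account cannot open the R&D design, and even the CEO is refused the payroll ledger because no single user holds full access.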
Penetration Testing
With all the controls in place, how does a corporation ensure the controls work properly?
How does the IT security department prove their spending was worthwhile? Unfortunately, a
corporation oftentimes only learns they have a problem after a breach takes place. Because of
this, corporations now attempt to hack themselves as a reliable way of testing their security
controls. Internal IT departments along with external consultants perform penetration testing,
hacking a computer system with the intent of fixing vulnerabilities, to see if their controls
function properly (Naik, Kurundkar, Khamitkar, & Kalyankar, 2009, p.187). Some large
organizations have entire teams devoted to hacking their own company on a daily basis. These
white hat hackers regularly prepare employees for a real threat by attempting every attack from
social engineering to low-level software exploits (Naik et al., 2009, p.189).
Business Impact
With intrusions taking place daily, corporations can no longer afford to ignore cloud
computing, and developing a secure collaborative environment prevents catastrophic business
impact (Martin, Kadry, & Abu-Shady, 2014, p.149). Data loss in any form can easily put any
corporation in newspaper headlines (Joerling, 2010, p.467). Especially in the case of personally
identifiable information, corporations suffer a substantial setback to their reputation. Just as
Target, Sony, and eBay experienced stock price drops and consumer boycotts, a corporate data
leak could leave customers wary of purchasing corporate brands (Lee & Lee, 2010). Trade
secrets, secret formulas, and marketing strategies in the hands of competitors equates to a worse
scenario. This would then in turn affect speed to market where a competitor could release the
exact same product with the exact same strategy before the victim does (Martin et al., 2014,
p.150). While gaining funding for security projects proves daunting, recent breach reports finally
provide evidence to increase security spending. The cyber security firm Symantec estimated the
cyber crime industry at an annual $114 billion affecting more than one million victims per day
(Al-Hadadi & Al-Shidhani, 2013, p.577).
Limitations and Further Research
While this paper has demonstrated the importance of security controls in a collaborative
cloud environment, specific industry trends and data types require further research. No perfect
solution exists to collaborating in the cloud. Many providers push high switching costs and make
it impossible to utilize multiple SaaS brands in a single cloud environment (Abu-Libdeh,
Princehouse, & Weatherspoon, 2010, p.6). Company size and industry also play a large role in
choosing a cloud environment. A retail corporation will have much different types of sensitive
data than a hi-tech firm. The starting point of any cloud security program begins with knowing
the ins and outs of the corporation in question.
Conclusion
Regardless of company size or industry, the mission stays the same: keep the company’s
crown jewels safe. Implementing cloud solutions boosts productivity and ease of work. With an
active security program in place, sensitive information stays secure as well (Vacca, 2011, p.160).
A successful security program engrains the mentality into the company’s culture and everyday
business activities. Developing a superior security framework does not help after a breach
occurs, and every company is in the crosshairs (Puhakainen & Siponen, 2010, p.769). As
corporations fully transition into the cloud, security as a top priority belongs on every manager’s
mind.
References
Abraham, S., & Chengalur-Smith, I. (2010). An overview of social engineering malware:
Trends, tactics, and implications. Technology in Society, 32(3), 183-196.
Abu-Libdeh, H., Princehouse, L., & Weatherspoon, H. (2010). RACS: A Case for Cloud Storage
Diversity. SoCC’10. doi:10.1145/1807128.1807165
Al-Hadadi, M., & AlShidhani, A. (2013). Smartphone Forensics Analysis: A Case
Study. International Journal of Computer and Electrical Engineering, 5(6), 576-580.
Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R. H., Konwinski, A., Zaharia, M.
(2009). Above the Clouds: A Berkeley View of Cloud Computing. University of
California at Berkeley, 1-23.
Ashenden, D. (2008). Information Security management: A human challenge? Information
Security Technical Report, 1-12.
Badr, Y., Biennier, F., & Tata, S. (2011). The Integration of Corporate Security Strategies in
Collaborative Business Processes. IEEE Transactions on Services Computing, 4(3), 243-
254.
Camenisch, J. (2011). Security and Privacy Implications of Cloud Computing – Lost in the
Cloud. In Open research problems in network security IFIP WG 11.4 international
workshop, iNetSec 2010, Sofia, Bulgaria, March 5-6, 2010 : Revised selected papers (pp.
149-158). Heidelberg: Springer.
Crampton, J., & Khambhammettu, H. (2008). Delegation in Role-Based Access
Control. International Journal of Information Security, 123-136.
Diffin, J., Chirombo, F., & Nangle, D. (2010). Cloud Collaboration: Using Microsoft SharePoint
as a Tool to Enhance Access Services. Journal of Library Administration, 50(5).
doi:10.1080/01930826.2010.488619
El-Hajj, W., Aloul, F., Trabelsi, Z., & Zaki, N. (2008). On Detecting Port Scanning Using Fuzzy
Based Intrusion Detection System. IEEE, 105-110.
Fokoue, A., Srivatsa, M., Rohatgi, P., Wrobel, P., & Yesberg, J. (2009). A Decision Support
System for Secure Information Sharing. SACMAT, 105-114.
Gorge, M. (2008). Data protection: why are organisations still missing the point? Computer
Fraud & Security, 5-8.
Ghorbanian, S., & Fryklund, G. (2014). Improving DLP system security. Blekinge Institute of
Technology, 1-46.
Google. (2014). [Screenshot]. Retrieved from https://accounts.google.com/
Goundar, S. (2012). Cloud Computing: Understanding the Technology before Getting
“Clouded”. Recent Progress in Data Engineering and Internet Technology, 157, 217-222.
Huang, X., Xiang, Y., Chonka, A., Zhou, J., & Robert, D. H. (2011). A Generic Framework for
Three-Factor Authentication: Preserving Security and Privacy in Distributed Systems.
IEEE Transactions on Parallel and Distributed Systems, 1-8.
Jalaparti, V., Ballani, H., Costa, P., Karagiannis, T., & Rowstron, A. (2012). Bridging the
Tenant-Provider Gap in Cloud Services. SOCC’12, 1-14.
Joerling, J. (2010). Data Breach Notification Laws: An Argument for a Comprehensive Federal
Law to Protect Consumer Data. Wash. U. J. L. & Pol'y, 32, 467-488.
Julisch, K., & Hall, M. (2010). Security and Control in the Cloud. Information Security Journal:
A Global Perspective, 19(6), 299-309.
Karjalainen, M., & Siponen, M. (2011). Toward a New Meta-Theory for Designing Information
Systems (IS) Security Training Approaches. Journal of the Association for Information
Systems, 12(8), 518-555.
Khamees, H., Kahlf, J., & Al-sajee, A. (2012). Encryption and Decryption of Data by Using
Geffe Algorithm. International Journal of Modern Engineering Research, 2(3), 1354-
1359.
Kim, J., & Hong, S. (2011). A Method of Risk Assessment for Multi-Factor Authentication.
Journal of Information Processing Systems, 7(1), 187-198.
Kindy, D. A., & Pathan, A. K. (2011). A survey on SQL injection: Vulnerabilities, attacks, and
prevention techniques. International Islamic University Malaysia.
doi:10.1109/ISCE.2011.5973873
LeClair, J., & Pheils, D. (2014). Are We Prepared: Issues Relating to Cyber Security
Economics. American Society for Engineering Education, 1-12.
Lee, M., & Lee, J. (2010). The Impact of Information Security Failure on Customer Behaviors:
A Study on a Large-scale Hacking Incident on the Internet. Information Systems
Frontiers. doi:10.1007/s10796-010-9253-1
Li, G., Li, C., Yu, W., & Xie, J. (2010). Security Accessing Model for Web Service based Geo-
spatial Data Sharing Application. ISDE Digital Earth, 3, 1-10.
Lorey, J. (2011). A Granular Approach for Information Lifecycle Management in the
Cloud. Proceedings of the 5th Ph. D. Retreat of the HPI Research School on Service-
oriented Systems Engineering, 5, 25.
Martin, C., Kadry, A., & Abu-Shady, G. (2014). Quantifying the Financial Impact of IT Security
Breaches on Business Processes. IEEE, 12, 149-155.
Monda, S., Bours, P., & Idrus, S. (2013). Complexity Measurement of a Password for Keystroke
Dynamics: Preliminary Study. SIN ’13, 301-305.
Naik, N. A., Kurundkar, G. D., Khamitkar, S. D., & Kalyankar, N. V. (2009). Penetration
Testing: A Roadmap to Network Security. Computing Research Repository, 1(1), 187-
190.
Pauley, W. A. (2010). Cloud Provider Transparency: An Empirical Evaluation. IEEE Security &
Privacy, 8(6), 32-39.
Puhakainen, P., & Siponen, M. (2010). Improving Employees’ Compliance through Information
Systems Security Training: An Action Research Study. MIS Quarterly, 34(4), 767-A4.
Siponen, M. T., Pahnila, S., & Mahmood, M. A. (2010). Compliance with Information Security
Policies: An Empirical Investigation. IEEE Computer, 64-71.
Son, H., & Kim, S. (2012). Defense–in–Depth Strategy for Smart Service Sever Cyber
Security. Computer Applications for Communication, Networking, and Digital
Contents, 350, 181-188.
Sowmya, S., Deepika, P., & Naren, J. (2014). Layers of Cloud – IaaS, PaaS and SaaS: A
Survey. International Journal of Computer Science and Information Technologies, 5(3),
4477-4480.
Udhayakumar, R., Jawahar, M., & Ramasamy, I. (2014). Providing Access Permissions to
Legitimate Users by Using Attribute Based Encryption Techniques In
Cloud. International Journal of Innovative Research in Science, Engineering and
Technology, 3(1), 235-240.
Vacca, W. (2011). Military Culture and Cyber Security. Survival: Global Politics and
Strategy, 53(6), 159-176.
Van Rijswijk, R., & Van Dijk, J. (2011). A Novel Take on Two‐Factor Authentication. LISA, 1-
17.
Vykopal, J., Plesnik, T., & Minarik, P. (2009, March). Network-based dictionary attack
detection. In Future Networks, 2009 International Conference on (pp. 23-27). IEEE.
Wang, C., Wang, Q., & Ren, K. (2011). Towards Secure and Effective Utilization over
Encrypted Cloud Data. IEEE, 282-286.
Wang, H., Jia, Z., & Shen, Z. (2009). Research on Security Requirements Engineering
Process. Industrial Engineering and Engineering Management, 16, 1285-1288.
Workman, M. (2008). Wisecrackers: A Theory-grounded Investigation of Phishing and Pretext
Social Engineering Threats to Information Security. Journal of The American Society for
Information Science and Technology. doi:10.1002/asi.2077
Appendix
Information Lifecycle Management
The flowchart below represents the possible scenarios for a confidential document in a
corporate collaborative cloud environment. The blue represents a secure file location, the
orange: low/medium risk, and the red: high risk (Lorey, 2010).
[Flowchart: Information Lifecycle Management for a confidential document. Node labels: Confidential Document, Confidential Internal Site, Standard Internal Site, Cloud Viewer/Editor, Local HDD, Team Member Local HDD, Email Attachment, Encrypted External Media, Unencrypted External Media, External Source. Legend label: Recommended.]