
SECURING A COLLABORATIVE ENVIRONMENT 1

Securing a Collaborative Environment:

Corporate Cloud Risk for the Non-Technical Leader

Joseph Pidala

University of Texas

December 7, 2014


Abstract

Cyber risk looms over the corporate world with staggering statistics released daily; yet somehow it still feels invisible – “hacks” carried out by criminals using processes no one understands. As we open up business to the cyber world, incredible opportunities await us, but malicious intent, abuse, and exploitation come along for the ride. By design, cloud collaboration means working quickly, openly, and efficiently, while corporations still lean on a safer, conservative culture (Diffin, Chirombo, & Nangle, 2010). The million-dollar solution not only finds the right balance between security and open collaboration but also presents the information in a way that a non-technical leader can easily begin implementing. The following paper addresses these concerns and makes every effort to inform managers of best practices for securing their collaborative cloud environment.

Keywords: cyber security, cloud computing, corporate, collaboration, infosec


Securing a Collaborative Environment:

Corporate Cloud Risk for the Non-Technical Leader

In 2014, online crime affects everyone in some form, whether something small like an email address or something more drastic such as a credit card number. While breaches happen daily, hackers have yet to cause serious harm to individual consumers (Lee & Lee, 2010). However, what does a cyber security breach mean to a large corporation? According to the Ponemon Institute’s 2013 Cost of Cyber Crime Study, the average cost of online crime increased 78% in the past four years, totaling $11.56 million annually per company (LeClair & Pheils, 2014, p.3). Such unacceptable statistics put heavy stress on corporations that live and breathe off shareholder return. Though the paper assesses many risks, one goal always stays in mind: keep the corporation’s crown jewels safe. A company’s sensitive information can vary vastly depending on the company (LeClair & Pheils, 2014, p.9). For instance, a retail store may consider customer credit cards its most crucial information, while a technology company may consider intellectual property its main concern. A successful corporate cloud environment requires a combination of the right technology, culture, and administrative policies (Vacca, 2011, p.160); the subsections below address finding the balance between these controls.

Cloud Computing

Securing a corporate cloud environment begins with fully grasping the different aspects of cloud computing and understanding all the moving parts. Before cloud computing, corporations utilized on-site servers to store company information for employees to use (Goundar, 2012, p.217). A local datacenter takes many resources, such as time, space, and power, to operate. In addition, most corporations do not need the same amount of computing power and data storage year-round due to seasonal production (Goundar, 2012, p.218). For example, toy companies see much more traffic to their websites during holiday times than they do during non-peak periods of the year. With cloud computing, the toy store can change how much power and storage it needs at any given time by a simple call to its provider (Pauley, 2010, p.33).

The intangibility of cloud computing makes the practice difficult to grasp, but a cloud provider simply takes the same role as a cell service provider. When a customer needs more minutes, he or she simply calls the provider to scale the plan. When a corporation needs more storage space, it simply calls its provider and bumps up its plan as well. A cell service customer does not purchase the cell towers used to provide the service, just as a corporation does not purchase the hardware from a cloud provider (Jalaparti, Ballani, Costa, Karagiannis, & Rowstron, 2012, p.1).

A corporation will most likely utilize all three tiers of the cloud: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) (Sowmya, Deepika, & Naren, 2014, p.4477). Infrastructure incorporates computer hardware such as servers, storage drives, and networking components (Julisch & Hall, 2010, p.299). When management pays for IaaS, it purchases time to use the physical hardware, similar to the cell service example (Armbrust et al., 2009, p.2). PaaS represents the middleware and operating system of the cloud (Julisch & Hall, 2010, p.300). Installing Windows 8 on a personal computer compares to what PaaS provides a corporation. The operating system serves as the intermediary between the physical equipment and the consumer application, providing instructions so both sides work as designed (Sowmya et al., 2014, p.4479). Lastly, the type of service most people think of when speaking of cloud computing, SaaS, provides the useful applications every corporation needs to operate (Sowmya, Deepika, & Naren, 2014, p.4480). Instead of purchasing and installing thousands of copies of Microsoft Excel, corporations can now subscribe to Office 365 and have every corporate computer running Excel instantly through the Internet (Julisch & Hall, 2010, p.300). In this way, cloud computing has transformed corporate IT into a more efficient, streamlined process.

Types of Data Breaches

While the cloud boasts more centralized data, it also opens itself to more access points (Udhayakumar, Jawahar, & Ramasamy, 2014, p.235). Corporate data breaches range from political activism to million-dollar heists, but regardless of motive, a hacker must first gain access to the corporate system. Surprisingly, the most common way of gaining unauthorized access uses little technical prowess (Workman, 2008). Social engineering, the act of manipulating someone to gain confidential information, provides criminals with unlimited attempts to gather passwords to user accounts (Abraham & Chengalur-Smith, 2010, p.183). Social engineering includes posing as a company’s IT department asking for passwords, sending fake emails meant to trick employees into downloading malicious files, and setting up fake wireless access points so employees connect to the wrong network. When an employee makes a simple mistake giving out information, the consequences can be as vast as those of a technical attack (Workman, 2008).

A technical technique for gaining unauthorized access scans network ports for vulnerabilities and uses programming to exploit flaws in insufficiently secured code (El-Hajj, Aloul, Trabelsi, & Zaki, 2008, p.105). A burglar checking for unlocked doors on an individual’s home represents a prime non-technical analogy. Once the hacker finds a hole in the system, he or she executes code to give themselves authorized credentials. At this time, the hacker may roam and download whatever he or she pleases (El-Hajj et al., 2008, p.105). The most common attack on a database, SQL injection, attempts to ask the server for information it was not expecting, resulting in the system crashing (Kindy & Pathan, 2011). For example, if a form asks for a username, what happens if you type in computer code instead? A hacker can talk directly to the server through a simple text box if the system is not set up securely (Kindy & Pathan, 2011).
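The "text box talks to the server" problem above is easiest to see with the two ways a login form can build its database query. The following is an added example, not code from the paper or from any system it cites; the user table, the in-memory SQLite database and the probe string are constructed for illustration. The first lookup pastes the typed text into the SQL command; the second binds it as a parameter, which is the fix a security reviewer asks for.

```python
import sqlite3


# Constructed in-memory directory (not from the paper).
def setup_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, department TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "sales"), ("bob", "rnd"), ("carol", "executive")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query by pasting the text box contents into the SQL string, so
    the server parses whatever the user typed as part of the command itself."""
    sql = "SELECT username, department FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value travels separately from the query text and is only
    ever compared as data, so nothing typed into the box can change the command."""
    sql = "SELECT username, department FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The textbook probe: a quote that closes the string literal, followed by a
# condition that is always true. It is the input a penetration tester would
# type into the username box to check which of the two lookups is in use.
PROBE = "' OR '1'='1"
```

Against the vulnerable lookup the probe returns every row in the table; against the parameterized lookup it returns nothing, because the database looks for a user literally named `' OR '1'='1`. Detection on the defender's side is a matter of logging the raw form input and alerting on quote characters and SQL keywords arriving in a username field.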

A hacker will always find the weakest link in a security system. Oftentimes with very large corporations, corporate partners leave holes that the company does not actively assess. If a partner has the same confidential information due to a joint operation and its system lacks the necessary security controls, the hacker will just go after the partner instead (Badr, Biennier, & Tata, 2011, p.244). Lastly, most employees set simple passwords, making them easy to crack. In a brute force attack, a powerful computer attempts every single combination of letters, numbers, and symbols until it cracks the password (Workman, 2008). Hackers advanced the method even further by developing processes such as the dictionary attack. In this method, the computer starts with words found in a dictionary to speed up the cracking process (Vykopal, Plesnik, & Minarik, 2009, p.23).

With the multitude of ways hackers gain access to corporate systems, cloud computing poses an additional risk. In cloud computing, people across the globe can connect and access the same cloud files. With an insecure cloud, hackers can gain access to more information with less effort. Because of this, system admins need to stress a security mindset and strictly regulate employee accounts, passwords, and permissions (Udhayakumar et al., 2014, p.235).

The Security Mindset

To succeed in a collaborative cloud environment, employees must understand the importance of collaborating securely. Employees will not change their actions based purely on policy, and finding rule-breakers proves an impossible task (Siponen, Pahnila, & Mahmood, 2010, p.64). If a large corporation has a policy to refrain from emailing sensitive documents without encryption, no reasonable system exists to catch someone in the act. This shows technology’s key flaw even today: computers do not understand context. A system admin could easily block all unencrypted email, but encrypting every single message would limit productivity and possible recipients (Siponen et al., 2010, p.68). The next option implements a Data Loss Prevention (DLP) system. DLP software scans outgoing data in use, in motion, and at rest (Ghorbanian & Fryklund, 2014, p.2). While DLP easily catches structured data such as social security numbers, it cannot detect projects referred to by code words, which Research & Development divisions regularly use (Ghorbanian & Fryklund, 2014, p.10). R&D divisions actively manage the most sensitive intellectual property within a company, and if they email out a document about a codename, Project Houston, DLP will not pick the email out as a threat (Ghorbanian & Fryklund, 2014, p.19). The corporate network also limits DLP’s use. While DLP scans data at rest within company walls, a data breach renders the software useless (Ghorbanian & Fryklund, 2014, p.40). These examples support the hypothesis of developing a security mindset throughout the company. Only the individual employee can know if their actions truly put the corporation at risk. Therefore, C-Suite members must make it a priority and set the tone from the top so others follow their actions (Siponen et al., 2010, p.68).
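The DLP limitation described above, structured data caught and a codename missed, can be reproduced with a small scanner. This is an added example, not code from the paper or from any DLP product it cites; the outbox messages, the patterns and the codename list are constructed. The scanner matches social security and card numbers by shape (with a Luhn check to suppress random digit strings), but it has no shape to match a phrase like "Project Houston" on, so it flags that message only if the codename was registered with the engine beforehand.

```python
import re

# Constructed sample outbox (not from the paper): message id, body text.
OUTGOING = [
    ("msg-1", "Payroll update: employee SSN 123-45-6789 moved to the new plan."),
    ("msg-2", "Attached are the Project Houston test results for your review."),
    ("msg-3", "Corporate card 4111 1111 1111 1111 was used for the conference."),
    ("msg-4", "Lunch on Friday?"),
]

# Structured data has a fixed shape, so a pattern catches it reliably.
STRUCTURED_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum: drops random 16-digit strings that merely look like card numbers."""
    digits = [int(d) for d in number if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text: str, codenames=()) -> list:
    """Return the labels of sensitive content found in one outgoing message."""
    findings = []
    for label, pattern in STRUCTURED_PATTERNS.items():
        for match in pattern.finditer(text):
            if label == "credit_card" and not luhn_ok(match.group()):
                continue
            findings.append(label)
    # Unstructured secrets such as a project codename have no shape to match on;
    # the engine only flags them if someone registered the codename beforehand.
    lowered = text.lower()
    for name in codenames:
        if name.lower() in lowered:
            findings.append("codename:" + name)
    return findings


def scan_outbox(messages, codenames=()) -> dict:
    """Scan every message; an empty list means the DLP engine would let it through."""
    return {msg_id: scan_message(body, codenames) for msg_id, body in messages}
```

Run with no codename list, msg-2 passes clean; run with `codenames=("Project Houston",)` it is flagged. Keeping that list current is a human process owned by the R&D division, which is the paper's point: the tool works only as far as the people behind it tell it what matters.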

Security Awareness Training

Once a security mindset establishes a baseline, security awareness training targets misconceptions and prevents employees from making unknowing mistakes. Nearly all companies have security awareness trainings, but not all trainings turn out to be effective (Puhakainen & Siponen, 2010, p.757). According to a 2010 study by Puhakainen and Siponen, successful security awareness training encompasses the following traits (p.775):

1) Designing with respect to the corporate mission
2) Utilizing examples directly relating to the audience
3) Acknowledging the audience’s previous security education
4) Applying training methods that promote positive mental stimuli
5) Integrating training into everyday business communications
6) Exhibiting visible support from upper management
7) Promoting security discussion through informational gatherings

Depending on the security budget, implementing these features through web training, video training, or in-person training proved to raise awareness when interview notes from before and after the training were compared (Puhakainen & Siponen, 2010, p.769).

Fast-paced non-technical roles proved the most at risk for exposing confidential data, for many reasons. In sales, employees often receive tight deadlines where speed of work affects pay. Employees will frequently cut corners to get the job done quickly, tossing security out the window first (Puhakainen & Siponen, 2010, p.767). These employees usually do not understand the technical jargon in trainings or the potential consequences of their seemingly harmless actions, such as sending an email without encryption (Karjalainen & Siponen, 2011, p.519). Security awareness training provides these non-technical roles with the information they need to make knowledgeable decisions.

Password Complexity

Once training develops a security-conscious employee, technical controls can then add assurance to a corporation’s cloud environment. Renowned cryptographer Bruce Schneier expressed that “security is a process, not a product” (Wang, Jia, & Shen, 2009, p.1285). Only after an employee understands the “why” can management expect them to make appropriate decisions (Siponen et al., 2010, p.68). Implementing a complex password requirement deters social engineering and brute force attacks (Workman, 2008). Examples of password requirements include: a 12-character minimum; including a letter, number, and symbol; and restricting dictionary words (Vykopal et al., 2009, p.23). The goal is to make a policy strict enough to prevent criminals from easily guessing a password and lenient enough that employees can memorize their passwords without writing them down (Monda, Bours, & Idrus, 2013, p.301).
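The three requirements just listed (12-character minimum; a letter, a number and a symbol; no dictionary words) translate directly into a check that runs when an employee sets a new password. The code below is an added example, not from the paper or from any product it cites; the five-word dictionary and the leet-substitution table are constructed stand-ins for the full word list and breached-password data a real deployment would load. It goes slightly beyond the text in one respect: the dictionary rule strips digits and symbols and undoes common substitutions first, so that "P@ssw0rd123!" is still recognised as the word "password" even though it satisfies the other three rules.

```python
import re

# Constructed stand-in for a real word list (a production check would load a
# full dictionary plus breached-password lists).
DICTIONARY_WORDS = {"password", "welcome", "houston", "summer", "company"}

# Common substitutions people use to sneak a dictionary word past a filter.
_LEET = str.maketrans("@$0", "aso")


def password_policy_violations(password: str, min_length: int = 12,
                               dictionary=DICTIONARY_WORDS) -> list:
    """Return every rule the candidate password breaks; an empty list means it complies."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Dictionary rule: undo leet substitutions and keep only letters, so the
    # comparison sees the word the user actually typed around the decorations.
    letters = re.sub(r"[^a-z]", "", password.lower().translate(_LEET))
    for word in sorted(dictionary):
        if len(word) >= 4 and word in letters:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def is_compliant(password: str) -> bool:
    return not password_policy_violations(password)
```

Returning the full list of violations rather than a bare yes/no is deliberate: the paper's balance between strictness and memorability is easier to hold when the employee is told exactly which rule failed instead of being bounced back to a blank form.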

Multi-Factor Authentication

A further advancement, multi-factor authentication applies a security tactic humans have used for thousands of years: defense in depth. Just as medieval castles had walls as well as moats to protect their kings, the cloud needs more than one defense mechanism to protect sensitive data (Son & Kim, 2012, p.192). To confirm a login identity, multi-factor authentication uses something a user knows, has, is, and/or does (Kim & Hong, 2011, p.187). Before scaling to a large corporation, one must first understand the process on an individual level. Large corporations such as Google and Facebook already allow multi-factor authentication for the everyday consumer (Van Rijswijk & Van Dijk, 2011, p.7). Let’s start with a user checking their email. On a standard login screen, a user enters his or her email and password, and then clicks login. If the user turns on multi-factor authentication, they will see a screen similar to the one on the following page (Figure 1) after clicking the login button. On the initial login screen, the user enters something they know (email and password), and on the second screen, the user uses something they have (smartphone). Multi-factor authentication eliminates brute force attacks and makes social engineering almost impossible (Van Rijswijk & Van Dijk, 2011, p.15).


Figure 1. 2-Step Verification. Screenshot from Google. Copyright 2014 by Google.

With online collaboration software, viewing and editing documents in the cloud has benefits that greatly outweigh those of desktop applications (Diffin et al., 2010). The cloud completely revolutionized the way teams collaborate; team members can view and edit documents at the same time even if they are on opposite sides of the world (Diffin et al., 2010). Multi-factor authentication ensures the correct people access the correct accounts (Huang, 2011, p.3-4).
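The two-screen flow described in this section, email and password first and then a code from the user's phone, is what the service does with the code behind the scenes. The following is an added example, not code from the paper, from Google, or from any system it cites; the account record, salt and password are constructed, and the time-based one-time code follows the published HOTP/TOTP algorithms (RFC 4226 and RFC 6238) using the reference secret from RFC 6238 so that the expected codes are known. The login succeeds only when the stored password hash matches (something the user knows) and the six-digit code for the current 30-second window matches (something the user has).

```python
import hashlib
import hmac
import struct
import time

# Constructed demo account (not from the paper). The password is stored as a
# salted PBKDF2 hash, and the TOTP secret is the one shared with the user's
# phone at enrolment. The secret value is the RFC 6238 reference secret.
DEMO_SALT = b"constructed-demo-salt"
DEMO_TOTP_SECRET = b"12345678901234567890"


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


ACCOUNT = {
    "email": "alice@example.com",
    "password_hash": hash_password("Tr33-house!Quartz7", DEMO_SALT),
    "totp_secret": DEMO_TOTP_SECRET,
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second window."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current window and `window` steps either side to absorb clock drift."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


def login(account: dict, email: str, password: str, code: str, now=None) -> bool:
    """Second screen of the flow: the password (something known) and the phone
    code (something possessed) must both check out."""
    now = int(time.time()) if now is None else now
    knows = email == account["email"] and hmac.compare_digest(
        hash_password(password, DEMO_SALT), account["password_hash"])
    # Evaluate both factors regardless, so response timing does not reveal which one failed.
    has = verify_totp(account["totp_secret"], code, now)
    return knows and has
```

The one-step window is the usual compromise between a phone whose clock drifts and a code that stays valid for too long; a stolen password alone fails the second check, which is the brute-force point the section makes.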

Data Encryption

In an ideal collaborative cloud environment, employees store and share their files in an encrypted SaaS cloud space. Storing and sharing in an encrypted cloud eliminates the need for email attachments and multiple copies of a document (Diffin et al., 2010). The appendix shows an Information Lifecycle Management (ILM) chart with all the possible avenues for a sensitive document. As shown, a file becomes less secure the farther it gets from an encrypted internal site. File encryption in the cloud also eliminates the problems of email encryption. When an employee uploads a file to the cloud, the file is encrypted automatically without user action or notice (Wang, Wang, & Ren, 2011, p.282). Unlike email, the document carries no restrictions due to people not possessing encryption software. In the cloud, an employee can send a time-restricted link for a third party to view the document, so the recipient never possesses the physical file (Badr et al., 2011, p.245).
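The time-restricted link mentioned at the end of this section is, in practice, a URL whose document id, recipient and expiry time are bound together by a keyed hash that only the cloud service can produce. The code below is an added example, not from the paper or from any provider it cites; the signing key, viewer endpoint and document ids are constructed. The viewer validates the signature before checking the clock, so a tampered document id, recipient or expiry is rejected as a forgery rather than treated as an expired link.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed signing key (not from the paper); held only by the cloud service,
# so only the service can mint links and only the service can validate them.
SERVER_KEY = b"constructed-server-signing-key"
BASE_URL = "https://cloud.example.com/view"   # hypothetical viewer endpoint


def _payload(doc_id: str, recipient: str, expires: int) -> bytes:
    return f"{doc_id}|{recipient}|{expires}".encode()


def make_share_link(doc_id: str, recipient: str, ttl_seconds: int, now: int,
                    key: bytes = SERVER_KEY) -> str:
    """Mint a link naming the document, the intended recipient and an expiry,
    all bound together by an HMAC so none of the three can be edited."""
    expires = now + ttl_seconds
    sig = hmac.new(key, _payload(doc_id, recipient, expires), hashlib.sha256).hexdigest()
    return BASE_URL + "?" + urlencode({"doc": doc_id, "to": recipient, "exp": expires, "sig": sig})


def check_share_link(url: str, now: int, key: bytes = SERVER_KEY):
    """Return (ok, detail). The viewer streams the document only when ok is True;
    the file itself never leaves the encrypted store."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        doc_id, recipient = params["doc"], params["to"]
        expires, sig = int(params["exp"]), params["sig"]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = hmac.new(key, _payload(doc_id, recipient, expires), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, doc_id
```

Because the recipient is part of the signed payload, the service can also log who each link was issued to and tie every view back to a named third party, which is what an incident responder needs when a document turns up somewhere it should not.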

User Permissions & Data Classification

The last step to securing data in the cloud restricts access to only the users that need to access the given data at the given time. The common approach uses user permissions and data classification (Li, Li, Yu, & Xie, 2010, p.3). The CEO needs to access more documents than the new associate; therefore, the CEO should have greater rights in the cloud. Moving up the corporate ladder increases one’s stake in the company and results in greater trust with company assets. However, as numerous stakeholders own a corporation, no single user should have full access to cloud files (Crampton & Khambhammettu, 2008, p.136). The first organizations to think in this mindset were militaries. The US military sets permissions by rank and role. For instance, tank diagnostic access may require a first lieutenant rank and an armory assignment. Permissions make it much harder for hackers to gain sensitive information (Udhayakumar et al., 2014, p.235). Hacking a sales employee will not help the hacker gain access to R&D intellectual property. Similar to user permissions, data classification marks documents by their business value and their impact if a leak were to occur. Below is an example of a data classification policy (Gorge, 2008, p.6):

• Public data: Information already available to the public
• Internal data: Information related to everyday processes, available to most employees
• Confidential data: Information limited to specific people or roles

Data classification and user permissions work together to restrict access to confidential information and stop hackers in their tracks.
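The rank-and-role rule and the three-level classification policy above combine into a single access decision. The following is an added example, not code from the paper or from any system it cites; the roles, divisions, users and documents are constructed. Rank sets a ceiling on classification (the associate stops at internal data, the engineer and the CEO reach confidential), and confidential material additionally requires membership of the division that owns it, which is how the example models "no single user should have full access": a compromised sales account never reaches R&D material, and even the CEO does not see another division's confidential files.

```python
from dataclasses import dataclass

# Classification ladder from the policy above; a higher number means more sensitive.
CLASSIFICATION_LEVEL = {"public": 0, "internal": 1, "confidential": 2}

# Constructed role table (not from the paper): the highest classification each
# role may read. Rank raises the ceiling, as the CEO-versus-associate comparison suggests.
ROLE_CEILING = {"associate": "internal", "engineer": "confidential", "ceo": "confidential"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    division: str


@dataclass(frozen=True)
class Document:
    doc_id: str
    classification: str
    owner_division: str


def can_read(user: User, doc: Document) -> bool:
    """Rank sets the ceiling; confidential material additionally requires membership
    of the owning division, so no single account, the CEO's included, reaches
    every confidential file."""
    level = CLASSIFICATION_LEVEL[doc.classification]
    if level > CLASSIFICATION_LEVEL[ROLE_CEILING[user.role]]:
        return False
    if doc.classification == "confidential" and user.division != doc.owner_division:
        return False
    return True


def accessible(user: User, documents) -> list:
    """Document ids the user would see in the cloud workspace."""
    return [d.doc_id for d in documents if can_read(user, d)]


# Constructed sample directory and document store.
USERS = {
    "alice": User("alice", "associate", "sales"),
    "bob": User("bob", "engineer", "rnd"),
    "carol": User("carol", "ceo", "executive"),
}
DOCUMENTS = [
    Document("price-list", "public", "sales"),
    Document("holiday-schedule", "internal", "hr"),
    Document("houston-design", "confidential", "rnd"),
    Document("board-minutes", "confidential", "executive"),
]
```

The decision function is the place to add an audit log line for every denial: a burst of denied reads against confidential documents from one account is exactly the signal a security operations team wants when a sales login has been phished.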

Penetration Testing

With all the controls in place, how does a corporation ensure the controls work properly? How does the IT security department prove its spending was worthwhile? Unfortunately, a corporation oftentimes only learns it has a problem after a breach takes place. Because of this, corporations now attempt to hack themselves as a reliable way of testing their security controls. Internal IT departments along with external consultants perform penetration testing, hacking a computer system with the intent of fixing vulnerabilities, to see if their controls function properly (Naik, Kurundkar, Khamitkar, & Kalyankar, 2009, p.187). Some large organizations have entire teams devoted to hacking their own company on a daily basis. These white hat hackers regularly prepare employees for a real threat by attempting every attack from social engineering to low-level software exploits (Naik et al., 2009, p.189).

Business Impact

With intrusions taking place daily, corporations can no longer afford to ignore cloud computing, and developing a secure collaborative environment prevents catastrophic business impact (Martin, Kadry, & Abu-Shady, 2014, p.149). Data loss in any form can easily put any corporation in newspaper headlines (Joerling, 2010, p.467). Especially in the case of personally identifiable information, corporations suffer a substantial setback to their reputation. Just as Target, Sony, and eBay experienced stock price drops and consumer boycotts, a corporate data leak could leave customers wary of purchasing corporate brands (Lee & Lee, 2010). Trade secrets, secret formulas, and marketing strategies in the hands of competitors equate to a worse scenario. This would in turn affect speed to market, where a competitor could release the exact same product with the exact same strategy before the victim does (Martin et al., 2014, p.150). While gaining funding for security projects proves daunting, recent breach reports finally provide evidence to increase security spending. The cyber security firm Symantec estimated the cyber crime industry at an annual $114 billion, affecting more than one million victims per day (Al-Hadadi & Al-Shidhani, 2013, p.577).

Limitations and Further Research

While this paper has demonstrated the importance of security controls in a collaborative cloud environment, specific industry trends and data types require further research. No perfect solution exists for collaborating in the cloud. Many providers push high switching costs and make it impossible to utilize multiple SaaS brands in a single cloud environment (Abu-Libdeh, Princehouse, & Weatherspoon, 2010, p.6). Company size and industry also play a large role in choosing a cloud environment. A retail corporation will have much different types of sensitive data than a hi-tech firm. The starting point of any cloud security program begins with knowing the ins and outs of the corporation in question.

Conclusion

Regardless of company size or industry, the mission stays the same: keep the company’s crown jewels safe. Implementing cloud solutions boosts productivity and ease of work. With an active security program in place, sensitive information stays secure as well (Vacca, 2011, p.160). A successful security program ingrains the mentality into the company’s culture and everyday business activities. Developing a superior security framework does not help after a breach occurs, and every company is in the crosshairs (Puhakainen & Siponen, 2010, p.769). As corporations fully transition into the cloud, security as a top priority belongs on every manager’s mind.


References

Abraham, S., & Chengalur-Smith, I. (2010). An overview of social engineering malware: Trends, tactics, and implications. Technology in Society, 32(3), 183-196.

Abu-Libdeh, H., Princehouse, L., & Weatherspoon, H. (2010). RACS: A Case for Cloud Storage Diversity. SoCC’10. doi:10.1145/1807128.1807165

Al-Hadadi, M., & AlShidhani, A. (2013). Smartphone Forensics Analysis: A Case Study. International Journal of Computer and Electrical Engineering, 5(6), 576-580.

Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R. H., Konwinski, A., Zaharia, M. (2009). Above the Clouds: A Berkeley View of Cloud Computing. University of California at Berkeley, 1-23.

Ashenden, D. (2008). Information Security management: A human challenge? Information Security Technical Report, 1-12.

Badr, Y., Biennier, F., & Tata, S. (2011). The Integration of Corporate Security Strategies in Collaborative Business Processes. IEEE Transactions on Services Computing, 4(3), 243-254.

Camenisch, J. (2011). Security and Privacy Implications of Cloud Computing – Lost in the Cloud. In Open research problems in network security: IFIP WG 11.4 international workshop, iNetSec 2010, Sofia, Bulgaria, March 5-6, 2010: Revised selected papers (pp. 149-158). Heidelberg: Springer.

Crampton, J., & Khambhammettu, H. (2008). Delegation in Role-Based Access Control. International Journal of Information Security, 123-136.


Diffin, J., Chirombo, F., & Nangle, D. (2010). Cloud Collaboration: Using Microsoft SharePoint as a Tool to Enhance Access Services. Journal of Library Administration, 50(5). doi:10.1080/01930826.2010.488619

El-Hajj, W., Aloul, F., Trabelsi, Z., & Zaki, N. (2008). On Detecting Port Scanning Using Fuzzy Based Intrusion Detection System. IEEE, 105-110.

Fokoue, A., Srivatsa, M., Rohatgi, P., Wrobel, P., & Yesberg, J. (2009). A Decision Support System for Secure Information Sharing. SACMAT, 105-114.

Gorge, M. (2008). Data protection: why are organisations still missing the point? Computer Fraud & Security, 5-8.

Ghorbanian, S., & Fryklund, G. (2014). Improving DLP system security. Blekinge Institute of Technology, 1-46.

Google. (2014). [Screenshot]. Retrieved from https://accounts.google.com/

Goundar, S. (2012). Cloud Computing: Understanding the Technology before Getting “Clouded”. Recent Progress in Data Engineering and Internet Technology, 157, 217-222.

Huang, X., Xiang, Y., Chonka, A., Zhou, J., & Robert, D. H. (2011). A Generic Framework for Three-Factor Authentication: Preserving Security and Privacy in Distributed Systems. IEEE Transactions on Parallel and Distributed Systems, 1-8.

Jalaparti, V., Ballani, H., Costa, P., Karagiannis, T., & Rowstron, A. (2012). Bridging the Tenant-Provider Gap in Cloud Services. SOCC’12, 1-14.

Joerling, J. (2010). Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data. Wash. U. J. L. & Pol'y, 32, 467-488.

Julisch, K., & Hall, M. (2010). Security and Control in the Cloud. Information Security Journal: A Global Perspective, 19(6), 299-309.


Karjalainen, M., & Siponen, M. (2011). Toward a New Meta-Theory for Designing Information Systems (IS) Security Training Approaches. Journal of the Association for Information Systems, 12(8), 518-555.

Khamees, H., Kahlf, J., & Al-sajee, A. (2012). Encryption and Decryption of Data by Using Geffe Algorithm. International Journal of Modern Engineering Research, 2(3), 1354-1359.

Kim, J., & Hong, S. (2011). A Method of Risk Assessment for Multi-Factor Authentication. Journal of Information Processing Systems, 7(1), 187-198.

Kindy, D. A., & Pathan, A. K. (2011). A survey on SQL injection: Vulnerabilities, attacks, and prevention techniques. International Islamic University Malaysia. doi:10.1109/ISCE.2011.5973873

LeClair, J., & Pheils, D. (2014). Are We Prepared: Issues Relating to Cyber Security Economics. American Society for Engineering Education, 1-12.

Lee, M., & Lee, J. (2010). The Impact of Information Security Failure on Customer Behaviors: A Study on a Large-scale Hacking Incident on the Internet. Information Systems Frontiers. doi:10.1007/s10796-010-9253-1

Li, G., Li, C., Yu, W., & Xie, J. (2010). Security Accessing Model for Web Service based Geo-spatial Data Sharing Application. ISDE Digital Earth, 3, 1-10.

Lorey, J. (2011). A Granular Approach for Information Lifecycle Management in the Cloud. Proceedings of the 5th Ph. D. Retreat of the HPI Research School on Service-oriented Systems Engineering, 5, 25.

Martin, C., Kadry, A., & Abu-Shady, G. (2014). Quantifying the Financial Impact of IT Security Breaches on Business Processes. IEEE, 12, 149-155.


Monda, S., Bours, P., & Idrus, S. (2013). Complexity Measurement of a Password for Keystroke Dynamics: Preliminary Study. SIN ’13, 301-305.

Naik, N. A., Kurundkar, G. D., Khamitkar, S. D., & Kalyankar, N. V. (2009). Penetration Testing: A Roadmap to Network Security. Computing Research Repository, 1(1), 187-190.

Pauley, W. A. (2010). Cloud Provider Transparency: An Empirical Evaluation. IEEE Security & Privacy, 8(6), 32-39.

Puhakainen, P., & Siponen, M. (2010). Improving Employees’ Compliance through Information Systems Security Training: An Action Research Study. MIS Quarterly, 34(4), 767-A4.

Siponen, M. T., Pahnila, S., & Mahmood, M. A. (2010). Compliance with Information Security Policies: An Empirical Investigation. IEEE Computer, 64-71.

Son, H., & Kim, S. (2012). Defense-in-Depth Strategy for Smart Service Server Cyber Security. Computer Applications for Communication, Networking, and Digital Contents, 350, 181-188.

Sowmya, S., Deepika, P., & Naren, J. (2014). Layers of Cloud – IaaS, PaaS and SaaS: A Survey. International Journal of Computer Science and Information Technologies, 5(3), 4477-4480.

Udhayakumar, R., Jawahar, M., & Ramasamy, I. (2014). Providing Access Permissions to Legitimate Users by Using Attribute Based Encryption Techniques In Cloud. International Journal of Innovative Research in Science, Engineering and Technology, 3(1), 235-240.

Vacca, W. (2011). Military Culture and Cyber Security. Survival: Global Politics and Strategy, 53(6), 159-176.


Van Rijswijk, R., & Van Dijk, J. (2011). A Novel Take on Two-Factor Authentication. LISA, 1-17.

Vykopal, J., Plesnik, T., & Minarik, P. (2009, March). Network-based dictionary attack detection. In Future Networks, 2009 International Conference on (pp. 23-27). IEEE.

Wang, C., Wang, Q., & Ren, K. (2011). Towards Secure and Effective Utilization over Encrypted Cloud Data. IEEE, 282-286.

Wang, H., Jia, Z., & Shen, Z. (2009). Research on Security Requirements Engineering Process. Industrial Engineering and Engineering Management, 16, 1285-1288.

Workman, M. (2008). Wisecrackers: A Theory-grounded Investigation of Phishing and Pretext Social Engineering Threats to Information Security. Journal of The American Society for Information Science and Technology. doi:10.1002/asi.2077


Appendix

Information Lifecycle Management

The flowchart below represents the possible scenarios for a confidential document in a corporate collaborative cloud environment. Blue represents a secure file location, orange low/medium risk, and red high risk (Lorey, 2010).

[Flowchart: Information Lifecycle Management. Only the node labels survived extraction; the arrows and colour coding did not. Nodes: Confidential Document; Confidential Internal Site; Standard Internal Site; Team Member Local HDD; Local HDD; Cloud Viewer/Editor; Email Attachment; Encrypted External Media; Unencrypted External Media; External Source.]