SECURE ENTERPRISE COLLABORATION
NURO White Paper
2017
CONTENTS
Introduction & Executive summary
Messaging: Shadow IT is the biggest enterprise challenge
Enterprise collaboration: legacy systems suffer user fatigue
Birth of the enterprise messaging & collaboration platform
Use cases
  Professional services
  Engineering field services
  Construction
  Logistics
  Retail
  Banking/Finance
  Legal
  Healthcare
5 Principles of secure messaging & collaboration
  Secure
  Private
  Controlled
  Compliance
  Customer-friendly
Conclusion & recommendations
© NURO Secure Messaging Ltd
[email protected] www.NURO.im
Introduction & Executive Summary

The following White Paper sets out the market backdrop to enterprise messaging and collaboration as it stands today. Many firms have actively embraced Bring Your Own Device (BYOD) as a strategy for its unquestionable productivity benefits. Others may have taken a more passive route, but ultimately every company has begun to recognize the fresh risks to the business that emerge from this phenomenon. In the words of Professor Alan Woodward, leading cybersecurity expert at Surrey University, U.K., “it is tantamount to throwing away all of your perimeter security.” The objective of this document is to identify some of the key pain points that enterprises have to wrestle with in relation to BYOD – with particular reference to cloud-based messaging and collaboration apps, also known as Bring Your Own Cloud (BYOC) or Shadow IT. The paper discusses the risks involved and makes a number of recommendations for CISOs that point to a potential solution. In compiling this paper we have undertaken extensive desk research and consulted the views of distinguished individuals connected with this market, including respected industry journalists, analysts and academics whose contributions and expert insight have been invaluable. The results of this research can be summarized in a number of key observations as follows:

1. The number of employees sharing company sensitive information via cloud-based apps is growing exponentially
2. The market is crowded with many startups and a few industry giants offering everything from general consumer freeware to industry-specialized solutions
3. Current solutions do not meet enterprise security requirements and are outside the organization’s control
4. Buyers are technical and skeptical of the need to invest in another layer of security
5. Enterprise solutions suffer from the misconception that security can only be obtained at the cost of the end customer experience

For a more detailed appraisal of this market, along with the risks and how best to eliminate them, please read on.
Messaging: today’s biggest enterprise challenge

Messaging apps are taking over our business lives. Not only do they provide a convenient, real-time way to stay in touch with friends and colleagues while in the office or on the move, they also replicate much of the functionality of first-generation corporate collaboration systems. According to Radicati, messaging in the enterprise is growing at a higher rate than its use for consumers. Industry observers call this trend Bring Your Own Cloud (BYOC) or Shadow IT, and it’s bad news for CIOs because personal, cloud-based messaging apps like Snapchat, WhatsApp and Facebook Messenger are totally outside the IT department’s control. Many companies are not yet willing to accept the premise that personal messaging apps pose a significant risk, and it may take a high-profile data breach before they sit up and take notice. Already there are plenty of warning signs that attackers are turning up the heat on mobile devices with phishing attacks and malware designed to penetrate corporate defenses. For example, the SpyNote RAT (Remote Access Trojan) allows attackers to gain remote administrative control of devices, while the recent Gooligan attack breached over a million Google accounts. Facebook Messenger has also been the subject of a scam capable of stealing passwords and hijacking accounts. Reports also linked it with spreading the Locky ransomware. The implication for the enterprise is that sooner or later a similar attack may lead to a data breach that discloses sensitive customer information, competitive advantage, intellectual property or financial figures. Of course, the risk may also come from inside. There is nothing to stop employees sharing confidential information, maliciously or unwittingly, with friends and associates outside of the organization. By 2020 one third of security breaches will come in through shadow IT services (Gartner).
Many CISOs today have yet to resolve the BYOD messaging conundrum in a way that satisfies the conflicting needs of the organization and its workforce. For this reason messaging is today’s biggest enterprise challenge.
Collaboration: legacy solutions suffer user fatigue

Over the years some of the technology industry’s biggest brands have invested millions of dollars developing internal systems for facilitating collaboration between teams working on projects together from different locations or even countries. Today these legacy systems have evolved beyond the confines of internal use by the organizations that created them into fully-fledged platforms they can package and market for use by other businesses. Over 40% of all platforms used within financial organizations today fall within the collaboration arena (Skyhigh Networks). The $50b Enterprise Collaboration Market is made up of many solutions covering a great many functions, from file sharing & synchronization to portals & intranets and from unified messaging to enterprise video and social networking. Enterprise collaboration platforms are ideal for fast, controlled communication between teams and departments. In many firms such platforms have replaced email as the preferred method of communication and workflow management. First-generation enterprise collaboration systems are almost exclusively used to communicate with people inside the organization. They are less well suited to exchanging information with external suppliers or industry partners. Other limitations, such as a disappointing messaging experience and a slow transition to mobile, have led to a degree of user fatigue. This in turn explains the widespread appeal of second-generation team collaboration apps. These mobile-first and cloud-delivered apps feature notification timelines, project statuses, document sharing and team chat-rooms or channels. As with messaging apps, this trend has again arrived by the back door with Shadow IT. For these tools security is not a first priority. Take-up has for the most part been among individuals and small businesses rather than as part of an approved, corporate-wide rollout.
In other words users of second-gen collaboration apps tend to be individuals left frustrated with their experiences of legacy collaboration systems.
BIRTH OF THE ENTERPRISE MESSAGING & COLLABORATION PLATFORM

CISOs are experiencing a perfect storm. Shadow IT is introducing a series of personal, cloud-based apps that replicate and in some cases converge aspects of traditional messaging and collaboration applications. Hundreds of millions of dollars are invested annually on mail, voice, data storage and business platforms, as well as the management, protection and regulation of each. These all sit protected behind the corporate firewall. None of this exists for collaboration and messaging. According to a recent Gartner survey, by 2018 50% of all group communication will occur via mobile group collaboration apps. Already over three billion people use consumer-grade group-messaging and collaboration platforms. A Nielsen study in 2015 found 97% of these do so in the workplace; of these, 75% have admitted to sending important and confidential work-related documents and 87% indicated their employer has no group-messaging policy or solution for the workplace. The key issue for CIOs and CISOs is that, regardless of function, these mobile-first, cloud-based apps lack enterprise-grade security, privacy or control. This view is supported by a recent study by Egress Software that showed 87% of CIOs believe they are exposed by legislation around protection of data shared with third parties, while 77% are frustrated that current simple encryption solutions are not sufficient and aren’t being used effectively. It is a concern that affects all industries but especially those in heavily regulated sectors like banking, finance, government, legal, retail and healthcare. In our conversations with security professionals, the evolving threat landscape and stricter regulatory requirements are putting CISOs under pressure to urgently find a way to assure the security, privacy and control of messaging and collaboration within the enterprise. And so the enterprise-grade messaging and collaboration platform is born.
Use cases

Banking & Finance

In spite of all the regulation – Sarbanes-Oxley, Basel II and so on – the banking sector is not entirely immune to security breaches. Banks are increasingly aware of the vulnerability of cloud-based personal apps and have started to clamp down on consumer chat apps at work. At the start of 2017 Deutsche Bank AG banned text messages and communication apps on company-issued phones in an effort to improve compliance standards. Elsewhere a former investment banker was given a five-figure fine after he used a communications app to leak information and "impress" a friend. Even the SWIFT messaging network has found itself at the center of sophisticated hacker attacks. Enterprise-grade messaging and collaboration platforms allow bank employees to share sensitive business information on their own personal devices in real time in a safe, private and controlled environment. APIs integrate the platform with core IT systems. Details of all information exchanges are recorded and stored in an encrypted central database. Data may be retrieved and decrypted at a later date by authorized parties as part of scheduled compliance checks.

Legal

Most companies have a duty to keep client information confidential, but this is especially true for lawyers and law firms. It is estimated that 80% of the largest law firms in the US have experienced a malicious data breach, giving cybercriminals access to private business strategies, intellectual property and pending M&A deals. Indeed, it is often easier for cybercriminals to steal information from law firms than from corporations because they tend to be slower than most at adopting advanced security measures. With an enterprise-grade messaging and collaboration platform, legal counsels and solicitors can gain immediate, private access to fellow professionals, clients and third parties via their own personal devices to help arrive at decisions faster and achieve better results.
This type of platform is highly adaptable, blending a familiar customer experience with assured privacy, centralised IT administration and enterprise-class security. Legal professionals can rest easy knowing colleagues are communicating internally or with clients risk free via a secure, fully-compliant messaging platform.
Professional services

Professional services companies such as accountants, insurance companies and business consultancies regularly need to share confidential information with their clients and suppliers. They therefore need messaging and collaboration with end-to-end encryption to safeguard privacy and prevent data leakage. They also need to be able to grant external agencies authenticated short-term access to the messaging platform for secure collaboration on temporary projects. No single application currently delivers all of this. Nor do businesses own the data itself, which complicates their ability to fulfil regulatory compliance obligations.

Engineering field services

IT, telco, utility, energy and other services suppliers can use enterprise-grade messaging and collaboration to enhance helpdesk efficiencies. For example, it enables support staff to collaborate securely with service engineers in the field and allows them to share paperwork, images and expertise regardless of mobile device or operating system. In this way service teams can work jointly on tasks, reduce average problem diagnosis times and increase the proportion of customer site call-outs that are resolved in a single visit. Real-time messaging and collaboration between field workers and support colleagues has further benefits. For instance, system outage updates or unplanned schedule changes can be shared in real time, while orders for replacement parts can be processed immediately. Exchanges of views on confidential issues can be made in the full knowledge that there is absolute privacy and that compliance is assured.

Retail

The retail industry is a favorite target for attackers. No retailer wants to be the one who’s sorry for a customer data breach or for failing a PCI-DSS compliance audit. Every year much time and effort is spent trying to lock down all communications. One communications channel, however, is especially challenging to control.
That channel is the dozens, if not hundreds, of cheap or free cloud apps that employees have downloaded onto their personal devices – known in tech circles as shadow IT. On top of this, retailers regularly hire large numbers of temporary staff to help them through busy times of the year. Too many workers, temporary or otherwise, think nothing of exchanging sensitive database information with colleagues via cloud-based messaging accounts, uploading the data to personal mobile devices, sharing passwords and so on. The risk of a customer data breach is palpable.
An enterprise-grade messaging and collaboration platform ensures such communications remain secure by making sure every conversation or group chat has its own private, encrypted channel. Conversations and information exchanges are protected with advanced data encryption on the device, while in transit and in storage. All data passing over the platform can be stored in a central encrypted database owned by the organization that acts as a virtual vault. Content in the vault can be viewed and inspected internally by authorized parties for compliance audit purposes. IT administrators have full control of the platform via a centralized admin console. This allows them to manage such issues as policy-setting or role-based permissions, as well as integration with other enterprise systems, database activity monitoring and message push notification services.

Healthcare

Popular cloud-based messaging apps may be putting patient confidentiality at risk. In surveys, up to 65% of doctors have used text messages to send patient information, while 46% have sent pictures involving patients to colleagues. A third (33%) of doctors had used app-based messaging services to share clinical information about patients, with some forgetting to delete the details afterwards. In an environment governed by an enterprise-grade messaging and collaboration platform, healthcare CISOs can rest easy knowing doctors and other health professionals can communicate internally or with patients securely and privately using their own personal devices. Centralized administration gives the IT support staff full control over data exchanges regardless of the devices being used. The result is a highly flexible and extremely cost-effective way to boost organizational productivity while adhering to compliance obligations such as HIPAA.
Logistics

Private, instant communications are a tremendous boost for the logistics industry. Goods shipments can be monitored every step of the way. Integration with inventory tracking and warehouse management systems triggers real-time alerts of shipment problems or delivery delays. Delivery drivers out on the road can instantly collaborate with warehouse managers using any device or operating system to resolve issues, ensuring no time is wasted coordinating a response. Decisions and schedule changes that arise in transit can be immediately shared with colleagues in the supply chain in the form of chat, voice and video updates.

Construction

Protected messaging and collaboration allows construction companies to streamline the effort spent preparing project bids. Information such as cost estimates, risk assessments, planning permissions and availability of plant/labor can be gathered more speedily, thereby increasing the number of projects bid for. Enterprise-grade collaboration provides a more secure, feature-rich alternative to SMS texting. Employees can share files securely via their workstation or their own device. The ability to examine drawings, to-do lists, contracts and photographs immediately in mid-chat is a far more productive, cost-effective way to communicate.
5 Principles of secure messaging & collaboration

A successful enterprise-grade messaging and collaboration platform is built on five essential principles. The key criteria are: security; privacy; control; compliance; and a friendly customer experience.

Security

Consumer-grade messaging apps are popular with employees because they are convenient and easy to use. Some do have security features, most notably end-to-end encryption. However, this on its own is a far cry from the comprehensive security measures demanded by enterprise CISOs. CISOs talk about 256-bit symmetric AES encryption and Elliptic-curve Diffie-Hellman public key exchange as a basic minimum requirement. They also want messaging platforms to scan for malware in real time and to integrate with third-party solutions for additional layers of security. Security officers are also concerned that records of confidential data exchanges between coworkers on their own personal devices should not reside on the device. They also want controls that give them the option to lock down the device remotely if the need arises. Another desired security feature is some form of cognitive behavioral monitoring or abnormality detection of trigger keywords and phrases in documents to flag potential breaches. Finally, for comprehensive security the data should reside on a searchable, encrypted database on the organization’s own premises that acts as a virtual safe. The latter has the additional virtue of assuring the long-term privacy of sensitive or confidential information. The data can even be retrieved by authorized personnel and checked during compliance audits at a later stage.

Privacy

The best way for an enterprise-grade messaging and collaboration platform to safeguard privacy is for a separate secure, encrypted channel to be automatically allocated to every chat or group chat. Authenticated outside third parties may be invited to join, but they can only view/contribute to conversations that directly concern them. This ensures only genuine parties are able to participate and helps maintain security and privacy at all times.
Privacy should be further assured by encrypting the data while on the device, in transit and in storage. If possible, privacy controls should be flexible enough to allow privileges to be enhanced or decreased in line with fast-developing situations. Everyone knows that cloud-based apps downloaded from the Google or Apple stores are wide open. It’s therefore not a good idea if the platform has to send data to the cloud in order to read shared documents. For this reason it’s best that any corporate messaging and collaboration platform should have its own notification system. For the same reason the system should also have its own reader for viewing Microsoft documents, PDFs and images, acting as a sandbox that nullifies any viruses or other malware hidden by attackers in these files.

Control

The single most important principle of an enterprise-grade messaging and collaboration platform is the amount of centralized control it affords to the IT department. For optimized control of information exchanges, it is recommended that platform management and data storage in encrypted form should be located on the organization’s premises, behind the corporate firewall. Controls should enable IT professionals to take charge of policy setting so that the risk of sensitive information exchanges across the platform becoming compromised is eliminated and regulatory compliance obligations can be met. It is desirable for the platform to have APIs to connect it to the organization’s existing systems and platforms. For instance, integration with Active Directory or LDAP systems allows easy management of user credentials and group-level policies. A true enterprise-grade messaging and collaboration system should have a centralized console to allow IT support staff to manage a wide range of variables, from policy setting and role-based permissions to database activity monitoring and message push notification services. The system must be capable of managing large-scale deployments comprising many thousands of employees, each with multiple devices connected at the same time. Flexible deployment is also desirable, so as to offer a technical and exacting customer demographic a choice between Software-as-a-Service, on-premise or hybrid deployments.

Compliance

If the organization has no control over how company confidential information is shared or stored, then it is impossible to know if the process used was sufficiently secure or compliant. To meet compliance obligations it is imperative that organizations retain full ownership of the data exchanged. Provided it is stored on in-house servers, the system should allow the encrypted data archives to be retrieved and decrypted for inspection by compliance teams.
The reason is self-evident. In spite of moves in the U.S. to repeal the Federal Communications Commission’s privacy rules, the long-term regulatory climate worldwide is likely to get tougher. At least one new compliance standard – the EU General Data Protection Regulation (GDPR) – will likely have a global impact. GDPR reflects the EU’s view that data protection is a human right. It will apply whenever organisations, regardless of their geography, handle data about EU individuals or the data has the potential to identify individuals that are living and working in the EU. Organizations that fail to comply can be fined up to Euros 20 million (USD 21 million) or 4% of their worldwide revenue. The EU also has plans for messaging and collaboration apps. In 2016 the EU proposed extending the scope of existing telecoms regulations. The aim is to update the current framework surrounding the encryption, security and confidentiality of text, mobile and landline calls. In future, web companies that provide voice calls and instant messaging services over the Internet will also have to comply.

Friendly customer experience

This last principle is the one most often overlooked. Enterprise-grade platforms are generally regarded with suspicion by employees. Often it’s because they fear the familiar, friendly experience found in consumer-grade apps will be sacrificed in favor of more corporate priorities such as compliance or security. If this is allowed to happen it can have a serious impact on levels of engagement. An enterprise-grade messaging and collaboration system has two customers – the corporate client and the employee (who is in effect the consumer). This means the platform must be intuitive and easy to use, helping to increase productivity by providing access to internal and external systems and other apps, as well as allowing people to communicate both internally and externally. It’s important that the group chat environment is familiar and easy.
Productivity and collaboration is enhanced plus there is the added confidence of knowing conversations are secure and private. Another way to boost employee engagement is to adopt a platform that allows the organization to add its logo and corporate identity.
Conclusion & recommendations

This paper concludes that the messaging and collaboration market is crowded and confused. The market is saturated with a variety of solutions from Internet messaging giants and from specialized startups, each providing a wide variety of features and functionality targeted at basic consumer messaging (at the low end) to sophisticated fully-functional enterprise collaboration systems (at the high end). Up to this point, no single solution has laid claim to delivering an all-round platform that meets the primary enterprise objectives of security, privacy, and control. Nor have they offered an easy way for enterprises to manage BYOD messaging so that it satisfies compliance obligations and presents a customer-friendly experience. At the same time, there is mounting evidence that corporations have a significant challenge on their hands with their employees sharing sensitive information via cloud-based apps. And the problem is growing exponentially. Already around three billion people use consumer-grade group-messaging and collaboration platforms. A Nielsen study found that 97% do so in the workplace and of these, 75% have admitted to sending important and confidential work-related documents, and 87% indicated their employer has no group-messaging policy or solution for the workplace. Messaging in the enterprise, according to Radicati, is growing at a higher rate than its use for consumers. Gartner predicts that, by 2018, 50% of all communication in the workplace will occur as a result of increased use of mobile group collaboration apps. CISOs are aware that BYOD messaging presents fresh vulnerabilities within the enterprise. It can only be a matter of time before a high-profile data breach or a significant penalty is traced back to inappropriate messaging and/or collaboration. This will be the spur for corporations to invest in further layers of security. When that moment occurs, we will reach the tipping point for the marketplace.

Unfortunately, however, it may be too late for those CISOs whose organization has the misfortune to be among the early victims. And, finally, one of the most difficult challenges with enterprise-grade collaboration platforms has been a lack of employee engagement due to a poor user experience and acceptance. To date, developers of such systems have failed to successfully balance the corporate need for security and compliance with employees’ desire for a familiar, friendly interface on a par with the leading consumer apps. It is yet another reason why corporations are skeptical about the claims of enterprise-grade platforms. Based on the above analysis, as it applies to the potential purchasing decisions, status, and future direction of enterprise-grade messaging and collaboration platforms, we provide the following conclusions:
Secure enterprise messaging and collaboration solutions must:

§ Assure every chat or group chat has its own secure, encrypted channel
§ Provide secure, advanced encryption of data at device level, in transit, and in storage; preferably within a central database that is owned by the enterprise
§ Deliver IT support with a centralized admin interface that enables easy management and control of tasks such as policy-setting, role-based permissions, integration with other enterprise systems, database activity monitoring, and message push notification services
§ Ensure that the organization retains full ownership of the exchanged information archives and demonstrate that the data can be accessed by compliance auditors for inspection
§ Provide a simple and elegant user interface and experience
V1.0