MIT xPro – Professional Certificate in Cybersecurity, November 2022
Organizations today need to be very adaptable and look at a holistic, global, and extensive picture; gone are the days of on-premises email and document services, replaced instead by the cloud, SaaS (Software as a Service), and newer platform-as-a-service offerings. The short version is that these services require you to have a “device” and a connection to the internet.
I personally view cybersecurity, IT, and others in the organization as needing to have an essential shared responsibility. In this case, I would assume that my future organization is heavily engaged with Google’s entire SaaS offering, including Google Drive and Docs.
For the functional goals, we have to ensure that you and your organization have a solid foundation: a working “device” and a stable connection to the internet and the cloud app. This is where security starts; every “device” should have some EDR (Endpoint Detection and Response) to ensure that the device is not compromised. The device and network need a VPN and SSL to ensure there is no man-in-the-middle attack or network intercept. These foundations are typically assumed by the end user(s). In my experience, most end-users want to click, and it works! In the years since Apple’s launch of the iPhone and iOS, today’s users are fortunate, and there is virtually no waiting for days for replacement equipment and repairs. Together this is the A in the CIA triad, Availability. However, we trust that the cloud provider works on the same availability model and is always operational.
Confidentiality and Integrity are where we must put more trust in the cloud service (Google) than we do for availability. Today’s professionals should not fully trust the cloud but should approach it with a trust-but-verify model. In the news lately, we hear of data breaches at supply chain vendors using AWS; as more users move to the cloud to reduce capital expenditure (CapEx) at the price of higher operating expenditure (OpEx), the target shifts from your network to the cloud. In these cases, the breach is mainly caused by a misconfiguration of security after the move to the cloud. QA and security review are needed, from both internal and external sources.
Testing and verification are heavily needed in all organizations and for individuals; I personally use and pay for Google Drive to store data to share with friends and family. I often review what I have shared and with whom, and I have removed access when those files are no longer needed or valuable.
Sharing has been a concern since the beginning; you never know who is around the intended recipient when they receive the message. You can always mistype the recipient and only realize it much later. Two events taught me this lesson the hard way: I outed my best friend to his father, as they had used similar emails; and I told someone else I wanted to procreate with their friend while that person was standing over their shoulder. While these are extreme examples, they do make the point about sending a document to an untrusted email recipient. Thinking about this in depth, the US Patent Office still requires faxes; the assumption is that this prevents them from being redirected to the wrong person and losing IP. Medical offices restrict sending out medical information via email, and millions of dollars are spent on secure systems so as not to lose this information to third parties; the examples are endless.
What happens if you share the document with an untrusted email address? For starters, you lose control of the data and the document: you can’t tell who looked at it, or show who or what changed or interacted with it. The potential harm isn’t defined by who or what looked at it but by the data contained within the document. Losing a cat photo isn’t bad, but what happens if it’s your banking information, PII, or blackmailable material you don’t want anyone else to have?
There is no one answer; cybersecurity needs to be adaptable and changeable, fluid to the ever-changing cyber landscape and the data presented.
The goals and controls are, at the foundation, the same: provide a secure, defendable device and a way to access Google Docs. Trust but verify the device, pathways, and endpoints; audit often; and review what is sent. Educate the end users on the information being sent, and handle your cat photos differently than you handle your selfies and photos of your kids.
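The “audit often, and review what is sent” control above can be partly mechanised. The script below is an added example, not part of the original essay and not anything Google ships: it walks a constructed inventory of files and their sharing permissions (field names modelled loosely on the Drive API’s permission resource, but the files, addresses, trusted domain and 90-day review window are all assumptions) and flags three of the risks the essay describes: link-sharing open to anyone, recipients outside the trusted domain (the mistyped-address case), and shares that have outlived their usefulness. It also produces the list of grants a reviewer would revoke, which is the “remove access when no longer needed” step.

```python
"""Sharing audit over a constructed Google Drive-style inventory (added example)."""
from collections import namedtuple
from datetime import date

# Assumptions for this example: the organisation's own domain and the policy
# window after which every share should be re-confirmed.
TRUSTED_DOMAINS = {"example.com"}
MAX_SHARE_AGE_DAYS = 90

# Constructed sample data. The permission dicts borrow the field names the
# Drive API uses (type / role / emailAddress / domain); nothing here was
# pulled from a real account.
SAMPLE_FILES = [
    {"name": "team-roadmap.gdoc", "sharedOn": date(2022, 10, 1), "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "bob@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"},
    ]},
    {"name": "bank-statement.pdf", "sharedOn": date(2022, 6, 15), "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        # A one-letter typo sends the file to a stranger's personal mailbox.
        {"type": "user", "role": "reader", "emailAddress": "bobb@gmail.com"},
    ]},
    {"name": "cat-photos.zip", "sharedOn": date(2022, 11, 10), "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "anyone", "role": "reader"},  # "anyone with the link"
    ]},
]

Finding = namedtuple("Finding", "file reason grantee")


def permission_domain(perm):
    """Domain a permission grants access to; None for an open 'anyone' link."""
    if perm["type"] == "anyone":
        return None
    if perm["type"] == "domain":
        return perm["domain"].lower()
    return perm["emailAddress"].rsplit("@", 1)[-1].lower()


def audit_file(entry, today, trusted=TRUSTED_DOMAINS, max_age=MAX_SHARE_AGE_DAYS):
    """Return the findings for one file; the owner's own grant is not a share."""
    findings = []
    shares = [p for p in entry["permissions"] if p["role"] != "owner"]
    for perm in shares:
        who = perm.get("emailAddress") or perm.get("domain") or "anyone"
        if perm["type"] == "anyone":
            findings.append(Finding(entry["name"], "anyone-with-link", who))
        elif permission_domain(perm) not in trusted:
            findings.append(Finding(entry["name"], "external-recipient", who))
    # Stale shares are flagged once per file so the reviewer re-confirms them.
    if shares and (today - entry["sharedOn"]).days > max_age:
        grantees = ", ".join(p.get("emailAddress") or p.get("domain") or "anyone"
                             for p in shares)
        findings.append(Finding(entry["name"], "stale-share", grantees))
    return findings


def audit(files, today):
    """Flatten the findings for a whole inventory."""
    return [f for entry in files for f in audit_file(entry, today)]


def revocation_candidates(findings):
    """Grants that should simply be removed: open links and external recipients."""
    return {(f.file, f.grantee) for f in findings
            if f.reason in ("anyone-with-link", "external-recipient")}


if __name__ == "__main__":
    results = audit(SAMPLE_FILES, date(2022, 11, 15))
    for f in results:
        print(f"{f.file:22} {f.reason:18} {f.grantee}")
    print("revoke:", sorted(revocation_candidates(results)))
```

Run against the sample, the roadmap document is clean (internal users and the company domain only), the bank statement is flagged both as shared externally and as older than the review window, and the photo archive is flagged for link sharing. The same logic applies to any export of sharing metadata; the stale-share rule is the one most teams tune, since a 90-day window is a policy choice rather than a technical fact.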