Main Nav

Have anyone looked at the new SkyDrive Sync app for your PC. It allows remote access to all your shared folders including network shares from any browser. This seems to have a huge security implication  Any thoughts.

 

 

Bruce Marshall

Manager, Network/Server Systems

Valencia College

Orlando, Fl  32811

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

it does provide access to your shared folders...

 

I've been testing/using TrueCrypt. I created a 2gb TrueCrypt blob and deposited it on Skydrive.

 

When using TrueCrypt, you can open the TrueCrypt container that was deposited on Skydrive direct and was able to put files therein with no issues.

 

FYI...I've done the same with Google Drive and Dropbox and works equally well.

 

Regards,

 

Jim

 

James M. Dutcher - Chair - SUNY Council of CIOs

SUNY Cobleskill - CIO: PMP, CISSP, SCP/Security+, CISA

EMail : dutchejm@cobleskill.edu

EMail : jim@dutcher.net (personal)

Office: (518) 255-5809

Cell  : (518) 657-1056 (work)

Cell  : (607) 760-7455 (personal)

Skype : james_dutcher

http://www.cobleskill.edu

 

 

 

 

So, I guess in my mind, this raises the question of what we are trying to protect vs. what we should protect.  The User's information, or the Institution's information?  Perhaps both?

While it's great you can use TrueCrypt or other encrypted virtual drives in these various "Cloud" based storage solutions, that seems at first blush to only protect the users information, not the Institutions.

So, if we can teach an end user to user TrueCrypt of similar technology with whatever CloudDrive service, their personally saved data is definitely more secure.  This is a good thing!

However, let's say we have a 'bad egg' who is harvesting sensitive information and storing it in a Cloud Based Encrypted file to hide it from the Institution (for whatever reason).  Has anyone considered or have had to deal with that scenario yet?  From ANY cloud based storage provider?

It just seems to me that such user based cloud storage systems have some major security risks that most institutions aren't fully considering yet, and are soley focusing on the potential user benefits.  Granted, most organizations also can't stop a user installing and using TrueCrypt or other such software on other devices, but I guess crypto like most things, can be used for good or bad purposes.  Using Cloud Based storage, particularly personal ones like DropBox, seem to open a large security hole... and I doubt very many College's can block DropBox per policy.

Just curious what others are doing....


On 5/1/2012 8:28 AM, Dutcher, James M wrote:

it does provide access to your shared folders...

 

I've been testing/using TrueCrypt. I created a 2gb TrueCrypt blob and deposited it on Skydrive.

 

When using TrueCrypt, you can open the TrueCrypt container that was deposited on Skydrive direct and was able to put files therein with no issues.

 

FYI...I've done the same with Google Drive and Dropbox and works equally well.

 

Regards,

 

Jim

 

James M. Dutcher - Chair - SUNY Council of CIOs

SUNY Cobleskill - CIO: PMP, CISSP, SCP/Security+, CISA

EMail : dutchejm@cobleskill.edu

EMail : jim@dutcher.net (personal)

Office: (518) 255-5809

Cell  : (518) 657-1056 (work)

Cell  : (607) 760-7455 (personal)

Skype : james_dutcher

http://www.cobleskill.edu

 

 

 

 

We are just beginning to look into how to provide remote access to our systems from a secure non college owned device. I am not fond of allowing syncing to a skydrive, for numerous reasons. Has anyone heard of a way to install a version on the local servers for access? We might begin building our own.

 

 

Regards,

Jesse

 

 

 

Jesse Lunt

Network Services Manager

Saint Joseph College

Asylum Avenue | West Hartford | CT | 06117

(o) 860-231-5283

(m) 413-464-2346

 

 

I agree, I am also not good with the syncing of the users network drives and being available from anywhere with no more security whatever userid/password the decided to create the account with. There would be no audit trails and no way to know what user was in at what time. I am less concerned with the way Dropbox works then SkyDrive with access to all the shares. Has anyone looked at ways to not allow the syncing or other means to prevent this. I know it is new but I fell this can be a giant security hole for the colleges. The advantage of VPN is that you can maintain an audit trail of access. Even Microsoft’s Direct Access can maintain security based on AD authentication.

Bottom line, this seems to be to be a big security hole for all of us to deal with.

 

Bruce Marshall

Valencia College

 

 

 

Dropbox can be blocked via the firewall. The desktop clients can be limited with some antivirus suites and by removing any elevated permissions from users. I would be just as concerned regardless of the software package as it does not separate personal from corporate data, so if someone had any FERPA/HIPPA/HITECH data saved locally and by accident saved it to their Dropbox/SkyDrive folder, now this data is available on any device there account is syncing with. What I keep seeing is a stance of we don’t do that, well guess what it only takes once.

 

 

 

Patrick Goggins

Senior Systems Administrator

University of Wisconsin - Green Bay

 

 

 

A growing concern for us is to keep up with what our students and faculty want but allowing it in a secure manner.  What are your thoughts with an on premise solution like iFolder or VM Octopus? I feel this way at least we would have some control over the security.

 

Jesse Lunt

Saint Joseph College

 

One man’s opinion- they generally want what they want, not an alternative. Either accommodate the real deal or not, but the ‘we’ll provide that for you instead of what you really want’ can be a tough sell.

 

Lee H. Badman

Wireless/Network Engineer

Information Technology and Services

Adjunct Instructor, iSchool

Syracuse University

315 443-3003

 

 

Doesn’t TruCrypt create an encrypted “blob” based on the size of the “partition”?  By that, I mean isn’t it always the same size whether there is data in the truCrypt “drive” or not because of the noise?  I know TruCrypt is the standard, but there must be something that encrypts just the files as they get placed in the cloud rather than writing a multi-GB file for something small.

 

These questions aren’t rhetorical.  I am aware of TruCrypt, but haven’t used it so I’m trying to understand the pros/cons.

 

Thanks,

Brian

 

Yup...the blob is static in size...so there is not yet functionality on dynamic space allocation within TrueCrypt...

 

The size limits on the "free" Skydrive, Google-Drive, and Dropbox are also limited so the trade-off is not as limiting overall if using TrueCrypt, Winzip or any other encrypted blob-creation solution

 

Regards,

 

Jim

 

James M. Dutcher - Chair - SUNY Council of CIOs

SUNY Cobleskill - CIO: PMP, CISSP, SCP/Security+, CISA

EMail : dutchejm@cobleskill.edu

EMail : jim@dutcher.net (personal)

Office: (518) 255-5809

Cell  : (518) 657-1056 (work)

Cell  : (607) 760-7455 (personal)

Skype : james_dutcher

http://www.cobleskill.edu

 

 

 

 

Message from sbarnhart@esue.ohio-state.edu

You can set the blog to be dynamically sized and if you uncheck the “Preserve time stamp” option in the TrueCrypt preferences, Dropbox et. al will only sync the changes, it won’t have to reupload the entire file everytime.

 

Steven Barnhart

Systems Specialist

Enrollment Services & Undergraduate Education

The Ohio State University

sbarnhart@esue.ohio-state.edu

 

good tip...thanks for sharing!!!

 

Regards,

 

Jim

 

James M. Dutcher - Chair - SUNY Council of CIOs

SUNY Cobleskill - CIO: PMP, CISSP, SCP/Security+, CISA

EMail : dutchejm@cobleskill.edu

EMail : jim@dutcher.net (personal)

Office: (518) 255-5809

Cell  : (518) 657-1056 (work)

Cell  : (607) 760-7455 (personal)

Skype : james_dutcher

http://www.cobleskill.edu

 

 

 

 

Message from avoelker@email.wcu.edu

I’m actually looking at ways to integrate this into lab images in a secure fashion.  Our labs run deepfreeze and log in with AD credentials to the Windows live cloud.  I’m looking for ways to dump that authentication into the application so it automatically mounts.  This a piece of cake in windows 8, but not in 7.  It seems like it would be great for students to get away from those flash drives that keep dying/getting lost/forgotten.  It’s the floppy disk dilemma all over again.

 

The shared files are a security concern, but it does give you the option in the setup to uncheck this feature. We just need to educate as many students as possible how this operates and of its security implications.

 

-- Andy Voelker

Manager of Student Computing in the Technology Commons

WCU Staff Senator

Western Carolina University

Check the status of your IT requests at any time at http://help.wcu.edu/ !