In today’s connected world, protecting sensitive information and data has never been more significant. The cybersecurity landscape has shifted dramatically with the growth of cloud storage services, mobile access to work email, and an ever-expanding remote work environment. When employees download or upload work-related documents from the cloud or their own devices, they may inadvertently expose their organization to an influx of cybersecurity threats.
Soda PDF, an easy-to-use PDF editing software, provides businesses with the tools they need to protect their important information and documents. With Soda PDF, files can be encrypted, password protected, digitally signed and archived, each of which adds a layer of security to your documents.
In today’s world of cybersecurity threats and data leaks, according to one expert, businesses or devices that are connected have most likely already been exposed or, more specifically, hacked. SourceForge recently chatted with Alexandre Blanc, a LinkedIn Top Voice in Cybersecurity who also recently served as Director of Security for Avanquest Software, makers of Soda PDF. Blanc explains the cybersecurity trends, the problems with the cloud, and offers suggestions for securing crucial data as a PDF document.
Q: One quick glance at your LinkedIn profile and it’s obvious; you’re quite the Cyber Security expert! Can you tell me about your professional background and how you became so passionate about security?
A: It’s been 20+ years of IT management, managing servers online since the very beginning, when cloud was not called cloud, and more.
I’ve been hacked many times before, and I did not like it. (Laughs) I also had a bad experience, having to consider my safety and my family’s safety first, which led me to be very, very privacy oriented.
Only under threat does one really understand how exposed we are. I also worked on a project with critical requirements, with very sensitive information, and that was also a great learning experience. When we are in charge of the crown jewels of critical entities, even when it could impact national security, that is when we realize what the challenges are in protecting the assets.
Q: Cyber security is nothing new, however, there seems to always be new threats facing businesses and individuals alike. Is this the new normal?
A: It has always been the norm. It’s just that at first, people did not have connected assets or permanent connectivity. At first it was only IT’s responsibility. Now that we put all our data in technology, and technology has taken control over all our lives and critical operations, for sure the threats grow accordingly.
Criminals, to steal a car, just had to break in and bypass the ignition; nowadays you need to hack some wireless protocols, so all these techniques grow, and they are applicable to everything.
We kind of unified the target and attacks by putting everything in technology.

Q: How can the portable document format (PDF) be used as a means of document security?
A: PDF (…) allows you to share documents, be sure they won’t be modified, and have them readable on most platforms. Yet, it should be signed with PKI to achieve a nonrepudiation goal. When you send a document, you want to prove that what people saw is exactly what you sent (…) which requires digital signatures, which, when added, verify the integrity of the document.
PDFs are less likely to be a threat by themselves, unless they exploit a reader or software vulnerability through specifically crafted content (…) but it’s less likely. (…) PDF is safer by its static nature.
The PDF itself is relatively safe.
Q: In your opinion, what would be the smartest way to protect sensitive data or important documents in today’s remote work environment?
A: Don’t allow these to get out of the infrastructure; allow data handling in a secured environment, encrypted at rest and in transit, with proper governance in place, and a lot of automation to detect infringement.
It depends on the platform. Office 365, for example, if you have it properly implemented, can be a good solution to achieve proper governance. But it’s also a matter of regular training, proper workflows and processes.
The platform is just a tool (…) it’s about due care (…) training, behavior, and technical solutions.
Q: To have the most secure document, would you suggest an encrypted and password protected PDF over an Excel, Word, or something of that nature?
A: It depends. Ideally, even if it’s encrypted, if it’s static I’d prefer PDF. If it’s a static file, it’s less likely to attack you. There are two goals you want to achieve (…) there is confidentiality and integrity.
Confidentiality, which is why we have encryption, is to not let anyone read your stuff. It’s because you want just you and the people you exchange with to read. That’s the only goal of encryption.
And then you have integrity, which involves the nonrepudiation. You want to be sure that the file that you sent to your connection is going to be the one that they are going to be able to see (…) you have a digital signature.
Encryption with password security allows you to achieve that, if you (digitally) sign and you have shown your public and private key. Anyone who sends you something uses that public key to encrypt the file. To decrypt the file, you need your private key.
They will sign with their own public key as well so you know it’s signed and encrypted by them and yours (…) which is the principle of nonrepudiation that I spoke about. So you know that (the encrypted, password protected PDF) is exactly the file that has been sent to you and it’s proven. It’s signed.
(With PDF) you cannot tell someone that they never sent you something. Sometimes we do that with emails. We say: “Well, I never received that email. I’m not aware”. So with an encryption (digital) signature, you cannot say you don’t know.
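The sign-and-encrypt exchange Blanc describes, as an added Go example that is not from the interview or from Soda PDF: the sender signs the document with its private key, encrypts it for the recipient's public key, and the recipient rejects anything whose signature does not verify. The function names, the Envelope type and the sample document are assumptions; RSA-OAEP is applied directly to a short constructed payload, so a real PDF would instead have a symmetric key wrapped this way.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope (assumed name) carries the encrypted document and the sender's signature over the plaintext.
type Envelope struct{ Ciphertext, Signature []byte }

// SealDocument signs with the sender's private key (integrity, nonrepudiation) and
// encrypts for the recipient's public key (confidentiality). RSA-OAEP fits only short
// payloads; a full PDF would have a symmetric key wrapped this way instead.
func SealDocument(doc []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, doc, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// OpenDocument decrypts with the recipient's key, then rejects anything whose signature fails against the sender's key.
func OpenDocument(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	doc, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("rejected: altered or not signed by the claimed sender: %w", err)
	}
	return doc, nil
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)    // sender's key pair
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // recipient's key pair
	doc := []byte("constructed sample: invoice 1, amount 100") // constructed input, not a real PDF
	env, _ := SealDocument(doc, sender, &recipient.PublicKey)
	got, err := OpenDocument(env, recipient, &sender.PublicKey)
	fmt.Printf("recovered %q, error: %v\n", got, err)
}
```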
Q: What’s the advantage to offline storage and how can this be used to curb online storage going forward?
A: The main advantage of offline storage, also called cold backups, is that it can’t be corrupted by an attacker, if it’s not connected. It’s a good way to preserve the data.
You can retrieve this storage when you need it without paying crazy bandwidth fees as well. People forget that the cloud charges for outgoing traffic. The cloud loves to take all your data and make you pay to recover it, which to me sounds a bit like ransomware. It is free to feed the machine, sure, but when you want to restore? The outgoing bandwidth is costly!
The offline storage is a good way to keep your data safe. You should store on encrypted storage and you should place it in a safe and have it in two places. You need to have a risk assessment on that side.
Q: That being said, in your opinion, are companies well equipped today to deal with these threats?
A: Actually, they are. It’s more a matter of implementing the solution and the best practices. One of the principles is called least privilege, which means employees or workers should only be able to run things that belong to their work tasks. No one should run on the system as admin. That’s one of the key points. It’s so complex to deploy, yet it’s such a basic principle.
Another is network segmentation, one of the best practices. You should not have, let’s say, accounting systems on the same network as marketing. Obviously, marketing is exchanging a lot more with external people and accessing more sensitive data than the accounting department so it makes no sense having them on the same network.
And then with remote work, where the actual perimeter is gone, splitting the network and segmenting it is one thing, but it has to be backed by proper governance and these principles: data notary, data classification, and data access control. SMBs are not government, because they don’t have all this confidential stuff, but even so, with the threat landscape and its evolution, we have to be aware of this data classification; otherwise you will not be able to protect your assets.
Q: Since the PDF format can be encrypted, password protected, as well as archived as a PDF/A, would you say these layers of protection only increase the security around PDFs?
A: Yes, adding more layers of security is always good.
It depends on your setup. If you want to have governance over your file, and you are archiving the file, but the archive is blocking the mechanism and the indexing of the file, then the classification doesn’t work and (the file) will fall out of governance. So it depends.
There is no one-size-fits-all. It’s just about the use case. It’s the same with the cloud, same with on-prem. It’s a use case and a risk assessment. Collect risk, likelihood, impact analysis, and from there you decide.
Q: How are virtual drives and other cloud storage services at risk, if at all?
A: As we spoke about earlier, it’s a matter of risk assessment. Cloud storage is as exposed as you let it be. For sure, anybody can try to log on to your account and access your files. Unlike a restricted perimeter, the cloud doesn’t have a perimeter.
The only things that protect your cloud content are your credentials, and the restrictions you put on your content. There is no firewall or network to exploit; it’s straight on the internet, fully accessible by cloud provider staff. Someone guesses your password and they’ll have your files.
If you have multi-factor authentication it’s a bit safer, assuming you did not share your content with “public access” rights; then, no authentication is needed. You’re protected from the external hacker.
If all this is in place, but your restriction on your cloud storage is set to “public”, then it’s wide open and they don’t need to get into your account.
If a cloud provider is hacked, all their customers’ data is gone, and public, unless the customers encrypted it before sending it to the cloud.
Q: Thank you for your time and this critical information. I promise I will keep it secure! Any closing remarks you would like to share?
A: Cybersecurity is a journey; the threat landscape and technology change nonstop, the cloud as well. Long gone are the days of “set and forget”, sadly.
Now it is about staying above the others, and hopefully not being targeted, because we must prepare for the worst and hope for the best.