Protecting Intellectual Property in the Cloud
By Asaf Cidon, Founder and CEO of Sookasa, California, United States
As intellectual property (IP) becomes the heart of the global economy, collaboration is becoming increasingly important.
For most corporations, research organizations and other institutions, that means turning to the cloud. In many cases, the cloud makes mobile work and collaboration easier, offering unprecedented advantages in terms of storing and syncing information across multiple devices. The cloud makes sharing information seamless, boosts productivity and unchains people from their physical offices, enabling cross-border coordination and easy access to files and the insights they contain. According to the RightScale 2014 State of the Cloud Report (www.rightscale.com), nearly 90 percent of businesses already use the cloud, and that number is only expected to grow. Clearly, the cloud is here to stay.
But for those who work with intellectual property (IP) and need to secure it, these cloud computing trends may raise concerns. After all, part of the cloud’s magic is the necessary proliferation of data across devices and collaborators – which means relinquishing considerable control. And when your life’s work entails handling confidential product designs, source code, patents, or trade secrets, the last thing you want is vulnerabilities caused by inadvertent leaks or malicious actors in the cloud. The value of IP means the stakes are already high. The cost of patent disputes – especially in the technology sector – can be stratospheric.
Identifying and mediating risks
The key to using the cloud confidently and to harnessing its power to advance new IP is to take charge of what you can control. This really comes down to implementing safeguards and security. In fact, the cloud provides a way not only to share knowledge, but also to protect IP.
When it comes to IP, embracing the cloud is a double-edged sword. It allows the collaboration that business needs, but at a potential risk to sensitive IP information. Every industry is subject to data breaches, and many companies that fall victim are attacked at random by cybercriminals stripping large amounts of usernames, passwords, credit card numbers, or other private information from their databases for quick financial gain. But intellectual property is explicitly desirable. More than a quarter of cybercriminals are intellectual property spies according to Verizon’s 2014 Data Breach Investigations Report (www.verizonenterprise.com). Malicious actors targeting IP are looking for something more specific than numbers or logins – and they know how to get it.
Malware and phishing are by far the two biggest threats when it comes to data breaches at large, but these techniques only get cybercriminals so far, perhaps because they generally come from outside the organization. Another Verizon study from 2012, DBIR Snapshot: Intellectual Property Theft, found that IP spies are more sophisticated, and perhaps even more malicious. In fact, the study found that nearly half of all IP data breaches involve current or former employees, especially in industries such as manufacturing, finance, technology, and government. Moreover, the single biggest reason for IP breaches is the abuse of system access and privileges. In other words, confidential IP tends to leak because of people who have access to information they should not be authorized to see; have retained access after they have left the company or project; or are colluding with an outside criminal or hacker.
User error, however, is not always malicious. Employee negligence is a top concern across many industries, especially as the cloud becomes more and more prominent. For example, take the issue of file synchronization: The cloud allows for syncing across devices, which in turn allows you to access your clients’ patents or blueprints on your smartphone or tablet while traveling or working from home. In many respects, this is a boon: you are able to be more productive, as well as more responsive, even when you are not in the office.
But say you leave your tablet in a taxi, with a company’s trade secrets accessible on it through your email or in your downloads folder. If the tablet falls into the wrong hands and its contents are disseminated to a competitor, your client’s work is essentially rendered useless. A 2012 survey by Microsoft found that nearly 70 percent of professionals nationwide use their personal mobile devices, and with them the cloud, for work, whether or not their companies allow it (http://blogs.microsoft.com/cybertrust/). That being so, there is no doubt that some devices will be lost, email accounts will be left open, and attachments will be sent accidentally. But if all files are encrypted – whether they are in a cloud folder, in a secure link in an email, or downloaded – it does not matter who finds the tablet in the taxi. If they are not authorized to read the files, they simply cannot.
How can the cloud help prevent intellectual property theft?
The cloud brings risks, but also a big potential silver lining in terms of security: not only are there feasible ways to protect your information, but the cloud may actually prove safer than traditional network servers, which are disproportionately targeted in attacks.
According to Verizon, at least half of all IP theft involves companies’ database servers and file servers. These are more frequently compromised than documents, staff members, emails and web applications, among other company assets. In light of this, a first instinct might be to simply build bigger and better firewalls to provide those servers with additional protection. But another approach would be to remove protected data from the servers altogether and move it to the cloud.
Using cloud-based storage for all your IP information may actually enhance its protection. As a result, your company can remain assured of its security while being able to embrace all the benefits the cloud provides. With appropriate safeguards, IP data stored in the cloud will be safer than on any single physical network. The key to secure cloud-based storage is encryption.
Encrypting data at the file level means it is always encrypted from before it reaches the cloud to after it leaves it. This means that only you and the users you authorize will be able to decrypt the files.
In contrast, it is often not practical to encrypt traditional databases. They are in constant use, and sensitive content is effectively decrypted each time it is accessed, because the key is ever-present. This is not the case with the cloud, where the right solution will keep your IP data separate from encryption keys. In consequence, neither the cloud provider nor the encryption provider can access your data – only you can – ensuring strong security hygiene.
Not only does file encryption ensure security in the event of a breach, it also means that you, your colleagues and clients can share and sync files without putting them at risk, making collaboration and communication seamless. Imagine sharing folders full of sensitive files, keeping all the information your team needs close and safe.
A major advantage of encryption and the ability to control who can decrypt the data is that administrators can provide access on a need-to-know basis. We have already seen how detrimental misuse can be; but if an employee or team member cannot snoop around on a server because he or she cannot open encrypted files, the likelihood of theft decreases dramatically.
Finally, security solutions layered onto the cloud also allow you to maintain a thorough audit trail. The ability to monitor your encrypted files, knowing which users accessed them and when, is key to preventing breaches and theft. If an unauthorized user – whether from inside or outside your organization – gains access to IP data that he or she should not have access to, you will know it and can stop the attack early. Being able to revoke access to people no longer involved in a project, or to lost devices, is also vital. An ex-employee could still access files emailed to a personal account or saved on a home computer unless you take steps to prevent them.
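An added sketch of the file-level model described in the preceding paragraphs (not code from the article or from any product): files are encrypted with AES-256-GCM before upload, while a separate key service grants keys per user, logs every request and supports revocation. `KeyService`, its methods and the file and user names are hypothetical, and the in-memory map stands in for real key storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyService (hypothetical) holds file keys apart from the cloud storage provider.
type KeyService struct {
	grants map[[2]string]cipher.AEAD // {user, file} -> cipher keyed with that file's key
	Audit  []string                  // one entry per key request
}
func NewKeyService() *KeyService { return &KeyService{grants: map[[2]string]cipher.AEAD{}} }

// Protect encrypts data before upload and grants the file key to the named users.
func (s *KeyService) Protect(file string, data []byte, users ...string) []byte {
	buf := make([]byte, 44) // 32-byte key followed by 12-byte nonce
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(buf[:32]) // a 32-byte key is always accepted
	gcm, _ := cipher.NewGCM(block)
	for _, u := range users {
		s.grants[[2]string{u, file}] = gcm
	}
	return gcm.Seal(buf[32:], buf[32:], data, nil) // nonce || ciphertext || tag
}

// Open logs the request, then decrypts only if the user still holds a grant.
func (s *KeyService) Open(user, file string, blob []byte) ([]byte, error) {
	gcm, ok := s.grants[[2]string{user, file}]
	s.Audit = append(s.Audit, fmt.Sprintf("user=%s file=%s allowed=%t", user, file, ok))
	if !ok || len(blob) < 12 {
		return nil, fmt.Errorf("%s may not decrypt %s", user, file)
	}
	return gcm.Open(nil, blob[:12], blob[12:], nil)
}

// Revoke withdraws a grant, e.g. for a departed employee or a lost device.
func (s *KeyService) Revoke(user, file string) { delete(s.grants, [2]string{user, file}) }

func main() {
	ks := NewKeyService()
	blob := ks.Protect("design.dwg", []byte("constructed sample"), "alice", "bob")
	ks.Revoke("bob", "design.dwg")
	fmt.Println(ks.Open("bob", "design.dwg", blob)) // denied after revocation
}
```

Only the blob returned by `Protect` would be stored with the cloud provider; a copy of it on a lost device or in a personal mailbox stays unreadable once the grant is revoked.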
Deploying file-level protection not only protects the data itself, it also reduces overhead on the cloud servers, so you can work with encrypted documents quickly and easily.
In short, the cloud can provide myriad advantages in storing, sharing and collaborating on IP projects. However, with the cloud come vulnerabilities that must be properly preempted. But with the right type of encryption, it is easy to protect your files and to authorize only those users who are meant to see them.
In many ways, IP moves the world forward, and the world is moving fast. But it can only drive the growth of the international economy if it becomes simple, even seamless, to collaborate on the most challenging questions facing our world. A secure cloud can make it easier for people to work together and help the world move forward one good idea at a time.
The WIPO Magazine is intended to help broaden public understanding of intellectual property and of WIPO’s work, and is not an official document of WIPO. The designations employed and the presentation of material throughout this publication do not imply the expression of any opinion whatsoever on the part of WIPO concerning the legal status of any country, territory or area or of its authorities, or concerning the delimitation of its frontiers or boundaries. This publication is not intended to reflect the views of the Member States or the WIPO Secretariat. The mention of specific companies or products of manufacturers does not imply that they are endorsed or recommended by WIPO in preference to others of a similar nature that are not mentioned.