Business is increasingly taking place outside the corporate firewall. Employees are using their own devices and turning to consumer-grade cloud file sharing services to allow for access across multiple devices and to collaborate with each other or with outside partners, consultants, prospects, and clients.
Even when the use of services such as Box, Dropbox, SkyDrive, and other similar services is sanctioned by the IT department, businesses have nearly zero assurance of confidentiality when their employees store documents in the cloud. Not only are there few publically documented vendor controls, there is no way for a business to continuously audit the cloud vendor’s entire infrastructure and administrative procedures to ensure that documents remain private.
A troubling example was recently brought to light by WNC Infosec (Western North Carolina InfoSec Community), which found that the Dropbox file sharing service opens certain files after they are uploaded.
While it may be fine for individuals to trust cloud vendors with their everyday material, businesses must adhere to a higher security standard if they are to retain control over sensitive data and meet regulatory compliance requirements. What can be done?
Cloud security requirements
In order to enforce corporate security policies in the cloud, IT needs to know (1) who is accessing and sharing (2) what documents (3) in which cloud storage service, and (4) that the cloud provider cannot override policies established by the business or access the data itself.
Here are four steps for implementing a cloud security strategy:
a) Take a risk-based approach: It is not realistic to “secure everything”. Look at business processes and quantify the risk associated with each one, then match them up with an appropriate level of security and controls.
b) Clearly document the policy and communicate it to employees.
c) Make the security solution easy to use, so that employees will not try to circumvent it in order to get their jobs done. The days of forcing staff to accept whatever IT deems acceptable are long gone!
d) Implement content-based security to eliminate the risk of the cloud provider failing to implement proper security protocols and controls.
Putting security in the object
To eliminate risks associated with limited or defective cloud provider security, businesses are being forced to consider different security constructs, in particular embedding security into the object (data) itself. This approach renders security portable and helps reduce or even eliminate concerns about the integrity of the infrastructure where the data is being housed. It also provides more flexibility by allowing companies and their employees to use the cloud storage service that best suits their needs.
The most fundamental element of this approach is to encrypt the content. Without encryption it’s next to impossible to protect the data from various snooping techniques. However, in order to be effective, the encryption system must satisfy four core requirements.
1. Encryption must be applied to the content, not to the container. Examples of container-based encryption are disk-based (that is, encrypt anything written to a disk drive), or IPsec VPNs (encrypt anything pushed into a virtual tunnel). Applying encryption to the content involves applying cryptography directly on a file or other data object at the source.
2. Encryption must be end-to-end, meaning it must be applied as the content is created and prepared for transmission to the cloud. If any of these elements are missing, security gaps and vulnerabilities will exist.
3. Encryption must be properly implemented. Even with the recent NSA revelations, there is no evidence that core encryption technologies are vulnerable. What is clear however is that if encryption is not properly configured, or if weaker options are used, data privacy cannot be guaranteed.
4. Key management must be both secure and operationally viable. It is a well-known fact that key management is the most difficult aspect of implementing encryption. Carefully research the operational workings of the technology chosen, and ask to speak privately to other companies who have used the candidate products.
Beyond encryption, content-based security can include a variety of other controls. Documents can be given an “end of life”, or timeframe beyond which the content can’t be opened. Modification and access to the file can be logged and reported back to the owner. Also, encryption key adjudication can be used to unlock content under emergency conditions, without the consent of the document owner. This can be critical during a security investigation, or if someone leaves the organization.
The onslaught of cloud and BYOD is forcing organizations to rethink and retool data security systems to regain control. By attaching security to the content, it’s possible to secure and audit data in the cloud regardless of the cloud-based storage and collaboration service being used.