Steel Bars Around Clouds – Secure Content Protection in Cloud-Based File Sharing Systems
Mar 10, 2015
In the 2014 Frost & Sullivan Cloud User Survey, cloud adopters were asked why they adopted the cloud. The top responses were:
- Improve IT flexibility/agility (cited by 80% of cloud adopters)
- Deliver services and applications faster (78%)
- Improve business continuity/disaster recovery (77%)
- Reduce costs (77%)
- Reduce hardware/software maintenance burden (77%)
File sharing is an application that is conducive to cloud delivery. In a cloud environment, for example in construction, amendments to blueprint files can be made through end-user devices, saved to the cloud, and accessed by others immediately, from any location, and from any compatible device. Also, search can be applied to files to find relevant information quickly. Since cloud-based file sharing (CBFS) is an application, other applications can be integrated onto the platform. Lightweight Directory Access Protocols (LDAP) and enterprise content management (ECM) can be attached through an open interface to CBFS systems to define user access and match users to files.
The implementation of robust security has driven acceptance of CBFS. In the first iterations of digital file handling, security was provided in legacy, on-premises environments. The files resided behind a network firewall and were only available to a remote employee through a virtual private network (VPN). In CBFS, the responsibility for securing the environment where the files reside belongs to the CBFS provider.
A benefit of CBFS service is discrete file control. When a file is created, the creator of the file decides who has access to the file. The file creator decides who will be collaborators and their permissions (e.g., view, edit, and download). For additional end-to-end control, each collaborator must register with the CBFS service and download and use the CBFS service application.
File creation is a finely orchestrated and controlled event. Once the file is created and the originator and collaborators are determined, files can be monitored and audited. During collaboration, the newest file revision is presented first, but a history of each file is kept. When files are created, the files are automatically encrypted. Typically, a 256-bit AES encryption key is used to protect data at rest. The central administrator holds the encryption keys.
The group administrator has visibility over all files. Advantageously, files can be monitored and audited. At any given time, a detailed history of file access is available to prove complaint practices and support forensics investigations. CBFS service providers can combine a data loss prevention (DLP) program or file integrity manager to the files.
To prevent file compromise by malicious actors, CBFS service providers maintain an integrated security environment involving firewalls intrusion detection and preventions systems, and anti-virus/anti-malware detection software. Also, CBFS service providers continuously monitor for file contamination and suspicious log-in activities. In effect, all clients of CBFS services receive the full benefits of the protection mechanisms used by CBFS service provider.
At different times, files can reside in diverse cloud environments (public, private, or hybrid clouds) and in on-premises storage. Widely incorporated in CBFS services is a multi-data center strategy. This strategy benefits companies with high volume requirements or have geographically dispersed locations. Supporting data sovereignty (i.e., data remaining in a specific country or region) is also supported with a multi-data center strategy.
It is important to note that not all CBFS services are equal in security. A differentiating feature among CBFS service providers is industry accreditation. For companies working with the US federal government or in healthcare, their data handling platforms must conform to the appropriate regulations. The CBFS service provider must prove it platforms are National Institute of Standards and Technology (NIST), Health Insurance Portability and Accountability Act /Health Information Trust Alliance (HIPAA/HITRUST) or Payment Card Industry - Data Security Standards (PCI-DSS) compliant.
Chris Kissel offers eleven years of research and sales experience in the network security, cellular infrastructure, wireless, telecomm, PCs, semiconductor, and high-definition consumer device sectors. His current field of studies are in information and network security at Frost & Sullivan. More specifically, Mr. Kissel has expertise in knowledge-based network security technologies.: vulnerability management, SIEM, network forensics, network access control (NAC), and Internet of Things.