Even when the use of services such as Box, Dropbox, SkyDrive, and other similar services is sanctioned by the IT department, businesses have nearly zero assurance of confidentiality when their employees store documents in the cloud. Not only are there few publicly documented vendor controls, there is no way for a business to continuously audit the cloud vendor’s entire infrastructure and administrative procedures to ensure that documents remain private.
A troubling example was recently brought to light by WNC Infosec (Western North Carolina InfoSec Community), which found that the Dropbox file sharing service opens certain files after they are uploaded.
While it may be fine for individuals to trust cloud vendors with their everyday material, businesses must adhere to a higher security standard if they are to retain control over sensitive data and meet regulatory compliance requirements. What can be done?
Cloud security requirements
In order to enforce corporate security policies in the cloud, IT needs to know (1) who is accessing and sharing (2) what documents (3) in which cloud storage service, and (4) that the cloud provider cannot override policies established by the business or access the data itself.
Here are four steps for implementing a cloud security strategy:
a) Take a risk-based approach: It is not realistic to “secure everything”. Look at business processes and quantify the risk associated with each one, then match them up with an appropriate level of security and controls.
b) Clearly document the policy and communicate it to employees.
c) Make the security solution easy to use, so that employees will not try to circumvent it in order to get their jobs done. The days of forcing staff to accept whatever IT deems acceptable are long gone!
d) Implement content-based security to eliminate the risk of the cloud provider failing to implement proper security protocols and controls.
Putting security in the object
To eliminate risks associated with limited or defective cloud provider security, businesses are being forced to consider different security constructs, in particular embedding security into the object (data) itself. This approach renders security portable and helps reduce or even eliminate concerns about the integrity of the infrastructure where the data is being housed. It also provides more flexibility by allowing companies and their employees to use the cloud storage service that best suits their needs.
The most fundamental element of this approach is to encrypt the content. Without encryption it’s next to impossible to protect the data from various snooping techniques. However, in order to be effective, the encryption system must satisfy four core requirements.
1. Encryption must be applied to the content, not to the container. Examples of container-based encryption are disk encryption (that is, encrypting anything written to a disk drive) and IPsec VPNs (encrypting anything pushed into a virtual tunnel). Applying encryption to the content means applying cryptography directly to a file or other data object at the source.
2. Encryption must be end-to-end, meaning it must be applied as the content is created and prepared for transmission to the cloud. If any of these elements are missing, security gaps and vulnerabilities will exist.
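The two requirements above, sketched as an added example that is not taken from the article or from any vendor: each document is sealed on the client before upload, so the storage service only ever holds an opaque blob. AES-256-GCM, the function names and the sample object name are assumptions made for illustration; the article does not name an algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newAEAD builds AES-256-GCM from a 32-byte key held by the business, never by the provider.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealObject encrypts one document at the source; name is bound as associated data. Returns nonce || ciphertext+tag.
func SealObject(key, plaintext []byte, name string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// OpenObject authenticates and decrypts a blob fetched back from any storage service.
func OpenObject(key, blob []byte, name string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob is %d bytes, shorter than the nonce", len(blob))
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	key := make([]byte, 32) // constructed demo key; generated and kept on the client
	rand.Read(key)
	blob, err := SealObject(key, []byte("constructed sample document"), "finance/q3.txt")
	fmt.Printf("uploaded blob (all the provider ever sees): %x, err=%v\n", blob, err)
}
```

Because the protection travels with the blob, the same sealed object can be moved between storage services, and a blob that is modified or stored under a different name fails to open.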