Thoughts on Cloud File Synchronization Security
As the Box IPO shows, enterprise cloud file synchronization & sharing (EFSS) is a hot topic. Yet the hottest vendors do not “get” security.
What is Cloud EFSS?
Everybody knows what a file server is. It stores any kind of document an organization needs to work with. As such, its importance is similar to that of email. A file server’s main characteristics are:
- Located on premises
- Reachable over the corporate network
- Directory permissions provide granular control over who can access what in which way
- The files on disk are not encrypted
The file server concept has worked well for organizations over the past decades. However, it does not provide the flexibility required today. Enter the cloud.
My personal definition of cloud EFSS is a file server turned into a cloud service. The beauty of the concept is that no server infrastructure is required on the customer side. The EFSS vendor provides the backend, as with other cloud services. A cloud EFSS’ main characteristics are:
- Located in the cloud
- Reachable over the internet
- Share group permissions provide control over who can sync what
- Data at rest (the files on disk) may or may not be encrypted
Note: This article focuses on cloud only solutions. Depending on your requirements and use case you may want to take a look at private cloud and hybrid products, too.
Cloud EFSS and Security
Cloud EFSS vendors talk at great length about how securely they treat customer data (e.g. Box). They tell you all you want to know about privacy, compliance, auditing, versioning, backup, physical (data center) security and encryption. Reading those descriptions, one could think that your data is even safer in the cloud than on premises.
Vendors who implement the relevant processes well might indeed provide higher protection against common types of data loss than typical on-premises file server implementations. Accidental deletions or backup misconfigurations, to name but two, should be less likely to happen or to cause data loss.
Data Leakage Prevention?
Many people argue that EFSS helps prevent data leakage. That can be true, but there are caveats.
EFSS vendors typically base their DLP implementation on Microsoft’s Rights Management Services (RMS). If enabled, documents sent to the client are encrypted with the target user’s key. With optional editing restrictions this does make it more difficult to pass documents on to others, which may be good from a security point of view but may hinder the user’s workflow, too.
It should be noted that Microsoft’s RMS works best with Office documents. Other file types can also be protected, but are wrapped in encrypted containers that need to be decrypted with the Rights Management App before their contents can be accessed.
Encryption and Key Storage
Some vendors boast about encrypting data at rest in the cloud – which is a good thing. But it is worthless without control over the encryption keys used. If the vendor performs the encryption and has access to the encryption keys, then the vendor can also decrypt the data. It is equivalent to locking the house but leaving the key under the doormat.
Threat #1: EFSS Vendor Has Access
The Box terms of service give their employees permission to access and view your files. Quoting from paragraph 13 (“privacy”):
You further acknowledge and agree that we may access or disclose information about you, including the Content, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Box or our customers, including the enforcement of our agreements or policies governing your use of the Service; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Box employees, customers, or the public.
Please note that I have no intention of hitting on Box specifically. I am simply using them as an example because they target the enterprise and are well-known.
Threat #2: Intelligence Agencies Have Access
In year two after Snowden it seems strangely naive to think that intelligence agencies cannot force cloud vendors in their jurisdiction to give them access to customer data as well as to encryption keys.
Threat #3: Hackers Have Access
As the Sony hack has shown, this threat is not specific to data stored in the cloud. However, large amounts of confidential data managed by a small number of vendors constitute a lucrative target for hackers of any kind.
A Better Way: Zero Knowledge
The only protection against voluntary or forced information disclosure on the part of the vendor is client-side encryption with client-side key storage. Only if the encryption key never reaches the EFSS vendor can the data be considered secure. Products like Amazon’s Key Management Service explicitly do not help here because the vendor can still be forced (or hacked) to provide access to the keys.
Without keys stored centrally in the cloud, collaboration and sharing are more difficult. Key management on all the end user devices is also an issue. Most vendors seem to lack the courage to tackle these challenges. But now that many of the easy problems are solved, EFSS will only become a technology to be taken seriously if these harder hurdles are not ignored.
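To make the difference between the two key models concrete, here is an added example (not code from this article or from any EFSS vendor). It models a backend that stores whatever clients send, and a client that either keeps the passphrase-derived key on the device or hands it to the vendor. Only the Python standard library is used: an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for a real AEAD cipher such as AES-GCM so the script runs offline; the `ZKEFSS1` header, the class names and the sample documents are all constructed for the illustration.

```python
# Added example (not code from the article or from any EFSS vendor): contrasts
# the "vendor holds the key" model with client-side encryption where the key is
# derived from the user's passphrase and never leaves the device. Only the
# Python standard library is used: an HMAC-SHA256 counter-mode keystream with an
# encrypt-then-MAC tag stands in for a real AEAD cipher such as AES-GCM so the
# script runs offline; the key-handling pattern is the point, not the cipher.
import hashlib
import hmac
import os
import struct

MAGIC = b"ZKEFSS1"  # constructed header tag marking client-encrypted blobs
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Stretch the user's passphrase into a 32-byte key, on the client only."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return MAGIC || nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    body = MAGIC + nonce + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (or tampering) raises ValueError."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + NONCE_LEN + TAG_LEN:
        raise ValueError("not a client-encrypted blob")
    enc_key, mac_key = _subkeys(key)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or modified data")
    nonce = body[len(MAGIC):len(MAGIC) + NONCE_LEN]
    ct = body[len(MAGIC) + NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Backend:
    """Stand-in for the vendor's storage: it holds whatever clients send it."""

    def __init__(self):
        self.blobs = {}       # name -> salt || encrypted blob
        self.key_escrow = {}  # name -> key, populated only in the vendor-held model

    def vendor_view(self, name: str) -> bytes:
        """What an employee, a legal request or an intruder with backend access gets."""
        blob = self.blobs[name]
        if name in self.key_escrow:                      # key under the doormat
            return decrypt(self.key_escrow[name], blob[SALT_LEN:])
        return blob                                      # ciphertext only


class Client:
    """The user's device. With vendor_holds_key=False the key never leaves it."""

    def __init__(self, backend: Backend, passphrase: bytes, vendor_holds_key: bool = False):
        self.backend = backend
        self.passphrase = passphrase
        self.vendor_holds_key = vendor_holds_key

    def upload(self, name: str, data: bytes) -> None:
        salt = os.urandom(SALT_LEN)
        key = derive_key(self.passphrase, salt)
        self.backend.blobs[name] = salt + encrypt(key, data)
        if self.vendor_holds_key:
            self.backend.key_escrow[name] = key  # the vendor can now decrypt on demand

    def download(self, name: str) -> bytes:
        # A second device with the same passphrase re-derives the key from the stored salt.
        blob = self.backend.blobs[name]
        key = derive_key(self.passphrase, blob[:SALT_LEN])
        return decrypt(key, blob[SALT_LEN:])


if __name__ == "__main__":
    be = Backend()
    Client(be, b"correct horse battery staple").upload("zk.docx", b"board minutes")
    Client(be, b"pw", vendor_holds_key=True).upload("escrow.docx", b"board minutes")
    print("zero-knowledge, vendor sees:", be.vendor_view("zk.docx")[:24], "...")
    print("vendor-held key, vendor sees:", be.vendor_view("escrow.docx"))
```

The design point is in `Backend.vendor_view`: the backend code is identical in both cases, and the only thing that decides whether a subpoena, an insider or an intruder gets plaintext is whether a key was ever handed over. The salt travels with the blob so that a second device with the same passphrase can sync, which is the minimal form of the key-management problem the paragraph above mentions.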
Who Provides Client-Side Encryption with Key Control?
A number of mostly smaller vendors provide “zero-knowledge” file synchronization and sharing with client-side encryption and client-side control over the encryption keys used.
The following list includes the vendors I am aware of in alphabetical order:
What About Add-on Products?
There is another category of products whose best-known contender is BoxCryptor. They do not provide cloud storage directly but encrypt data locally before it is sent to the cloud.
While the concept is interesting, I am not a big fan of the implementation, where you have a special drive letter as the entry point to the encrypted data. In addition to that, there still is the regular Dropbox or Google Drive sync folder. Users can always copy files into the sync folder directly without using the encryption drive letter. In such a case the files are sent to the cloud as plaintext.
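The bypass just described is easy to check for from the defender's side. The following is an added example (not from this article and not BoxCryptor's code): files written through the encryption layer carry a recognizable container header, so anything in the sync folder that lacks it was copied in directly and will leave as plaintext. The `ZKEFSS1` header is a constructed stand-in for whatever a real product writes, the `SYNC_CLIENT_FILES` names are assumed housekeeping files, and the sample folder is built in a temporary directory for the demonstration.

```python
# Added example (not from the article, not BoxCryptor's code): a defender's
# check for the bypass described above. A file that lands in the sync folder
# without passing through the encryption layer has no container header, so a
# scheduled scan can flag it before the sync client ships it to the cloud.
# "ZKEFSS1" is a constructed stand-in for whatever header a real product writes.
import os
import tempfile
from pathlib import Path

MAGIC = b"ZKEFSS1"
# Assumed housekeeping files the sync client itself creates; not user content.
SYNC_CLIENT_FILES = {".dropbox", ".dropbox.cache", "desktop.ini"}


def is_encrypted_container(path: Path) -> bool:
    """True if the file starts with the encryption layer's header."""
    with path.open("rb") as f:
        return f.read(len(MAGIC)) == MAGIC


def find_plaintext_files(sync_root) -> list:
    """Return paths (relative to sync_root) of files that bypassed encryption."""
    root = Path(sync_root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.name in SYNC_CLIENT_FILES:
            continue
        if not is_encrypted_container(p):
            findings.append(p.relative_to(root).as_posix())
    return findings


def build_sample_sync_folder() -> str:
    """Constructed sample: one file via the encryption layer, one copied straight in."""
    root = Path(tempfile.mkdtemp(prefix="sync_"))
    (root / "Contracts").mkdir()
    (root / "Contracts" / "msa.pdf").write_bytes(MAGIC + os.urandom(128))      # encrypted
    (root / "Contracts" / "msa-draft.pdf").write_bytes(b"%PDF-1.7 draft text")  # bypassed
    (root / ".dropbox").write_bytes(b"")                                        # sync metadata
    return str(root)


if __name__ == "__main__":
    for rel in find_plaintext_files(build_sample_sync_folder()):
        print("plaintext in sync folder:", rel)
```

Run on a schedule (or from a file-system watcher) this turns the silent failure into an alert; a stricter deployment would move the flagged file out of the sync folder before the sync client picks it up.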
Conclusion
Zero-knowledge cloud offerings where the client is in control are still too rare. Part of the reason may be that the kinds of concerns voiced in this article are less prominent in the USA than in other parts of the world. According to Gartner’s July 2014 Magic Quadrant for Enterprise File Synchronization and Sharing:
For example, based on the U.S. National Security Agency’s PRISM (electronic surveillance data mining program) activities, some organizations lack 100% trust in cloud solutions for which the supplier holds the encryption keys and data. Some cloud suppliers are working to enable mechanisms to put customers in charge of encryption keys.
Interestingly, that does not seem to be true for the 19 vendors covered in the report, with the possible exception of Box, who announced customer-owned encryption keys ten months ago but have not shown an implementation yet.
The Gartner report’s closing words confirm that EFSS will predominantly be used in the US in the next few years:
We expect revenue to exceed $500 million by 2016, with more than 70% of the total software revenue generated in North America.
9 Comments
Hi Helge, Citrix ShareFile supports a zero-knowledge configuration with “Restricted StorageZones” see http://blogs.citrix.com/2014/11/18/five-new-rules-for-enterprise-file-sync-and-share-service-providers/ and http://support.citrix.com/proddocs/topic/sharefile-storagezones-30/sf-storagezones-about-30.html
Yes, that is a great feature. But if I am not mistaken it is not cloud only because it requires a StorageZones Controller on premises.
Hi Helge,
Great article and glad you challenge the status quo. But in all fairness, define “cloud”… Why does this necessarily have to be the primary vendor (eg Citrix) and not a hosting provider? For instance, a hosting provider could host a ShareFile Restricted StorageZone (on their premises) for customers requiring this level of security and offer it as a cloud -service-. Right?
Ingmar
Helge,
wrt Restricted StorageZones – while StorageZone servers are managed by “you”, you can have a customer managed storage zone on Azure. Does that count?
That is an interesting technology and looking good from a security perspective, but in this article I was looking at products that do not have to be managed by the customer.
… for background/info – http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/sharefile-enterprise-security-whitepaper.pdf?accessmode=direct
As a user of backblaze I can tell you that they can be included in your list.
You can configure encryption – they can’t recover or decrypt without your private key which is protected with a very strong password.
Backblaze does backup, not file sync/share.
Great feature you have shared with us. Looking forward to your next posts on file integrity checker and free file encryption.