This is part 4 of our Security Pro’s Guide to Cloud File Storage and Collaboration (file sync and share). The full paper is available on GitHub as we write it. See also part 1, part 2, and part 3.

Additional Security Features

The core security features are a baseline which enterprise and business customers should look for when selecting a service for their organization, but the various services also offer a plethora of additional security features. Providers see this as a way to entice enterprise users onto their services, show advantages over traditional storage infrastructure, and create competitive differentiation.

So security is used as both a competitive baseline and a differentiator, which is why we see new capabilities appear consistently. The odds are high this report won’t cover everything available by the time you read it.

Universal search and investigation support

As we described earlier, most cloud storage providers track all files, offer content search, and track every user and every device that accesses each file, including who viewed it in a web browser, downloaded a copy, or synced it with a computer or mobile device.

That single central control point enables fairly powerful security capabilities. Worried a document leaked? Find all copies and the entire access history. An obvious caveat applies: once a file leaves the service it isn’t tracked, but at least you have a starting point to identify where it went. This is often one of the more difficult first steps in any leak/breach/abuse investigation, because traditional storage products rarely track this level of detail.

Enhancing this is full content indexing and search. This isn’t purely a security feature, but enables you to search your entire cloud storage repository for keywords or other specific content. Some providers offer options for more advanced searches, particularly regular expressions. This is also useful for non-security reasons, so we expect indexing and searching capabilities to increase over time, but make sure you understand what your provider supports now.

Another limitation is that providers don’t support every possible document type. For example, the odds are low that your CAD file format is supported today. Typically standard Office and text formats are supported – check with potential providers rather than assuming.

Client-managed encryption

All enterprise-class cloud storage providers encrypt data in their backend, but they manage the keys and can thus technically see your content. There are now third-party security vendors who encrypt cloud data using different approaches, and some cloud storage vendors are adapting their architectures to allow customers to encrypt directly within the service, but control their own keys.

This is a different approach than using a third-party tool. Your cloud provider still handles the encryption in their backend but you have your own encryption keys. There are two major options:

• The cloud platform endpoint agents handle encryption operations synchronized with your enterprise key store. For this to work they need to include the capability in both workstation and mobile agents, and a mechanism for integrating key distribution.
• The cloud platform manages encryption in their backend, but opens mechanisms for enterprise users to provision and manage their own keys. There are a few ways to handle this technically, but typically it involves a Hardware Security Module (HSM) that is located in the cloud provider’s data center yet managed by the client, in a client data center, or at a infrastructure cloud provider. The important part is that the customer rather than the cloud provider, is the only one who can manage keys. Technically they are exposed in the cloud provider’s data center during cryptographic operations, but if architected correctly the risk of key exposure can be minimized.

We won’t be surprised to see other approaches develop over time, but these are the two we know are on the market or soon will be. In both cases the customer needs their own key management infrastructure.

One major warning: encrypting data with your own key breaks most or all collaboration features and any indexing/search, because the cloud provider cannot read your content. So it is something you should generally limit to your most sensitive data. Apply it to everything, and you may see users try to circumvent encryption so they can take advantage of platform features you do not support.

Data Loss Prevention

Full-text indexing and search, combined with a complete audit log of all activity associated with a file, meets our definition for basic content-aware DLP.

In addition, a cloud provider can offer real-time monitoring of all content based on search terms, and tie them to enforcement policies. For example, a cloud storage provider could quarantine a file and alert an administrator any time a credit card number is found. This enables enterprise-wide content policies for the entire cloud storage platform.

More advanced rules can apply by user or group, restricting only certain activities – perhaps “never share a file with PII or this keyword in it externally”, or any other combination of analysis and rules, such as device restrictions. DLP combines full content indexing and search with persistent policies for near-real time content-aware protection.

The market for integrated DLP is still extremely young, and when available its features tend to be limited. Third party integration can provide more capability, and as with everything else we expect to see capabilities expand at a reasonable pace. In discussions with clients this seems to be a popular requirement, which will continue to push the market along.

DRM/IRM

Digital Rights Management, also known as Information Rights Management, is defined as encrypting data and then limiting its usage through rights policies. For example allowing someone to view a file but not email or print it.

Cloud file storage and collaboration services often include in-browser readers, and granular rights policies, they can enable a limited version of DRM. Set a policy so a file can only be viewed in a browser and never downloaded, and you can restrict activity.

But to be truly considered DRM the service should include in-browser protections against actions like Copy and screen capture. Ideally the platform can directly, or through third-party integration, allow document markup and editing – not merely viewing. On the horizon we expect services that define DRM policies at the file level via integration with on-premise enterprise DRM – not that anyone is really using that today.

Device security

At the most basic level, the cloud service should support restricting content only to approved devices and include integration for federated identity. The service should also track all files each device downloads. Content on devices should be encrypted, using either a proprietary mechanism or the device’s native app encryption.

For content security some providers allow remote wiping of the service’s app, effectively destroying the data. Another option is to remotely log out the application, which also restricts access to the data, although depending on the encryption a forensic recovery may still be possible if the data (or encryption key) isn’t deliberately wiped.

Providers are also exploring additional mobile device features, predominantly centered around Mobile Device Management-like capabilities to better understand device configuration and even detect certain forms of jailbreaking or other compromise that could expose data on devices.

API support

Nearly all cloud storage providers support a robust API for integration into other applications and services. It is becoming an essential baseline feature for this market. But not all APIs are created equal. From the security standpoint, all security features should be API enabled to support integration with existing and future tools.

Integrations

While APIs provide the hooks, there are a few common categories of security tools we tend to see pre-integrated. This is often enabled by vendor partnerships, the API support mentioned above, and/or making data from the service (especially security audit logs) accessible in standard formats. Established integrations save time and are officially supported, unlike something you code up yourself.

Some of the most common and useful integrations include:

• Cloud security gateways: This product category has a number of names, but includes products that identify cloud services used by your organization and use multiple techniques to add security – such as more granular controls, inline encryption, better security management, and DLP.
• Encryption gateways: While sometimes implemented as a feature of cloud security gateways, these stand-alone products proxy connections to the cloud provider and selectively encrypt data. We aren’t big fans of this approach due to logistics considerations and its effects on cloud service features, but it is a viable option when encryption is mandated but not supported by your vendor.
• Digital Rights Management: We see very few successful enterprise-wide DRM deployments, but new providers focused on mobile collaboration have emerged to support valuable use cases.
• Mobile Device Management: This integration allows greater granularity and control of which devices and users can connect to the cloud service.
• SIEM/log management: The SIEM tool collects activity directly from the cloud provider and integrates it into consolidated logging, alerting features, and even correlation with other security events.

We also see integrations developing with electronic discovery tools, standard DLP, business intelligence, and others as new use cases emerge. As enterprise adoption of cloud file storage increases we expect to see many more integrations emerge.

Conclusions, and a caution

This biggest concern about using a cloud file storage and collaboration service is the worry of entrusting your sensitive information – sometimes your most sensitive information – to an outsider who mixes it up with everyone else’s data. That can be a tall mental hurdle to leap, especially when your experience is with consumer services with spotty security records.

But using a secure enterprise-class service brings demonstrable security advantages. It reduces file sprawl and provides an overall view of all activity that is effectively impossible with traditional storage paradigms. Add some security features such as content indexing and search, and some creative security solutions emerge. Full visibility and control are very powerful tools.

Despite these advantages you need to be careful. One security fumble can expose all your files to the entire Internet. These providers need to be absolutely best in class, with extensive transparency, strong governance, continuous deep security testing, and dedicated security teams. Even then you might need the occasional dash of encryption to add assurance, especially if you are concerned with government snooping.

Do your homework and choose wisely, and you will gain governance over your files which most security professionals never dream of.