Research

After a short break, the boys are back and here to talk about Apple. No, not the new wrist-mounted toy, but the first mobile payment system you might actually use. Or so says Rich’s Macworld editor, based on his article title. The audio-only version is up too. Share:

You read the series, now it’s time to download the collected works. Okay, maybe you read the series of blog posts. And by “collected works” I mean “white paper”, but you get the idea. This is one I wanted to do a year or two ago, but the market wasn’t ready. Fortunately the services have advanced significantly and enterprise adoption is rapidly increasing. Before I link to the paper, an important note. I call these Cloud File Storage and Collaboration services, but Enterprise File Sync and Share is more commonly used. Sync and Share is limiting as a term, and includes non-cloud options I don’t consider in this paper. So I broke my usual rule and used a not-quite-universally-accepted term – hopefully I won’t regret it later. This paper covers all the basics: how they work, core security features, and advanced security features. You can download the paper here: The Security Pro’s Guide to Cloud File Storage and Collaboration (PDF) Landing Page Thanks to Box for licensing the content. Share:

Sometimes life sneaks up on you. Often when I am introduced to new clients and professional contacts, it is as “Analyst and CEO of Securosis; he used to be at Gartner”. I am fully cognizant of the fact that not only is Gartner where I started my analyst career, but also that my time and title there are the reason I was able to start Securosis. Not only did I learn how to be an analyst, but the Gartner name (as much as it pains some people) still carries a lot of weight. Leaving as a VP carries even more (a gift from my former boss, who knew he could never get my pay where it needed to be). It still carries weight to this day. We have a hell of a good brand in Securosis, but large swaths of the world have never heard of us. “Former Gartner” still helps open those doors. Even though the kind of work we do today carries very little resemblance to what I did back at the G. To be honest, I’m not even sure we are analysts anymore. It’s still part of what we do, but only one facet. Recently I have run into more of my former colleagues at various events. Black Hat, Boxworks, and other random analyst days and conferences. Most of them still work there, and all are shocked when I mention that I have now been running Securosis longer than I was at Gartner. This summer we passed the 7-year mark as a company. That’s exactly as long as I was at Gartner, and I wasn’t even an analyst for my first year. It’s longer than any other professional job I have held, and almost as long as I spent at the University of Colorado (8 years for my undergrad – it’s a Boulder thing). I still remember the first few months of the company. How I could barely sleep at night because I was so excited about what the next day would hold. Waking up early and jumping on my computer to blog, research, and spend entirely too much time on Twitter. Seven years is a long to maintain that enthusiasm. Since then I have added three children to my family, been through two major medical challenges, and built up the stress and overhead that comes from moving from a one-person shop with no clients… to one with partners, contributors, software platforms, and dozens of active clients (not counting all the one-off projects). I now literally lose entire days purely to dealing travel plans, invoices, and expenses. And really, no one with three kids under the age of five ever wakes up, on their own, with enthusiasm. But despite the overhead, chronic sleep deprivation, and stress of deadlines and commitments, this is the single most exciting time of my career. I may wake up a little rough around the edges, and feel like there is never enough time in the day, but I am engaged in my most compelling and challenging work since I first entered the workforce as an underweight security guard. About four or five years ago I placed a bet on cloud computing, and later on what is now known as DevOps. Those bets are paying off bigtime as those entangled disruptive forces trigger massive changes in how we deliver and consume technology. Aside from paying off financially (apparently there still aren’t that many people who really understand cloud and DevOps security out there), the work is… exciting. It’s a hell of a lot of fun. Every day I wake up not only with something new to learn, but with the confidence that I can use it to support my family as I gain and expand that knowledge. It is really hard to imagine a better job (without zero gravity or secret lairs). Although being interviewed by the Wall Street Journal on celebrity nudes was still kind of a surprise. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted in the Wall Street Journal on the celebrity hacks. Rich’s article on the same issue at TidBITS. And a zillion other articles on the story. Mike quoted on context-aware security in SearchNetworking. Mike quoted on Wendy Nather being named a “Power Player” in Security. Wendy is awesome and one of our favorite people in the industry. Mike couldn’t be happier to be quoted in the piece. Mike’s “Change Agent” – Trusted Information Systems. Mike did a blog post/video for Digital Guardian naming a “change agent” that had an impact on how security has evolved… Check it out. Mortman Quoted about DevOps by the Hulminator. Chasing consistency across the wild seas of enterprise IT Favorite Securosis Posts Let’s be honest: we only had three posts by Mike this week, so we’ll call them all favorites. Other Securosis Posts Feeding at the Data Breach Trough. Incite 9/3/2014: Potential. PR Fiascos for Dummies. Favorite Outside Posts Mike Rothman: Infosec is a strange industry. Gunnar is right. There are many parallels between security and finance (another ‘strange’ industry). I’d add another to the list. Success in security is when nothing happens. If that’s not strange, I don’t know what is… Adrian Lane: 11 Reasons Email Is the Worst. This is fascinating – not for the insights into the limitations of email, but for its astute examination of human behavior. Worth the read! Rich: Not Safe for Not Working On by Dan Kaminsky. Dan really addresses the root issue here, at both psychological and practical levels. Must read. Gunnar: Hacker Breached HealthCare.gov Insurance Site. “If this happened anywhere other than HealthCare.gov, it wouldn’t be news,” a senior DHS official said.” Not the best excuse. Mortman: Bringing new security features to Docker. Research Reports and Presentations The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of

A few days after returning from DEF CON my family experienced an inevitable life-changing event you cannot really prepare for. Kindergarten. That’s right. If you have been following this site since it started 8 years ago, you have watched as I went from a newly married dude in his 30’s traipsing around the world, to a… and I find this really hard to say… responsible parent with school-aged children. My life schedule is now officially defined by the State of Arizona and the Paradise Valley Unified School District. So long off-week Disney trips; hello PTO, early dismissal days, and parent/teacher meetings. To be honest, it’s pretty exciting. For some reason American society thinks that if you manage to keep your kids alive for the first five years, then the state should step up and provide a little support and education. Those of you who ran through the private daycare gauntlet know exactly what I am talking about. The thing my daughter is most excited about? The idea of a teacher sticking around for more than three months. We actually went ahead and got our 5-year-old accepted to a charter school that’s closer to our home than the school she would normally go to (due to the vagaries of subdivisions). It’s actually a normal public school, but they get a little extra funding and have a STEM program, and it is considered an in-district transfer. We got our 3-year-old into the pre-K program at the same school. I have already experienced some highs and lows with the STEM program. It was very important to me – even if my kids go into non-technology careers, a solid technical foundation will help in whatever they do. Also, I hoped going to a STEM-enhanced school would help compensate for the many issues with technology and science education for girls. I wasn’t certain how often they had STEM class, but quickly learned they attend every week. Not bad for a group of kids who generally cannot read yet. Then again, last week our conversation went like this. “How was school? What did you do?” “We did this thing called STIM?” “Awesome! That’s STEM! It’s science and technology! What did you do” “We colored a picture of a scientist.” “Oh.” This week they talked about what scientists do. It wasn’t terrible, and she learned that science is about asking questions. On the other hand, over the weekend we played Robot Turtles and started learning about how that board game teaches programming. And how we can use it to program our Lego robot. And the next day the kids begged me to do science, so I pulled out our polymer lab kit and we experimented with making fake snow, absorbing water, and making goo. The weekend before they asked to go the the Arizona Science Center and we had a total temper tantrum pulling them out of the paper airplane exhibit because her helicopter design wasn’t working. Heck, I took them to HacKid and they loved it, even the 3-year-old. I really hope the classes go hands-on soon, because talking about something is no way to foster lifelong interest. We live in a golden age for science and technology education. Instead of learning to program to move a fake turtle on a screen (let’s be honest, it was barely a pixel), our kids can move real robots in the real world… without knowing how to read. 3D printers, microscope lenses for phones, cheap bio sensors, drones, microprocessors – technology has never been more accessible (at least if you live in an affluent area – let’s be honest). My kids will get this all at home. Those are my hobbies, and I hope my love of science and technology influences them. It will be nice if school reinforces that, but I will not rely on it. There is one exception to my golden age comment – it’s a crappy time for chemistry sets thanks to terrorists and meth dealers. Or an overly-paranoid government and stupid DHS rules. Or something like that. On to the Summary: Favorite Securosis Posts Adrian Lane: CISO’s Head Asplode. Mike Rothman: Firestarter: You Can’t Handle the Gartner. I’ll admit it. I don’t watch other folks videocasts or listen to their podcasts. But I would watch/listen to ours. Mostly because it’s entertaining, and even helpful. And yes, we actually have a good time recording it. Rich: APT hits the ER. There is much more to this than you think. I know of some big healthcare breaches that originated overseas but haven’t been made public. Other Securosis Posts Incite 8/20/2014: Better get a Bucket. 21st Century Shakedown. Favorite Outside Posts Adrian Lane: 96% decline in NYC car theft. Interesting how a single innovation can thwart an entire class of security issues. Mike Rothman: Visualization for Security. We (as an industry) aren’t very good at visualization. So check out this deck from Raffael Marty, who is one of the leading visualization dudes in the industry. And learn some stuff. Rich: Apple begins storing user data in China. It’s going to be interesting to see how Apple handles user privacy overseas, considering their intense focus on privacy as a competitive differentiator here in the US. The fact is you simply cannot offer these services in some countries without opening them to the local government, in ways you don’t have to here, even with all our recent NSA concerns. Gunnar Peterson: Michael Daniel’s Path to the White House: CyberSec Coordinator Tells Why Lack of Tech Know-How Helps. What’s next? A Treasury Secretary who brags about not knowing about banks? You can’t make it up. I get that execs (a czar counts as an exec, right?) cannot be down “in the weeds” but you have to be able to tell a weed from a flower or a vegetable. Rich adds: this astounds me. It shouldn’t but it does, and the fact that he sees this as an advantage means he is completely unqualified for his job. Dave Lewis: The Puerile

After our little Black Hat and DEF CON induced hiatus, the boys are back to talk about the latest vendor suing Gartner. Yes, there is a Gartner Tax. No, it isn’t what you think. No, there is no pay for play. Yes, there are better ways to handle this. Yes, end users love Magic Quadrants no matter how much you trash talk them. And yeah, somehow we know a bit about how all this works from all sides. The audio-only version is up too. Share:

This is part 4 of our Security Pro’s Guide to Cloud File Storage and Collaboration (file sync and share). The full paper is available on GitHub as we write it. See also part 1, part 2, and part 3. Additional Security Features The core security features are a baseline which enterprise and business customers should look for when selecting a service for their organization, but the various services also offer a plethora of additional security features. Providers see this as a way to entice enterprise users onto their services, show advantages over traditional storage infrastructure, and create competitive differentiation. So security is used as both a competitive baseline and a differentiator, which is why we see new capabilities appear consistently. The odds are high this report won’t cover everything available by the time you read it. Universal search and investigation support As we described earlier, most cloud storage providers track all files, offer content search, and track every user and every device that accesses each file, including who viewed it in a web browser, downloaded a copy, or synced it with a computer or mobile device. That single central control point enables fairly powerful security capabilities. Worried a document leaked? Find all copies and the entire access history. An obvious caveat applies: once a file leaves the service it isn’t tracked, but at least you have a starting point to identify where it went. This is often one of the more difficult first steps in any leak/breach/abuse investigation, because traditional storage products rarely track this level of detail. Enhancing this is full content indexing and search. This isn’t purely a security feature, but enables you to search your entire cloud storage repository for keywords or other specific content. Some providers offer options for more advanced searches, particularly regular expressions. This is also useful for non-security reasons, so we expect indexing and searching capabilities to increase over time, but make sure you understand what your provider supports now. Another limitation is that providers don’t support every possible document type. For example, the odds are low that your CAD file format is supported today. Typically standard Office and text formats are supported – check with potential providers rather than assuming. Client-managed encryption All enterprise-class cloud storage providers encrypt data in their backend, but they manage the keys and can thus technically see your content. There are now third-party security vendors who encrypt cloud data using different approaches, and some cloud storage vendors are adapting their architectures to allow customers to encrypt directly within the service, but control their own keys. This is a different approach than using a third-party tool. Your cloud provider still handles the encryption in their backend but you have your own encryption keys. There are two major options: The cloud platform endpoint agents handle encryption operations synchronized with your enterprise key store. For this to work they need to include the capability in both workstation and mobile agents, and a mechanism for integrating key distribution. The cloud platform manages encryption in their backend, but opens mechanisms for enterprise users to provision and manage their own keys. There are a few ways to handle this technically, but typically it involves a Hardware Security Module (HSM) that is located in the cloud provider’s data center yet managed by the client, in a client data center, or at a infrastructure cloud provider. The important part is that the customer rather than the cloud provider, is the only one who can manage keys. Technically they are exposed in the cloud provider’s data center during cryptographic operations, but if architected correctly the risk of key exposure can be minimized. We won’t be surprised to see other approaches develop over time, but these are the two we know are on the market or soon will be. In both cases the customer needs their own key management infrastructure. One major warning: encrypting data with your own key breaks most or all collaboration features and any indexing/search, because the cloud provider cannot read your content. So it is something you should generally limit to your most sensitive data. Apply it to everything, and you may see users try to circumvent encryption so they can take advantage of platform features you do not support. Data Loss Prevention Full-text indexing and search, combined with a complete audit log of all activity associated with a file, meets our definition for basic content-aware DLP. In addition, a cloud provider can offer real-time monitoring of all content based on search terms, and tie them to enforcement policies. For example, a cloud storage provider could quarantine a file and alert an administrator any time a credit card number is found. This enables enterprise-wide content policies for the entire cloud storage platform. More advanced rules can apply by user or group, restricting only certain activities – perhaps “never share a file with PII or this keyword in it externally”, or any other combination of analysis and rules, such as device restrictions. DLP combines full content indexing and search with persistent policies for near-real time content-aware protection. The market for integrated DLP is still extremely young, and when available its features tend to be limited. Third party integration can provide more capability, and as with everything else we expect to see capabilities expand at a reasonable pace. In discussions with clients this seems to be a popular requirement, which will continue to push the market along. DRM/IRM Digital Rights Management, also known as Information Rights Management, is defined as encrypting data and then limiting its usage through rights policies. For example allowing someone to view a file but not email or print it. Cloud file storage and collaboration services often include in-browser readers, and granular rights policies, they can enable a limited version of DRM. Set a policy so a file can only be viewed in a browser and never downloaded, and you can restrict activity. But to be truly considered DRM the service should include in-browser protections against actions like Copy and screen

Side note: we are aware of the site issues and are working hard on them. There were major changes to the platform we use, and they conflict with our high-security setup. I think we should have it fixed soon, and we apologize. That’s what we get for having a non-DevOps-y legacy site. Right now it is 68F here in Boulder, with an expected high of 89F. A little toasty. It’s 92F in Phoenix, with an expected high of 109F. Yesterday they hit 115F, breaking the record. A little helly. Stupid humans and global warming. We are down to the last five days of our month in Boulder. Staring down 110F+ temperatures isn’t doing much to improve my enthusiasm about heading home. Then again, I’ll only be home for one night before I head off to nine days in Vegas for Black Hat and DEF CON. I think it might be a degree or two cooler there than in Phoenix, so I have that going for me. Which is nice. The end of a trip, especially an extended one, is always a melancholy time. I didn’t accomplish nearly everything I hoped, but still can’t complain. I caught up with most of my friends, enjoyed watching my girls take swim lessons at the pool I taught at 20 years ago, hit nearly all my favorite restaurants, and learned that there are a c**p-load of kid-friendly parks in Boulder. Kind of never noticed them pre-kids. On the downside I didn’t get nearly as many rides or runs in as I hoped. Some friends’ schedules simply didn’t work out. And although we snuck in a few family hikes, I really hoped to spend more time in the mountains. Then again, that’s sorta tough with 5, 3, and 1 year olds. I had two main goals coming into this trip, and completely accomplished both of them. First was to simply relax and let the mountain air reduce my stress level. Work-wise it actually turned into a pretty packed month, but something about this town helps me maintain my center. It isn’t anything metaphysical, just an effect of settling into a place where you feel completely comfortable. I also wanted to get my kids out of the heat, and give them a summer adventure with a lot of time in the outdoors. To build up good memories of a place that is so important to me. You know, blatantly manipulate my kids. It totally worked. But summer is coming to a close and it’s time to gear up for the fall sprint. The workload is looking pretty intense, but continues the trend of some of the most fulfilling projects of my career. It starts with our Black Hat cloud security training, where I have a bunch of new material for advanced students I am excited to try out. So I didn’t spend as much time at coffee shops playing aging hipster as I expected (thanks to JumpCloud for loaning me a desk during my trip), didn’t spend as much time wandering the hills, and missed a couple friends. But in the end everything went pretty much perfectly. I’m mentally refreshed and ready to attack, the kids have awesome memories and some new favorite places, and no one ended up in the ER this time, so I think we get to come back next year. All good. Assuming our air conditioning still works in Phoenix. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich did a webcast on cloud security (with a SaaS focus) for Elastica. Favorite Securosis Posts David Mortman: TI+IR/M: The New Incident (Response) & Management Process Model. Adrian Lane: Hacker Summer Camp. There is always something going on before Black Hat, and this year has its share of drama. Mike Rothman: Firestarter: Security Summer Camp. A little over a week out, and I’m starting to get fired up. Schedule locked down, liver primed, ready to descend on Vegas. Good thing I don’t need to worry about disclosures or anything… Rich: Cloud File Storage and Collaboration: Core Security Features. I am picking my own post because I could use some feedback on this one. Other Securosis Posts The 2015 Endpoint and Mobile Security Buyer’s Guide [Updated Paper]. TI+IR/M: Quick Wins. Cloud File Storage and Collaboration: Overview and Baseline Security. Incite 7/23/2014: Mystic Rhythms. TI+IR/M: The New Incident (Response) & Management Process Model. TI+IR/M: Threat Intelligence + Data Collection = Responding Better. Leading Security ‘People’. Favorite Outside Posts David Mortman: The Promises of DevOps. Mike Rothman: Losing my religion. Hadn’t thought about Silicon Valley as a land of zealots, but after reading Chris Shipley’s post I get it. Though in order to do the things you do at a start-up (or even a big tech company) you need to believe. And that’s certainly many folks’ definition of religion… Adrian Lane: This Box Can Hold an Entire Netflix. A surprisingly ‘server-hugger’ style approach to content delivery, from one of the most whole-hearted and innovative cloud companies out there. A very interesting read! Research Reports and Presentations The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. Top News and Posts Threat Modeling: Designing for Security Anti-Surveillance Camouflage for Your Face Apple’s Legal Process Guidelines: U.S. Law Enforcement Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Devices. Slides. Apple’s support note on the tools mentioned in the presentation above. As expected, they have legitimate uses and don’t circumvent security controls. It will be interesting to see whether iOS 8 changes in response. Share:

This is part 3 of our Security Pro’s Guide to Cloud File Storage and Collaboration (file sync and share). The full paper is available on GitHub as we write it. See also part 1 and part 2 here. Identity and Access Management Managing users and access are the most important features after the security baseline. The entire security and governance model relies on it. These are the key elements to look for: Service and federated IDM: The cloud service needs to implement an internal identity model to allow sharing with external parties without requiring those individuals or organizations to register with your internal identity provider. The service also must support federated identity so you can use your internal directory and don’t need to manually register all your users with the service. SAML is the preferred standard. Both models should support API access, which is key to integrating the service with your applications as back-end storage. Authorization and access controls: Once you establish and integrate identity the service should support a robust and granular permissions model. The basics include user and group access at the directory, subdirectory, and file levels. The model should integrate internal, external, and anonymous users. Permissions should include read, write/edit, download, and view (web viewing but not downloading of files). Additional permissions manage who can share files (internally and externally), alter permissions, comment, or delete files. External Users An external authenticated user is one who registers with the cloud provider but isn’t part of your organization. This is important for collaborative group shares, such as deal and project rooms. Most services also support public external shares, but these are open to the world. That is why providers need to support both their own platform user model and federated identity to integrate with your existing internal directory. Device control: Cloud storage services are very frequently used to support mobile users on a variety of devices. Device control allows management of which devices (computers and mobile devices) are authorized for which users, to ensure only authorized devices have access. Two-factor authentication (2FA): Account credential compromise is a major concern, so some providers can require a second authentication factor to access their services. Today this is typically a text message with a one-time password sent to a registered mobile phone. The second factor is generally only required to access the service from a ‘new’ (unregistered) device or computer. Centralized management: Administrators can manage all permissions and sharing through the service’s web interface. For enterprise deployments this includes enterprise-wide policies, such as restricting external sharing completely and auto-expiring all shared links after a configurable interval. Administrators should also be able to identify all shared links without having to crawl through the directory structure. Sharing permissions and policies are a key differentiator between enterprise-class and consumer services. For enterprises central control and management of shares is essential. So is the ability to manage who can share content externally, with what permissions, and to which categories of users (e.g., restricted to registered users vs. via an open file link). You might, for example, only allow employees to share with authenticated users on an enterprise-wide basis. Or only allow certain user roles to share files externally, and even then only with in-browser viewing only, with links set to expire in 30 days. Each organizations has its own tolerances for sharing and file permissions. Granular controls allow you to align your use of the service with existing policies. These can also be a security benefit, providing centralized control over all storage, unlike the traditional model where you need to manage dozens or even thousands of different systems, with different authentication methods, and authorization models, and permissions. Audit and transparency One of the most powerful security features of cloud storage services is a complete audit log of all user and device activity. Enterprise-class services track all activity: which users touch which files from which devices. Features to look for include: Completeness of the audit log: It should include user, device, accessed file, what activity was performed (download/view/edit, with before and after versions if appropriate), and additional metadata such as location. Log duration: How much data does the audit log contain? Is it eternal or does it expire in 90 days? Log management and visibility: How do you access the log? Is the user interface navigable and centralized, or do you need to hunt around and click individual files? Can you filter and report by user, file, and device? Integration and export: Logs should be externally consumable in a standard format to integrate with existing log management and SIEM tools. Administrators should also be able to export activity reports and raw logs. These features don’t cover everything offered by these services, but they are the core security capabilities enterprise and business users should have to start with. Share:

This is part 2 of our Security Pro’s Guide to Cloud File Storage and Collaboration (file sync and share). The full paper is available on GitHub as we write it. See also Part 1. Understanding Cloud File Storage and Collaboration Services Cloud File Storage and Collaboration (often called Sync and Share) is one of the first things people think of when they hear the term ‘cloud’, and one of the most popular product categories. It tends to be one of the first areas IT departments struggle to manage, because many users and business units want the functionality and use it personally, and there is a wide variety of free and inexpensive options. As you might expect, since we can’t even standardize on a single category name, we also see a wide range of different features and functions across the various services. We will start by detailing the core features with security implications, then the core security features themselves, and finally more advanced security features we see cropping up in some providers. This isn’t merely a feature list – we cover each feature’s security implications, what to look for, and how you might want to integrate it (if available) into your security program. Overview and Core Features When these services first appeared, the term Cloud Sync and Share did a good job of encapsulating their capabilities. You could save a file locally, it would sync and upload to a cloud service, and you could expose a share link so someone else on the Internet could download the file. The tools had various mobile agents for different devices, and essentially all of them had some level of versioning so you could recover deleted files or previous versions. Cloud or not? Cloud services popularized sync and share, but there are also non-cloud alternatives which rely on hosting within your own environment – connecting over a VPN or the public Internet. There is considerable overlap between these very different models, but this paper focuses on cloud options. They are where we hear the most concerned about security, and cloud services are dominant in this market – particularly as organizations move farther into the cloud and prioritize mobility. Most providers now offer much more than core sync and share. Here are the core features which tend to define these services: Storage: The cloud provider stores files. This typically includes multiple versions and retention of deleted files. The retention period, recovery method, and mechanism for reverting to a previous version all vary greatly. Enterprises need to understand how much is stored, what users can access/recover, and how this affects security. For example make sure you understand version and deletion recovery so sensitive files you ‘removed’ don’t turn up later. Sync: A local user directory (or server directory) synchronizes changes with the cloud provider. Edit a file locally, and it silently syncs up to the server. Update it on one device and it propagates to the rest. The cloud provider handles version conflicts (which can leave version orphans in the user folders). Typically users access alternate versions and recover deleted files through the web interface, and sometimes it also manages collisions. Share: Users can share files through a variety of mechanisms, including sharing directly with another user of the service (inside or outside the organization) which allows the recipient to sync the file or folder like their own content. Shared items can be web only; sharing can be open (public), restricted to registered users, or require a one-off password. This is often handled at the file or folder level, allowing capabilities such as project rooms to support collaboration across organizations without allowing direct access to any participant’s private data. We will cover security implications of sharing throughout this report, especially how to manage and secure sharing. View: Many services now include in-browser viewers for different file types. Aside from convenience and ensuring users can see files, regardless of whether they have Office installed, this can also function as a security control, instead of allowing users to download files locally. Collaborate: Expanding on simple viewers (and the reason Sync and Share isn’t entirely descriptive any more), some platforms allow users to mark up, comment on, or even edit collaborative documents directly in a web interface. This also ties into the project/share rooms we mention above. Web and Mobile Support: The platform syncs locally with multiple operating systems using local agents (okay, Windows, Mac, and at least iOS), provides a browser-based user interface for access from anywhere, and offers native apps for multiple mobile platforms. APIs: Most cloud services expose APIs for direct integration into other applications. This is how, for example, Apple is adding a number of providers at the file system layer in the next versions of OS X and iOS. On the other hand, you could potentially link into APIs directly to pull security data or manage security settings. These core features cover the basics offered by most enterprise-class cloud file storage and collaboration services. Most of the core security features we are about to cover are designed to directly manage and secure these capabilities. And since “Cloud File Storage and Collaboration Service” is a bit of a mouthful, for the rest of this paper we will simply refer to them as cloud storage providers. Core Security Features Core security features are those most commonly seen in enterprise-class cloud storage providers. That doesn’t mean every provider supports them, but to evaluate the security of a service this is where you should start. Keep in mind that different providers offer different levels of support for these features; it is important to dig into the documentation and understand how well the feature matches your requirements. Don’t assume any marketure is accurate. Security Baseline Few things matter more than starting with a provider that offers strong baseline security. The last thing you want to do is trust your sensitive files to a company that doesn’t consider security among their couple priorities. Key areas to look at include: Datacenter security:

In the latest Firestarter, Rich, Mike, and Adrian discuss the latest controversial research to hit the news from HOPE and Black Hat. We start with a presentation by Jonathan Zdziarski on data recoverable using forensics on iOS. While technically accurate, we think the intent he ascribes intent to Apple shows a deeply flawed analysis. We then discuss a talk removed from Black Hat on de-anonymizing Tor. In this case it seems the researchers didn’t really understand the legal environment around them. Both cases are examples of great research gone a little awry. And Rich talks about a snowball fight with a herd of elk. These things happen. The audio-only version is up too. Share: