This is part 2 of our Security Pro’s Guide to Cloud File Storage and Collaboration (file sync and share). The full paper is available on GitHub as we write it. See also Part 1.

Understanding Cloud File Storage and Collaboration Services

Cloud File Storage and Collaboration (often called Sync and Share) is one of the first things people think of when they hear the term ‘cloud’, and one of the most popular product categories. It tends to be one of the first areas IT departments struggle to manage, because many users and business units want the functionality and use it personally, and there is a wide variety of free and inexpensive options.

As you might expect, since we can’t even standardize on a single category name, we also see a wide range of different features and functions across the various services. We will start by detailing the core features with security implications, then the core security features themselves, and finally more advanced security features we see cropping up in some providers.

This isn’t merely a feature list – we cover each feature’s security implications, what to look for, and how you might want to integrate it (if available) into your security program.

Overview and Core Features

When these services first appeared, the term Cloud Sync and Share did a good job of encapsulating their capabilities. You could save a file locally, it would sync and upload to a cloud service, and you could expose a share link so someone else on the Internet could download the file. The tools had various mobile agents for different devices, and essentially all of them had some level of versioning so you could recover deleted files or previous versions.

Cloud or not?

Cloud services popularized sync and share, but there are also non-cloud alternatives which rely on hosting within your own environment – connecting over a VPN or the public Internet. There is considerable overlap between these very different models, but this paper focuses on cloud options. They are where we hear the most concern about security, and cloud services are dominant in this market – particularly as organizations move farther into the cloud and prioritize mobility.

Most providers now offer much more than core sync and share. Here are the core features which tend to define these services:

  • Storage: The cloud provider stores files. This typically includes multiple versions and retention of deleted files. The retention period, recovery method, and mechanism for reverting to a previous version all vary greatly. Enterprises need to understand how much is stored, what users can access/recover, and how this affects security. For example, make sure you understand version and deletion recovery so sensitive files you ‘removed’ don’t turn up later.
  • Sync: A local user directory (or server directory) synchronizes changes with the cloud provider. Edit a file locally, and it silently syncs up to the server. Update it on one device and it propagates to the rest. The cloud provider handles version conflicts (which can leave version orphans in the user folders). Typically users access alternate versions and recover deleted files through the web interface, and sometimes it also manages collisions.
  • Share: Users can share files through a variety of mechanisms, including sharing directly with another user of the service (inside or outside the organization) which allows the recipient to sync the file or folder like their own content. Shared items can be web only; sharing can be open (public), restricted to registered users, or require a one-off password. This is often handled at the file or folder level, allowing capabilities such as project rooms to support collaboration across organizations without allowing direct access to any participant’s private data. We will cover security implications of sharing throughout this report, especially how to manage and secure sharing.
  • View: Many services now include in-browser viewers for different file types. Aside from convenience and ensuring users can see files, regardless of whether they have Office installed, this can also function as a security control, instead of allowing users to download files locally.
  • Collaborate: Expanding on simple viewers (and the reason Sync and Share isn’t entirely descriptive any more), some platforms allow users to mark up, comment on, or even edit collaborative documents directly in a web interface. This also ties into the project/share rooms we mention above.
  • Web and Mobile Support: The platform syncs locally with multiple operating systems using local agents (okay, Windows, Mac, and at least iOS), provides a browser-based user interface for access from anywhere, and offers native apps for multiple mobile platforms.
  • APIs: Most cloud services expose APIs for direct integration into other applications. This is how, for example, Apple is adding a number of providers at the file system layer in the next versions of OS X and iOS. On the other hand, you could potentially link into APIs directly to pull security data or manage security settings.

These core features cover the basics offered by most enterprise-class cloud file storage and collaboration services. Most of the core security features we are about to cover are designed to directly manage and secure these capabilities.

And since “Cloud File Storage and Collaboration Service” is a bit of a mouthful, for the rest of this paper we will simply refer to them as cloud storage providers.

Core Security Features

Core security features are those most commonly seen in enterprise-class cloud storage providers. That doesn’t mean every provider supports them, but to evaluate the security of a service this is where you should start. Keep in mind that different providers offer different levels of support for these features; it is important to dig into the documentation and understand how well the feature matches your requirements. Don’t assume any marketing material is accurate.

Security Baseline

Few things matter more than starting with a provider that offers strong baseline security. The last thing you want to do is trust your sensitive files to a company that doesn’t consider security among their top priorities. Key areas to look at include:

  • Datacenter security: The provider should offer exceptional datacenter security – including physical controls, logical controls, and all the other essentials to reduce the risk of physical and technical attacks. You cannot necessarily assess this yourself, so look for up-to-date third-party certifications and attestations, such as SOC 2 or ISO 27001. Generally the more the better, but make sure you sign the NDA and get the actual reports, when the assessment occurred, and which organization performed it.
  • Business continuity: Short of an international asteroid impact, your provider should never lose your data. Their business continuity plans should account for multiple catastrophic outages, including complete loss of at least one data center. They should test their plans and provide assurance of their effectiveness, with documentation.
  • Encryption: All customer data should be encrypted for compliance and to protect data from accidental loss of physical media. Ideally multiple keys should be used for different customers, and you should review their encryption and key management architecture. Note that this is not client-managed encryption – the provider manages the keys and can see your data, but it provides higher assurance against data spillage or exposure of physical media.
  • Application security: The web application must be free from vulnerabilities to SQL injection, XSS, CSRF, and other application and business logic attacks. This also applies to direct API access. The provider should offer proof of ongoing security testing and web application security controls.
  • Internal controls: Providers should have well-documented internal security controls to prevent both external attacks and insider abuse. Don’t expect them to provide you with all the details, but one key area to ask about is administrative access and auditing: essentially, who can access your data, how, and how that access is monitored in case of internal or external abuse. Two-factor authentication for administrators is a must.
  • Transparency, staffing, and documentation: The short version: you want a provider with a dedicated security team, who is transparent about security operations and provides good documentation – both of their inherent security, and how to secure the services you use with their platform features.

This isn’t an exhaustive list, but key areas to focus on in your initial assessment. Without a solid security baseline it really doesn’t matter what else the service offers.