Taking control of the cloud

Sharing data has never been simpler. The likes of Google Drive, OneDrive and Dropbox offer a simple way for users to store files and share them with other people.

While the services were originally designed for consumer use, businesses have increasingly found them useful as it means that they’re not being constrained by their own IT departments. Everything has been simplified: no need for expensive equipment, no need to learn tricky commands, point and click and those files are readily available.

But, as we saw at the end of 2015, putting trust into providers can be a fraught process. The large-scale hack of Yahoo customers showed that once details are shared outside the firewall, data is immediately put at risk.

The Yahoo incident was just the latest in a steady flow of stories about hacks to the likes of Dropbox and other public cloud SaaS services. All of these have caused concerns about the move to cloud. While there’s a growing interest in the use of technology, the nagging doubts about security remain – it’s still the number one stumbling block when it comes to moving organisations to cloud.

In particular, there are concerns about public cloud, worries that hinder the take-up of services. “A single vulnerability or misconfiguration can lead to a compromise across an entire provider’s cloud,” says a 2016 report by the Cloud Security Alliance; concerns that are grist to the mill for those companies jumpy about moving to the cloud.

This belief has been backed up by a survey from the Ponemon Institute in which more than half of those questioned believed that, by using public cloud services, they were more likely to be hit by a data breach. The bottom line is that with public SaaS, your data is residing somewhere beyond your firewall.

There’s a paradox here: these concerns don’t really square with the increased popularity of the public cloud service providers, such as Box and Dropbox. How are they attracting customers when there are such prominent concerns?

Firstly, there’s the fact that these services started as consumer offerings, and security isn’t always the highest priority when users don’t have IT departments breathing down their necks. IT professionals know the danger of moving outside the firewall – the end users may not.

The cloud companies are aware of this, in trying to assuage customer concerns, they will talk about security measures. All cloud companies will go into great detail about the amount they spend on security controls, how technically advanced their experts are and how up-to-date their equipment is. They will also set out how they use all the best possible, military grade encryption: all of this is designed to give their customers peace of mind.

This is not quite the whole story – what these service providers don’t tell you is that they also control the encryption keys for that security: this is the most crucial aspect.

Data stored in Box or Dropbox is also encrypted, of course, but in these instances the key is generated and held by the provider. This clearly puts data at some sort of risk as a disgruntled employee of the provider could have access to a copy of the key, and with that, get hold of decrypted information.

The SaaS providers are aware of this risk and have taken steps to mitigate it. Box, for example, has developed a product called KeySafe, which aims to remove this fear. With KeySafe, the enterprise and Box both have encryption keys but the enterprise has full control over access and Box needs permission to access them.

Can you trust the providers?

But public cloud services like Box KeySafe don’t offer all the answers either. These services generate your encryption keys, meaning you must continue to trust that your provider won’t cache the keys or have auditing devices that record all encryption keys and data. That’s not a situation that would satisfy the most security conscious of customers. There might even be questions about the strength of encryption itself, and this is something that you have no control over.

But key ownership is not the only encryption control consideration for enterprise organisations. The vast majority of public SaaS services decrypt data once it has been transported to the cloud in order for the service provider to enable features like deduplication, search indexing, virus scanning, and more. Once these processes are complete, the files are again encrypted for storage in the cloud. But for many risk-averse and security-conscious enterprises, the exposure of data – no matter how small the window – is unacceptable.

It’s not just about the encryption either; you should have a choice as to where data is held. You may well be happy about data being held in a datacentre, that’s miles away from your office – or even in another country – but if you’re not, there’s precious little you can do about it.

What you need is a system that allows you to ensure that your data is stored in complete privacy. One that allows complete freedom to hold your data where you want it; one that makes sure that you’re never out of control that enables you to share documents, while staying secure.

The market for these products has become known as private enterprise file sharing and synchronisation (EFSS). They’re so named as they allow employees to share files across a whole range of devices while ensuring that everything – data, metadata, encryption keys, user authentication – is driven through a customer’s own firewalls and VPNs – whether cloud-based or on-premise – and not a third party provider’s. 

Benefits for regulated regimes

Private EFSS systems provide real benefits for any organisation operating within strict regulatory environments – think government organisations and Fortune 2000 companies – where there must exist strong controls on who can see what information, and, just as importantly, where properly implemented audit trails is paramount.

These organisations can leverage their choice of private cloud storage infrastructure, either through an on-premises object storage system or via a virtual private cloud (VPC) that’s hosted by a cloud storage infrastructure provider like Amazon Web Services, Microsoft, et al.

IT administrators manage file access through policies – setting out who can share files with whom so that enterprises can ensure the relevant people talk to each other.

Private EFSS is also a system that can work particularly well with remote users, such as those in branch offices, who would like to use cloud services but can feel themselves constrained by the lack of reliable network connections. By definition, remote offices can be in areas where fast WAN connections are not prevalent and, as a result, they need to deploy their own file servers.

When you’re running an environment where users are deploying cloud apps but are still relying on local servers, there’s a bit of a headache for systems administrators: the question is how to handle this issue. The best way is a system that allows the customer to ensure unified file access across office file servers, endpoints, and the cloud, meaning there’s no need to create separate file management silos across multiple platforms like Sharepoint or Dropbox. All the while, you’re preserving users’ established ways of working, with files equally accessible locally and in the cloud.

But the real effect is seen when security is considered. It’s taken as given that all organisations have security as a high priority but there are some sectors where security is absolutely vital to the way that organisations run. Two of these are the financial arena and the defence sector; security is the life blood of these institutions, so they have been particularly wary of implementing cloud solutions.

Improved flexibility

However, many organisations in these spaces still want to turn to cloud deployments to improve flexibility. Spanish bank Santander is one of the companies that looked to implement cloud to drive more productivity, while, at the same time, ensuring the highest level of security. The company needed a highly-scalable EFSS offering that would provide that security. While wanting the flexibility of cloud, the company wanted to ensure maximum security; to this end, Santander implemented a solution that sat behind the organisational firewall, offering the customer a variety of security controls.

But it’s not just about financial institutions. There are probably fewer tougher customers when it comes to security than defence organisations. The US’s Defense Information Systems Agency, DISA, has moved to cloud to improve its flexibility and reduce its costs but most importantly it has deployed private EFSS to maintain complete control of its data within the firewall.

Santander and DISA are just two organisations that have decided that the many advantages of a cloud-based approach mean that it’s become an essential way of working. And they both can demonstrate that deploying cloud doesn’t mean sacrificing security – all businesses want to be seen as safe, as well as agile.

Max Cooter, Freelance tech journalist
Image Credit: TZIDO SUN / Shutterstock