How Can IT Respond to Cloud File Sharing Threat?
Don't hate Dropbox. New approaches are evolving to help security teams deal with threats posed by cloud file sharing in the enterprise.
By Jieming Zhu
Cloud file sharing services such as Dropbox, Box, Google Drive and OneDrive are marginalizing IT departments. As infrastructure and apps move to the cloud, and employees increasingly use personal devices to access corporate data (BYOD), the traditional perimeter is crumbling. This situation is introducing new security risks and creating an environment in which IT departments are losing their relevance and control over data.
Furthermore, IT is cast in a bad light for attempting to block the use of services that employees want to use.
So what can IT do to turn the tide?
Adapt and Thrive
Just as IT professionals have reacted following every major computing inflection point since the mainframe was invented (minicomputers, client/server, PCs, the Internet, laptops), the answer is reinvention. IT must transition from being an infrastructure provider/manager to being a policy and audit strategist. Despite the fact that corporate IT infrastructure is gradually moving to the cloud, organizations must keep policy and audit controls in-house.
Creating policies and control objectives for cloud security is easy. Implementing, enforcing and proving they were enforced (auditing) is hard. It’s even harder to achieve this without slowing down business agility and impacting employee efficiency. Nevertheless, if IT wants to regain and even boost its relevance within the organization, it must find ways to apply controls in the cloud that enable, not block, cloud file sharing.
Another significant challenge that stands in the way of implementing control and audit for cloud sharing services is the Snowden effect, previously known as privileged user management. Unlike the relatively safe confines of the corporate data center, the cloud introduces a second set of IT administrators (those at the cloud service provider), who can potentially gain unauthorized access to confidential data if they control the encryption keys.
Is Encryption the Answer?
One of the primary tools in the IT toolbox for extending policy and audit from inside the perimeter to the cloud is encryption. The basic concept is simple. If data is encrypted, then in theory one need not worry about where the data is stored or moved. It also can be used to implement access controls independent of document container: Only those with the valid key material can access the data.
Relying on encryption however, introduces its own challenges. The most critical issue is the resulting lack of visibility. Once data is encrypted, it is effectively impossible to search, preview, archive and scan for data leakage or implement any other content-based control. Trying to work around the encryption by decrypting and re-encrypting is not scalable, and introduces obvious security risks. Despite these shortcomings, this method is commonly implemented by cloud providers.
The Evolution of Cryptography
To get around this problem, cryptography is evolving from basic encryption into something much more powerful that is based on federation, mediation and secure metadata. Let’s start with federation. Just as identity has become federated in the cloud (using SAML to leverage a corporate account to log into cloud services is a good example), key management is following suit. Using key federation, users can share content across organizations without relying on a single service provider or organization to handle the keys.
For example, if three organizations in France, Italy and the U.S. want to share data, federated key management eliminates the need for them to trust a cloud provider. They can even prevent one company’s IT department from abusing the keys to unlock content.
Federation simplifies the implementation of controls in the cloud because it greatly reduces the need for controls on and trust of service providers. These are always difficult to implement with any level of robustness.
Cutting Out the Middle Man
Mediation is another important cryptographic innovation, and involves a paradigm shift in architecture. In this model, the central cloud service provider serves only as a "mediator" to facilitate secure document collaboration, but does not have the necessary data access privileges or keys to actually decrypt files or access them in an unencrypted form.
Secure metadata is the third innovation. To get around the problem of implementing content-based policies on encrypted data, secure end-points extract the necessary metadata at the point of and prior to initial encryption. This could include keywords, versioning, access logging, etc. This metadata can be secured cryptographically and then accessed as needed to implement requirements such as eDiscovery, data leak prevention or archiving. Meanwhile the data itself can be pushed to the cloud or onto BYOD devices, encrypted end-to-end.
There’s no silver bullet to keeping IT relevant in the face of a disappearing perimeter. Because cloud file sharing cuts across so many functions and data sets compared to single purpose cloud apps, it is forcing the industry to find new ways to keep control and audit inside the network while enabling cloud adoption.
We can learn valuable lessons and clues from other infrastructure technologies, such as identity management, which is making a successful transition from the data center to the cloud. When done right, it is possible to enforce policy without impeding the adoption of new technologies.
About the author: Jieming Zhu is CEO for AlephCloud, a provider of cloud content privacy solutions.