The disappointing truth about data privacy and security

 

Cloud providers boast compliance with the highest security standards, including state-of-the-art physical protection of hosting facilities, electronic surveillance and ISO 27001 certifications, to name a few.

While such efforts may sound impressive, in reality they offer absolutely no defence to enterprises seeking a security model that cannot be owned, and provide no protection against government data requests, blind subpoenas and clandestine spying.

There are a number of examples of regulatory challenges facing enterprises that want to adopt cloud computing. The US Patriot Act stipulates that the US government may collect data from US-based cloud companies regardless of the data's physical location. As part of the PRISM programme, the NSA secretly collects internet communications from major US internet companies, including Google and Microsoft.

Many SaaS companies will tell businesses that it matters less where their data is physically located, and more where the encryption keys are managed. One way around data privacy and residency regulations is encrypting everything before sending it to the cloud, and keeping the encryption keys on-premises, while allowing the encrypted data to be stored at public cloud providers. This is sound advice.

Attempting to implement this idea, many public cloud file services have announced their support for enterprise key management (EKM) to push security-conscious, cloud-averse organisations to adopt the cloud by placing the encryption keys in the customer's hands.

While at first this may seem like a good approach to data security, it's neither sufficient nor comprehensive.

Since large portions of the enterprise file sync and share functionality – essentially everything except the key storage – are in the public cloud, businesses still need to trust that their service provider wasn't instructed by the government to install an auditing device to tap and record all of their data, metadata, encryption keys and user identities.

They also need to trust that their service provider won't impersonate their user accounts to access their data; generate links or collaboration shares to data on behalf of their users; or cache the keys that are used to encrypt their files.

Furthermore, EKM, whether cloud-based or on-premise, can only provide a post-mortem solution for preventing data from arriving in unwanted hands. What can businesses do about the data compromised between the time the security breach started and the time they received the notice and decided to retract access on their EKM server? And after doing so, their entire file service is now inaccessible to their corporate users.

Enterprise cloud file sync and sharing services need to provide controls that enable users to take proactive measures and adhere to secure file transfer standards to prevent sensitive corporate data loss or leakage.

After meeting data residency compliance and regulations, businesses should look for a number of other features when choosing their cloud file sync and sharing service, including ensuring that it is not compromising their corporate user identities.

User identities are subject to hacking and are compromised on a daily basis. The Identity Theft Resource Center (ITRC) reports over 348 identity theft breaches documented since January 2015 in government institutions, medical/healthcare organisations and credit card companies. Enterprises must protect their corporate user identities since loss of user identity is likely to result in loss of the user's corporate data.

They must also ensure it is not compromising their corporate metadata. Collecting evidence on the existence of data and its properties could pose as much of a threat as losing the data itself. Some cloud storage solution providers do not adhere to this strategy and keep all of their customers' metadata centralised in a public place, thus indirectly requesting enterprises to put their faith in them, which poses a significant risk to data confidentiality and integrity.

Organisations, needless to say, rely on data confidentiality to protect their intellectual property and maintain their competitive edge. On the other hand, cloud file sharing services, by their nature, were designed for two finger taps, fire-and-forget sharing, to increase user productivity.

Now, assuming all collaboration shares are created between internal corporate users, the problem is somewhat contained as data still resides inside corporate borders. But that's hardly the case these days.

Today, IT is required to satisfy external collaboration needs to accommodate outsourced projects and enable collaboration with external, private contractors and designers. The question then becomes: how would you ensure the confidentiality and integrity of data when it resides outside of your jurisdiction?

Bullet-proofing the enterprise

In this age of cyber threats and exponential data growth, organisations cannot afford to take the optimistic approach or put on blindfolds and pray that their company's sensitive information doesn't get compromised. Breaches are the new normal.

Privacy is not passive and reality shows that investments must be made in solutions that provide controls for applying both network and application security.

To ensure a complete, bullet-proof cloud file sync and sharing service, there are certain components organisations must own: their corporate user identities, metadata and encryption keys. In addition, they must control their corporate data residency, network countermeasures and internal and external sharing policies.

At all times, they need to ensure that they’re in the driver's seat, and that they didn't hand over their car keys along with their corporate data security and privacy to someone else.

Businesses should invest in a system that allows them to apply their corporate policies and integrate their corporate security countermeasure systems, while gaining continuous insight into their corporate users' usage patterns.

 

Sourced from Saimon Michelson, CTERA Networks

Ben Rossi