Some see the reliance on the public cloud as the Achilles’ heel of enterprise file sync and share (EFSS). While EFSS products are more robust than their consumer-grade counterparts, their use of the cloud does add a number of concerns that IT should address. Some of those concerns include security, data management and vendor lock-in.
The Cloud Security Problem
The biggest concern that most people are worried about when they talk about the public cloud is security. Not all EFSS products are created the same when it comes to security and that is the real problem. Some public cloud vendors adopt very strong security practices that are equivalent to those found in corporate IT departments; some do not. This is why a recent Wilson Research Group survey found IT personnel considering an EFSS preferred owning and controlling their own files to surrendering them to a cloud service, by a ratio of 7:1.
A lot of cloud security concerns center around how an individual user is authenticated. Many systems use simple password authentication, and some store and transmit the password in clear text. (If the app is able to send you your current password if you forget it, then they are storing it in plain text.) Other companies store the password encrypted, but it is not “salted” with random data in order to make it significantly harder to decrypt using brute force techniques.
Even if a cloud product supports two-factor authentication, it might be easy to get around the second factor. The most common second factor is an SMS message, which is better than nothing, but it’s easily intercepted and faked. A Wired article discussed hackers using social engineering attacks can easily hijack an SMS message, and more sophisticated attacks can simply grab it in transit. Another issue with two-factor authentication is many systems only use the second system if a boundary is crossed, such as logging in on a new system. If someone gains access to an already connected system, they will not trigger a two-factor request and can do significant damage.
The biggest risk with only requiring the second factor on new devices are devices that have already been authenticated to a given sync directory, but have now been lost or stolen. Sophisticated corporate espionage attacks know what kind of EFSS the organization is using, and know that all they have to do is steal the right laptop and they can access the organization’s data. IT should carefully inspect EFSS solutions to see how easy it is to revoke a device’s access to data within the EFSS system or architecture.
The Data Residency Problem
Another security-related concern is data residency. In order to safeguard the privacy of its citizens, the European Court of Justice struck down the 15 year old “safe harbor” agreement with the U.S.. This forces Europeans to store their files on cloud servers located in Europe, under European jurisdiction and European law.
Many companies and countries have policies or laws that dictate data of a certain type remain within the borders of a given country or region. The U.S., Australia, Hong Kong, Canada, Germany, Italy, Luxembourg, Mexico, the Netherlands, Singapore, Switzerland and the U.K. regulate data residency for some types of information such as government files and healthcare records. In addition, many professional associations such as law, accounting, finance, mortgage brokers and banking have professional standards for their members that include data residency requirements to govern the use of cloud service providers and to keep information within a defined geographic jurisdiction. The reason is simple. They do not want personal and confidential files to come under the jurisdiction of a foreign power.
Cloud storage holds a treasure trove of information from many users and organizations and is a high value target for both hackers and national security agencies. According to a study from Skyhigh of 18 million users, 21% of files uploaded to cloud providers contain confidential information such as personally identifiable information (PII), protected health information (PHI), payment card data, or intellectual property. Knowingly or not, 34% of users have uploaded sensitive data to the cloud.
Unfortunately, many public cloud providers are leveraging data centers all over the world for cost and latency reasons. Data residency concerns can become quite problematic. True, organizations can deal with data residency contractually, but it also must be policed on a continuing basis to make sure the data is never stored outside the boundaries specified by a given customer – and ensuring that data is meeting this standard can actually be quite difficult from a customer viewpoint. All the confusion of exactly where data is at any given moment in time is probably another reason why administrators prefer owning personal data to storing it in the cloud.
Legal Jurisdiction Issues
Even if you comply with data residency, you may still have cloud security issues when protecting your confidential files from foreign jurisdictions. If the cloud provider is a U.S. company, it can be served with a U.S. search warrant for content it has in its possession regardless of where that content is located. This principle applies not just to the U.S, but to all nations and all jurisdictions. The lesson is this – when you store data in the cloud, even if the files are stored on servers located in your own country, they may still be under the jurisdiction of a foreign power.
Secret Access by Law Enforcement
What about law enforcement trying to access your data? With remote storage, you may not know that the provider was served a subpoena, warrant or security order. In fact, the provider may be prohibited by law from telling you.
Although nearly every provider’s terms read differently, one thing remains the same. They all tell you explicitly they must and will comply with legal requirements from governments, security agencies and law enforcement (to secretly access your files) and are not responsible for any loss you experience.
The Cloud Transfer Problem
Another challenge with the public cloud is that it is on the other side of an Internet connection. While large transfers tend to slow down once a company is completely online with an EFSS system, problems arise when the company adds new devices to the network, or existing devices must be resynced. A significant amount of data will need to be synced to the cloud or from the cloud in order to bring that device into the fold, and that amount of traffic can create quite a load on the Internet connection.
Another transfer concern about the public cloud is once all of the organization’s data is synced up to the cloud – and that may take a significant amount of time – changing cloud providers can become quite problematic. If the organization wants to change cloud providers, an entire re-sync of all content is required. But the path from one cloud vendor to another cloud vendor can actually be quite difficult, because vendors simply don’t want to make it easy. In most cases, IT has to download all the data back into the data center and then send it back to the new cloud provider. The result? Organizations don’t change providers.
The Attack Surface
A final concern of having sensitive data stored in the cloud is it gives hackers another place from which to grab sensitive data. EFSS providers create multiple copies stored in multiple locations of the information they hold.
It goes without saying, that if the available attack surface is minimized, the ability for an adversary to successfully breach through an organization’s defenses becomes more difficult. At the same time, an organization can manage a smaller environment better than a large and complex one. Overall, this translates to a lower risk posture.
The Chain of Custody Problem
Finally, what about chain of custody questions? Consider, for example, the Target hack of customer data that was initiated by someone who stole credentials from one of its vendors. EFSS data should be tracked and audit logs should be available centrally for forensic examination at a later date. Unfortunately, many EFSS vendors do not provide any of these tracking or auditing features.
Some file sync and share products are starting to examine this reliance on public cloud. If they can offer you the advantages of EFSS without the disadvantages of the public cloud, they might offer a real alternative to the status quo. Leveraging devices (e.g. SAN, NAS, desktops, laptops) that are already in place and behind the organization’s firewall, versus cloud or EFSS solutions solves many of the problems mentioned above, especially those revolving around the security, as well as the performance and bandwidth issues of synchronizing large amounts of data to some third parties.
Sponsored by Qnext
Qnext Corp. is a global developer of disruptive apps and private cloud technologies committed to simplifying and protecting your digital life through innovation, imagination and state-of-the-art software.
Their solution, FileFlex was created in response to users need for accessible data but is better than the traditional enterprise file sync and share solution. It virtualizes file access to ALL the company’s disparate storage infrastructure and devices. This enables any server, notebook, desktop, SAN, NAS, public, private or virtual private cloud to be available anytime, anywhere through a secure and private network and single dashboard. The file access virtualization technology behind FileFlex essentially takes the company owned infrastructure and turns it, in its entirety, into a private cloud.