Securing data in the cloud
The common misconception is that data stored in the cloud is secure if the system uses SSL/TLS and the website address starts with https://.
The padlock means that the site has a digital certificate and that data sent between the client and the server will be encrypted. It does not mean that any data stored on the site is encrypted or protected. If you use one of the many cloud storage systems such as Office 365 or Dropbox, what does this mean for you? That depends on what type of data you are storing in the cloud.
What does this all mean?
Well, if someone were to capture the data flowing between you and the datacentre that houses the storage solution you are using, the encryption would make it very hard for them to reconstruct the data into anything meaningful.
What is the Catch?
The scenario above is unlikely to happen to most companies, because you would need to be the target of a focussed attack. What is more likely is that your credentials will be stolen, the attacker will gain access to your account, and all your data will be available to them over a secure connection. At that point it won’t matter that your data is encrypted in transit, as it will be readable to whoever logs in as you.
What should you consider?
There is really only one option for highly sensitive data, and that is to encrypt the data within the files, so that the files themselves require a separate key to read them even if your account is compromised.
Password Protection of Files
There are a number of ways this could be done. At a basic level you could password-protect all your files; this is easy for some file types such as Word or Excel. Earlier versions of Office used encryption methods that could be easily broken, but newer versions such as Office 2016 use 256-bit AES encryption, which is considered secure. This is fine if you have just a few files, but it is not practical and would be really time-consuming for folders with thousands of files.
This method really doesn’t scale well and has some inherent weaknesses when you try to use it with a team, including the distribution of the password; this is often where the password gets lost or shared with others.
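The two points above (a file is only protected if reading it needs a key the account does not hold, and that key must not be a shared password that gets passed around) can be seen in a small client-side encryption routine. This is an added example written for this page, not CloudAshur's or Office's code: it assumes the key is a random 256-bit value held on the client (in the hardware-module model, on the token) and uses AES-256-GCM from Go's standard library, so the uploaded blob is unreadable to anyone who only has the account login, and a wrong key or a modified blob fails the integrity check rather than decrypting to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey generates a random 256-bit key. In the hardware-module model this key
// lives on the token and is never stored with the cloud account.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// EncryptForCloud encrypts a file's contents under the client-held key. The
// blob returned is what gets uploaded: nonce || ciphertext || GCM tag.
func EncryptForCloud(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptFromCloud reverses EncryptForCloud. A wrong key, or any change to the
// stored blob, fails the GCM tag check instead of returning garbage.
func DecryptFromCloud(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// PlaintextExposed reports whether the stored blob still contains the file's
// bytes, i.e. what someone who only has the account login could read.
func PlaintextExposed(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, _ := NewKey()
	// Constructed sample file contents.
	file := []byte("constructed sample: payroll-2024.xlsx contents")
	blob, _ := EncryptForCloud(key, file)
	fmt.Println("plaintext visible in stored blob:", PlaintextExposed(blob, file))
	if _, err := DecryptFromCloud(make([]byte, 32), blob); err != nil {
		fmt.Println("decrypt without the module's key:", err)
	}
	back, _ := DecryptFromCloud(key, blob)
	fmt.Println("decrypt with the key:", string(back))
}
```

The design point is where the key lives: the cloud account only ever holds the blob, so a stolen login yields ciphertext, and because GCM authenticates the data, a tampered blob is rejected rather than silently decrypted. Distributing keys per team member (rather than one shared password) is the management problem the rest of this page is about.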
What’s the Solution?
The CloudAshur solution we are starting to use allows the user to encrypt selected files and folders. The encryption chip inside the USB stick would normally encrypt the data stored on the stick itself, but in this novel approach the encryption chip is used to encrypt files stored in other systems.
The system uses military-grade encryption, which is more than enough for most companies. The AES-XTS or AES-ECB 256-bit hardware encryption, with a FIPS PUB 197 certified USB 3.0 encryption controller, is extremely secure.
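Of the two modes listed, the caveat a practitioner would want is that the mode matters as much as the key length: AES-ECB encrypts each 16-byte block independently, so repeated plaintext blocks produce repeated ciphertext blocks and a file's structure can show through, whereas AES-XTS varies every block with a tweak. The added example below (written for this page, not vendor code) makes that visible by counting distinct ciphertext blocks for a repetitive constructed file; it uses CTR mode as the stand-in for a per-block-varying mode because Go's standard library does not include XTS.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// EncryptECB encrypts each 16-byte block independently, with no tweak, chaining
// or counter. Identical plaintext blocks therefore give identical ciphertext blocks.
func EncryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// EncryptCTR varies every block with a random IV plus a running counter, so a
// repeated plaintext block encrypts differently each time. XTS achieves the
// same per-block variation with a tweak; CTR stands in for it here.
func EncryptCTR(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, block.BlockSize())
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return append(iv, out...), nil // IV is prepended so the receiver can decrypt
}

// DistinctBlocks counts the different 16-byte blocks in a ciphertext. For
// repetitive input, a count far below the number of blocks means the
// plaintext's structure is visible in the ciphertext.
func DistinctBlocks(ct []byte) int {
	seen := map[[aes.BlockSize]byte]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		var b [aes.BlockSize]byte
		copy(b[:], ct[i:i+aes.BlockSize])
		seen[b] = true
	}
	return len(seen)
}

// CompareModes encrypts the same plaintext both ways and returns the number of
// distinct ciphertext blocks for ECB and for CTR (IV excluded).
func CompareModes(key, plaintext []byte) (ecbDistinct, ctrDistinct int, err error) {
	ecb, err := EncryptECB(key, plaintext)
	if err != nil {
		return 0, 0, err
	}
	ctr, err := EncryptCTR(key, plaintext)
	if err != nil {
		return 0, 0, err
	}
	return DistinctBlocks(ecb), DistinctBlocks(ctr[aes.BlockSize:]), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed fixed key, AES-256
	// Constructed sample: a file made of one 16-byte record repeated 8 times,
	// like a form with many identical fields.
	plaintext := bytes.Repeat([]byte("0123456789ABCDEF"), 8)
	e, c, err := CompareModes(key, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext blocks: ECB distinct=%d, CTR distinct=%d\n",
		len(plaintext)/aes.BlockSize, e, c)
}
```

With the constructed input, ECB collapses eight identical blocks into one repeated ciphertext block, while the per-block-varying mode yields eight different ones. Where a device offers both, the tweaked mode (XTS) is the one to configure.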
What are the key advantages of this solution?
- You can create multiple keys for your team members with access rights to control who can access the data.
- Lost keys can be disabled remotely (remote kill) in the event of suspicious activity or an employee leaving the organisation without returning their encryption module.
- The type of files being uploaded and shared in the cloud (EXE, PNG, PDF, etc.) can be controlled. There is full visibility of what each user is doing in the cloud, such as which files they are uploading, downloading, modifying, etc.
- You can view the location of users’ encryption modules on an on-screen map. I do have some concerns over the privacy of this, but with the right care and controls it is a useful option.
- The use of each individual user’s cloudAshur encryption module can be restricted by time and location; this is known as geo-fencing and time-fencing.
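The controls in the list above (per-user keys with access rights, remote kill, file-type restriction, audit visibility, geo-fencing and time-fencing) compose into one authorisation decision per operation. The following is an added model of how such a policy gate can be structured, written for this page and not CloudAshur's implementation; the Policy and Request fields, the fence semantics (hour range, region code) and the sample requests are all assumptions. It checks revocation first, so a killed module is refused before anything else is considered, and records every decision, denials included, since the denied attempts are what an administrator most wants to see.

```go
package main

import (
	"fmt"
	"path"
	"strings"
	"time"
)

// Policy models the controls applied to one user's encryption module.
type Policy struct {
	Revoked        bool            // set by a remote kill
	AllowedExt     map[string]bool // e.g. ".pdf": true; empty means no restriction
	AllowedRegions map[string]bool // geo-fence by region code; empty means no restriction
	StartHour      int             // time-fence start, inclusive (hour of r.At)
	EndHour        int             // time-fence end, exclusive
}

// Request is one attempted cloud operation using the module.
type Request struct {
	User, Action, File, Region string
	At                         time.Time
}

// AuditEntry is the record the administrator's visibility view is built from.
type AuditEntry struct {
	User, Action, File, Region, Decision, Reason string
	At                                           time.Time
}

// Authorize applies revocation, then file type, then the geo- and time-fences,
// appending the outcome to the audit trail on every path.
func Authorize(p Policy, r Request, audit *[]AuditEntry) (bool, string) {
	decide := func(ok bool, reason string) (bool, string) {
		d := "deny"
		if ok {
			d = "allow"
		}
		*audit = append(*audit, AuditEntry{r.User, r.Action, r.File, r.Region, d, reason, r.At})
		return ok, reason
	}
	if p.Revoked {
		return decide(false, "module revoked (remote kill)")
	}
	ext := strings.ToLower(path.Ext(r.File))
	if len(p.AllowedExt) > 0 && !p.AllowedExt[ext] {
		return decide(false, "file type "+ext+" not permitted")
	}
	if len(p.AllowedRegions) > 0 && !p.AllowedRegions[r.Region] {
		return decide(false, "outside geo-fence: "+r.Region)
	}
	if h := r.At.Hour(); h < p.StartHour || h >= p.EndHour {
		return decide(false, fmt.Sprintf("outside time-fence: %02d:00", h))
	}
	return decide(true, "within policy")
}

func main() {
	// Constructed policy: office documents only, UK only, 08:00-18:00.
	p := Policy{
		AllowedExt:     map[string]bool{".pdf": true, ".docx": true},
		AllowedRegions: map[string]bool{"GB": true},
		StartHour:      8,
		EndHour:        18,
	}
	day := time.Date(2024, 1, 15, 10, 0, 0, 0, time.UTC)
	reqs := []Request{ // constructed sample requests
		{"alice", "upload", "report.pdf", "GB", day},
		{"alice", "upload", "tool.exe", "GB", day},
		{"alice", "download", "report.pdf", "US", day},
		{"alice", "download", "report.pdf", "GB", day.Add(12 * time.Hour)},
	}
	var audit []AuditEntry
	for _, r := range reqs {
		ok, why := Authorize(p, r, &audit)
		fmt.Printf("%-8s %-12s %s -> allow=%v (%s)\n", r.Action, r.File, r.Region, ok, why)
	}
	fmt.Println("audit entries recorded:", len(audit))
}
```

The ordering is the design choice worth keeping in a real deployment: a revoked module never reaches the fence checks, and nothing is decided without an audit entry, so the "full visibility" in the list is a property of the gate itself rather than a separate logging feature.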
Next Steps
If you are in a situation where you need to protect data in the cloud, then please contact us and we can look at your requirements and advise on the best way of protecting your data.