Encrypting Business Files in the Cloud

Transcription

1 Quick Guide for IT-Security and Data Privacy Encrypting Business Files in the Cloud Requirements for data security in the cloud End to end encryption Secure file transfers

2 Data Security in the Cloud A Review When it comes to file or data exchange between corporations most business managers think of Dropbox or other cloud storage services. These services often establish themselves within a company, yet go unnoticed by IT departments responsible for data privacy. ITaaS SaaS remains Source: flickr a grey area. IaaS PaaS Cloud services offer simple solutions that can easily be integrated, even without IT expertise or support from an IT administrator. This is especially true in those areas that lack internal solutions for secure file transfer. Unbeknownst to those responsible, many of these cloud services become an informal feature in the company s IT infrastructure. The necessary integration into existing IT-security concepts Free cloud storage services exacerbate the unchecked growth within an IT department s responsibilities, which in turn could result in a loss of data ownership and an increase in risk to the security of sensitive business files. Conventional cloud storage services are limited within their capabilities as business world applications. Cloud services are largely designed for personal use and are not subject to more advanced security mechanisms and standards. Independent studies have confirmed these findings 1. A key concern in cloud storage is the lack of encryption during the file transfer and storage process. Items saved in the cloud are often stored in plain text and are therefore theoretically available to everyone. Even if encryption mechanisms are in place, they often don t ensure continuous security throughout the entire transfer process. Related Links On the Security of Cloud Storage Services, Fraunhofer-Institute, Security Guidance for critical areas of Focus in Cloud Computing, Cloud Security Alliance, Guide: Properly planned cloud- Solutions for exchanging business files all data should be encrypted on the client system before the data is transmitted into the cloud using a key unknown to the service provider. (Fraunhofer-Institut, ) 1

3 1 Study: On the Security of Cloud Storage Services, Fraunhofer-Institute for secure information technology, May

4 Requirements for Data Security in the Cloud Companies that exchange business files with clients and partners via cloud services should consider the following key safety points: Appropriate Storage Location Tampering Safety Measures Encrypted Storage Compliance & Traceability Encrypted Transfers Secure File Transfer Recipient Verification Encrypted Transfers Secure in Motion The files are protected throughout the entire transfer process. Beginning when the files are uploaded from the PC and ending when they are delivered to the recipient. Encrypted Storage Secure at Rest In most cases, files are temporarily stored on a server, where they are then forwarded to a recipient or stand ready to be downloaded. Sensitive business files can be stored on a server for days or weeks at a time. Therefore, it is particularly important to provide a continuous encryption during this stage of the transfer process. Appropriate Storage Location In addition to the file encryption, the location where the files are stored is also crucial. Thus preventing third parties from tampering with or deleting temporarily stored files. Choosing an appropriate server location can also help avoid potential legal issues. Tampering Safety Measures A secure system in the cloud ensures the integrity of the delivered files by detecting tampering as well as identifying and labeling changes to files. Compliance & Traceability A secure system provides complete transparency and control of all transactions. The transactions must be recorded in a transparent and traceable manner to ensure the company can retrace which employees sent and received which files. These records help provide reliable proof of a successful delivery. Recipient Verification It must be ensured that only the authorized recipient can download the delivered files. Thus, preventing the uncontrolled forwarding of download links or login information. 3

5 4

6 Human (Risk) Factor In addition to the above mentioned technical safety factors, there is another crucial prerequisite for IT solutions pertaining to the security of file sharing with partners and customers: The employees opinion. If the system is too complex or time-consuming for everyday work, then employees run the risk of returning to previous delivery methods at the cost of safety, nullifying any existing security regulations. Source: Insecure APIs in the Cloud Ensuring the security of the file transfers that go to and from the cloud service providers significantly increases the amount of work IT managers must do, a point that most cloud service providers fail to mention. To prevent potential threats on the application level, the user must have detailed knowledge of APIs and the security features of the applications used on the cloud. A large potential threat arises through web-based interfaces of cloud applications. [ ] interfaces must be implemented in a technically safe fashion and must have an effective access control feature [ ]. (TeleTrusT, ) Many cloud service providers offer built in "connectors, that join applications to a cloud environment. As it is, the quality of theses connectors remains unclear, suggesting that sensitive files should always be encrypted. The Obligation: Encrypting Files When cloud services claim that file exchanges are encrypted and thereby ensure a secure transfer, they are often only telling half the story. Cloud storage services often implement a so called weak encryption, in which only the communication channels are encrypted. The files are then unencrypted and temporarily stored on a server. The files that are now visible in plain text may remain on the server for extended periods of time. 2 Secure use of cloud applications, TeleTrusT - Bundesverband ev IT Security

7 While some providers advertise their own personal server encryptions and utilities the resulting increase in security is negligible. The possibility of decrypting the exchange during the transfer from sender to receiver remains. The solution lies in a continuous encryption. Real end-to-end-encryption A strong encryption is essential in creating a continuous and consistent security architecture, in which the files remain encrypted throughout the transfer process. A systems underlying encryption technology is essential in adhering to the corresponding safety standards. Many encryption techniques that are currently in use are hopelessly outdated and offer virtually no protection. An AES-256 encryption with a 256 bit key length provides the best possible protection. However, AES-128 can still be viewed as a relatively safe alternative. Password Encryption In addition to encrypting the files, it is particularly important that the passwords be encrypted and logged as well. It is recommended to use a SSL/TLS connection with minimum encryption strength of RSA-1024 to protect passwords that are being transferred to the server. RSA-2048 encryption provides significantly more protection, which can be achieved by the using HTTPS. Application Transmitting passwords Storing passwords Encryption Solution RSA-2048, HTTPS SHA-512, salt and keystretching method Passwords should never be stored on a server in plain text. Prior to anything else passwords should undergo a one-way encryption (hashing method). Once the passwords have been encrypted with the hashing method they can no longer be decrypted. Even the technical personnel (who have access to the password database) cannot decrypt the passwords, thereby making them unusable. In order to make the password hashes resistant to dictionary and brute force attacks, it is crucial to treat the system with salt and key stretching methods. The storage of passwords is considered safe when password policies are combined with encryption policies. For example when a password requires a minimum character length and a combination of character types. 6

8 The Program: Segmentation of Business Files When fragmentation is used along with encryption, data security is enhanced: an adversary has to compromise x cloud nodes in order to retrieve x fragments of the file f, and then has to break the encryption mechanism being used. (Cloud Security Alliance, ) Before being transferred the files are divided into any number of segments. The segments are then encrypted and stored in an unknown order on one or more servers throughout the cloud. Only when the recipient downloads the segments are they reassembled into their original format. This is extremely advantageous and ensures that your data is optimally protected; even if the server is stolen or individual segments are lost. CONCLUSION: Free cloud storage services are not suitable for businesses, as they often lack the necessary security mechanisms. Server security offered by cloud service providers is often negligible, as the encryption is not continuous throughout the cloud. A strong encryption is essential in creating a continuous and consistent security architecture, in which the files remain encrypted throughout the transfer process. The same applies for passwords. The optimal protection for files in the cloud is the result of combining end to end encryption with the segmentation of all files. 7

9 Contact Based in Munich, FTAPI Software GmbH develops and markets software systems for secure transfer and storage of business files. The product FTAPI SecuTransfer is based on proprietary technology, the development of which was funded by the European Union and the Federal Ministry of Economics. The company was founded in 2012 and is setting a new standard for safety and efficiency in relation to file sharing in the business world. In contrast to existing file transfer solutions, FTAPI provides a truly continuous (end to end) encryption for all files. FTAPI Software GmbH Stefan-George-Ring Munich, Germany Download the full version now at Free of charge FTAPI Software GmbH Features and specifications are subject to change. Unauthorized distribution or publication is prohibited. 8