By Rahul Sharma @rashrtwit and Babu Srinivasan
There has been recent news and discussion about companies ramping up encryption and security controls to protect corporate and personal data from prying eyes, spying, hacking and interception (see the links at the end of the article). Enterprises, users and service providers (Google, Microsoft, Facebook, Yahoo, Twitter) are rightly enraged that both consumer and corporate data is at risk and being compromised. Microsoft has even likened the recent security incidents to an “earthquake in the tech sector”. Tech companies and enterprises are now looking at ways to ramp up information security.
For enterprises, corporate digital information is business critical, and with the increased threat perception they are looking for ways to secure and protect it. Adding to their concerns, mobility and the growing adoption of cloud compute and storage have widened the set of threat vectors even further. Enterprises are also trying to determine whether storing corporate documents on cloud services (Box, Office365, Google Drive) is secure, and whether they should allow BYOD devices to access corporate information and data. The intersection of these trends (increased security incidents, cloud, mobility) has created real business challenges for enterprises.
We, at Averail, are in the business of securing information for our enterprise customers and users. To keep information protected from security threats, we recommend that enterprises put the following security controls and mechanisms in place:
Retain control of your data and documents: As employees, customers and partners access, share and collaborate on information, enterprises must put in place security policies and mechanisms to control, audit and track information items and documents. Such policies and controls must specify who, in what context and where (role, location, business process, workflow), using which device and application, is authorized to access and share a sensitive document. These controls must protect and track a document throughout its lifecycle and restrict or disallow duplication. At any time, an information owner should be able to audit the actions taken on a document, determine who holds copies of it, and wipe those copies or revoke access.
Decide where content is stored based on the security classification of the information. This includes the decision whether business documents may be stored on consumer or enterprise-grade cloud storage. Consumer cloud storage has become ubiquitous across users and devices; almost every mobile user can reach these services and use them to store and sync both personal and business content. Some of these consumer repositories continue to have security issues, and many are not enterprise-grade in terms of security because their focus is consumer usability and productivity. Because these services hold the content in their own cloud storage, the threats to data in transit and data at rest, together with residency, privacy and unauthorized-access concerns, all apply to any business content stored there. So as an enterprise, you must understand the classification of your information assets. If documents are meant to be shared publicly with customers and partners, cloud repositories are a good medium. For confidential and sensitive documents tied into existing business processes and workflows, keeping the documents secure and associated with their original enterprise-grade source repository (whether on-premise or cloud) is recommended.
Keep documents associated with their source: Documents must not be dissociated from their system of record and original source. This also applies to enterprise sync-and-share solutions that copy documents to a sync server or hub for further synchronization with endpoints on devices. Any time a document is duplicated to another local or cloud repository, that copy is a new vector for information leakage and the enterprise can lose control of the document.
Encrypt data at rest and in transit: Corporate documents need to be encrypted both at rest and in transit as they are shared and collaborated on. Such encryption must be end-to-end: a document must never be in the clear on any untrusted storage or across any communication protocol or traffic path. It must use cryptographically strong keys (RSA 2048-bit keys for all certificates, AES-256 for bulk encryption) and ideally meet FIPS 140-2 requirements for both at-rest and in-transit protection. Perfect Forward Secrecy (PFS) must be required. PFS provides additional security by separating authentication from key exchange: the RSA certificate is used only to authenticate the server, and an ephemeral Diffie-Hellman exchange (DHE or ECDHE) produces the session key. PFS does not prevent an active man-in-the-middle attack by someone who holds the RSA private key, since that person can still impersonate the server; the “forward” in PFS means that previously recorded SSL/TLS traffic cannot be decrypted later even if the RSA private key is obtained. The Diffie-Hellman keys are ephemeral, used for the duration of the session and then discarded. Two caveats for practitioners: the property only holds if the server really does generate a fresh ephemeral key per session rather than caching one, and, where TLS session tickets are used, the key that encrypts the tickets must itself be rotated regularly, because a long-lived ticket key can be used to recover session keys from recorded traffic.
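As an added example (not code from the article or from Averail), the following Go program turns “require forward secrecy” into a configuration check. It mints a throw-away RSA-2048 server certificate, pins TLS 1.2 so the cipher-suite choice is visible, and runs the handshake over an in-memory pipe: once with a server that offers only ECDHE suites against a client using Go's defaults, and once with a server that offers only RSA key transport against a client that refuses anything without an ephemeral exchange. The hostname and the suite lists are assumptions for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"strings"
	"time"
)

// ForwardSecretSuites is the TLS 1.2 allow-list to deploy: each suite does an
// ephemeral ECDH exchange, so the RSA certificate key only signs the handshake.
var ForwardSecretSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}

// RSAKeyTransportSuites is the pre-PFS alternative: the client encrypts the
// premaster secret to the server's RSA key, so whoever later obtains that
// private key can decrypt every recorded session.
var RSAKeyTransportSuites = []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256}

// selfSignedCert mints a throw-away RSA-2048 server certificate for the demo
// (production uses a CA-issued one); failures here are fatal, hence panic.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// Negotiate runs one TLS 1.2 handshake over an in-memory pipe with the given
// server and client suite lists (nil = Go's defaults) and returns the
// negotiated suite name. Version is pinned to 1.2 so the suite choice is
// visible; TLS 1.3 removed non-forward-secret key exchange altogether.
func Negotiate(serverSuites, clientSuites []uint16) (string, error) {
	const host = "docs.example.internal" // assumed name, not from the article
	cert, leaf := selfSignedCert(host)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		CipherSuites: serverSuites,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}
	cliCfg := &tls.Config{
		RootCAs:      pool,
		ServerName:   host,
		CipherSuites: clientSuites,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(s, srvCfg).Handshake() }()
	cli := tls.Client(c, cliCfg)
	if err := cli.Handshake(); err != nil {
		return "", err // a suite mismatch surfaces here as a handshake-failure alert
	}
	if err := <-srvErr; err != nil {
		return "", err
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

// IsForwardSecret reports whether a TLS 1.2 suite name used an ephemeral
// (ECDHE or DHE) key exchange.
func IsForwardSecret(suite string) bool {
	return strings.HasPrefix(suite, "TLS_ECDHE_") || strings.HasPrefix(suite, "TLS_DHE_")
}
```

`Negotiate(ForwardSecretSuites, nil)` returns an `TLS_ECDHE_RSA_...` suite, while `Negotiate(RSAKeyTransportSuites, ForwardSecretSuites)` fails the handshake: a client that insists on forward secrecy simply cannot talk to a server that only offers RSA key transport, which is the behaviour to verify in production rather than trusting a checkbox. Under TLS 1.3 the distinction disappears because every key exchange is ephemeral, one more reason to raise `MinVersion` once clients allow it.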
Manage and control your encryption keys: Most cloud-based repositories and cloud-hosted enterprise content management systems either keep content unencrypted or encrypt it with keys owned by the service provider rather than by the content owner. The usual rationale is that the provider needs access to the plaintext for search indexing, performance and de-duplication. Whenever content is encrypted, the big question is who controls the lifecycle of the encryption keys and, in split-key schemes, the master keys. Enterprises must retain ownership of their content and encryption keys across these repositories, require business-sensitive content to be encrypted, and have fine-grained control over key revocation and rotation. The same control over encryption keys should apply to mobile applications (targeted at access to business content) that cache, store and encrypt business documents as users access, view or edit them.
Averail provides a solution that applies the above security controls and mechanisms to secure business information and documents for enterprise customers.
Rather than creating yet another cloud-based content management system, we started from a fundamental tenet: Averail must secure, enforce policies on, control and track content throughout the lifecycle of access, sharing and collaboration; from any device and any source or repository (on-premise or cloud); without duplicating the document or dissociating it from its origin and system of record. This lets enterprises retain control of their content and choose where it is stored based on its security classification.
In line with the goal of securing documents across any repository, Averail enables secure access to documents across on-premise SharePoint, Box, Office365, Dropbox, SalesForce, network/shared drives and any WebDAV storage. Averail Quick Connect provides an end-to-end secure tunnel for documents in transit as they are accessed from smartphones and tablets against on-premise information sources. While the Averail Cloud service manages and enforces policies and controls on content (and so acts as a content control and policy management plane), content and documents are never duplicated or copied to the Averail cloud service from their original source repository. This is unlike cloud repositories and hybrid/on-premise sync-and-share solutions that duplicate or migrate the document to the cloud and thereby break its association with its origin and with the policies, permissions and business processes attached there. The Averail Access application acts as a secure content container that enforces policies and document controls, manages document encryption and key management, and supports remote content management queries and commands (selective content wipe, application deactivation or block, etc.). An admin or information owner can use the Averail admin console to define and manage user-, device- and document-level policies for access and sharing of content; provision and manage users and content sites; publish content to users and keep it updated with associated notifications; control access to a subset of repositories; and audit, trace and remotely manage content on mobile devices.
Averail also enables enterprises to encrypt documents stored on Dropbox and other cloud repositories while retaining control over the storage and management (generation, revocation) of the encryption keys. So if such a cloud repository is compromised, the risk is mitigated: first, the content is encrypted, and second, the compromise does not expose the encryption keys, because they are held and controlled by the enterprise rather than by the cloud service.
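The key-management requirement above (“Manage and control your encryption keys”) and the Dropbox scenario in this paragraph describe the same mechanism: envelope encryption with customer-held master keys. The following Go program is an added example of that mechanism, not Averail's code or API. Each document is encrypted under its own random AES-256-GCM data key (DEK); the DEK is wrapped under a versioned enterprise master key (KEK) held by a hypothetical `KeyService` standing in for an HSM or KMS; the cloud repository only ever stores the envelope (ciphertext plus wrapped DEK). Rotation mints a new KEK version and rewraps existing envelopes without touching the document bodies; revocation deletes a version, after which every envelope still wrapped under it is unrecoverable, which is exactly the control the text asks the enterprise to keep. Names, ids and the sample document are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is all the cloud repository holds: body under a per-document DEK, DEK under the enterprise KEK.
type Envelope struct {
	KEKID      string // master key version that wrapped the DEK
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Body       []byte // AES-256-GCM(DEK, document), nonce prepended
}

// KeyService stands in for an enterprise-controlled key manager (HSM/KMS); hypothetical API.
type KeyService struct {
	keks    map[string][]byte // live master keys by version id; revoked ones are deleted
	current string
	version int
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only reachable on a broken CSPRNG or a wrong key length
	}
	return v
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal and unseal use AES-256-GCM with a fresh random nonce prepended to the ciphertext.
func seal(key, plaintext, aad []byte) []byte {
	aead := newGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead := newGCM(key)
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Rotate adds a new master key version and makes it current; older versions stay usable until revoked.
func (ks *KeyService) Rotate() string {
	if ks.keks == nil {
		ks.keks = map[string][]byte{}
	}
	ks.version++
	ks.current = fmt.Sprintf("kek-v%d", ks.version)
	ks.keks[ks.current] = randomBytes(32)
	return ks.current
}

// Revoke destroys a version: anything still wrapped under it is unrecoverable. Rotate first if id is current.
func (ks *KeyService) Revoke(id string) { delete(ks.keks, id) }

// WrapDEK/UnwrapDEK are the only calls that reach the key service; document bodies never do.
// The version id is bound as AAD so a wrapped DEK cannot be re-labelled to another master key.
func (ks *KeyService) WrapDEK(dek []byte) (string, []byte) {
	return ks.current, seal(ks.keks[ks.current], dek, []byte(ks.current))
}
func (ks *KeyService) UnwrapDEK(id string, wrapped []byte) ([]byte, error) {
	kek, ok := ks.keks[id]
	if !ok {
		return nil, fmt.Errorf("master key %s is revoked or unknown", id)
	}
	return unseal(kek, wrapped, []byte(id))
}

// EncryptDocument runs on the client before upload: fresh 256-bit DEK per document, document id as AAD.
func EncryptDocument(ks *KeyService, docID string, plaintext []byte) *Envelope {
	dek := randomBytes(32)
	id, wrapped := ks.WrapDEK(dek)
	return &Envelope{KEKID: id, WrappedDEK: wrapped, Body: seal(dek, plaintext, []byte(docID))}
}
func DecryptDocument(ks *KeyService, docID string, env *Envelope) ([]byte, error) {
	dek, err := ks.UnwrapDEK(env.KEKID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, env.Body, []byte(docID))
}

// Rewrap moves an envelope onto the current master key without re-encrypting or re-uploading the body.
func Rewrap(ks *KeyService, env *Envelope) error {
	dek, err := ks.UnwrapDEK(env.KEKID, env.WrappedDEK)
	if err != nil {
		return err
	}
	env.KEKID, env.WrappedDEK = ks.WrapDEK(dek)
	return nil
}
```

The design point is the boundary: the repository sees only `Envelope` values, and the key service sees only 32-byte DEKs, never document bodies, so a compromise of the repository yields ciphertext and wrapped keys that are useless without the enterprise's KEK, and the enterprise can make any document permanently unreadable by revoking the KEK version it is wrapped under. Binding the document id and the key version as GCM associated data stops an attacker with write access to the repository from swapping envelopes between documents or re-labelling a wrapped key to a different version. A real deployment would keep the KEKs in an HSM or KMS and log every wrap and unwrap call as the audit trail the article asks for.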
In conclusion, as these information security threats increase, Averail can help business customers secure and protect their information. More about Averail on our website http://www.averail.com.
Microsoft, suspecting NSA spying, to ramp up efforts to encrypt its Internet traffic: http://www.washingtonpost.com/business/technology/microsoft-suspecting-nsa-spying-to-ramp-up-efforts-to-encrypt-its-internet-traffic/2013/11/26/44236b48-56a9-11e3-8304-caf30787c0a9_story_1.html
Forward secrecy at Twitter: https://blog.twitter.com/2013/forward-secrecy-at-twitter-0
Yahoo vows to encrypt all its users' personal data: http://news.yahoo.com/yahoo-vows-encrypt-users-personal-data-193109865.html
How does the NSA break SSL?: http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html
US tech companies call for more control on surveillance: http://www.chicagotribune.com/business/sns-rt-us-usa-security-surveillance-20131209,0,7050486.story