File encryption technology has proved to be invaluable in preserving the confidentiality of sensitive files stored on servers, notebooks and removable media. But what happens to encrypted files when users want to move them to the cloud or collaborate via file-sharing services?
Simply taking a file and transferring it to the cloud introduces significant security challenges. File encryption in the cloud can be surprisingly complex; even more so if the organization doesn’t necessarily trust the cloud provider’s security measures. What follows are some tips for identifying and addressing issues involving encrypting cloud-based files to safeguard sensitive data.
1. Retain control of all encryption keys.
A cloud provider may offer file encryption services, but an organization that’s serious about file confidentiality should avoid these services. The primary reason for this is that provider-offered services typically require the organization to surrender control of its secret or private encryption keys to the cloud provider, which means that the cloud provider can decrypt the organization’s files at will, without the organization’s knowledge.
The issue of control over encryption keys becomes particularly important if the sensitive data is subject to compliance regulations such as the Health Insurance Portability and Accountability Act or the Sarbanes–Oxley Act. Such efforts may require the organization to retain control of its encryption keys, and granting a third party access to these keys could be a serious security or privacy violation.
2. Provide a file encryption solution for users.
When organizations find provider-offered file encryption solutions unacceptable, they typically deploy their own solution. Ideally, encryption and decryption activities should happen locally, not within the cloud, so the keys are never exposed to the cloud in the first place. This is a concern because of the possibility of leakage within the cloud, such as malware transferring sensitive information (including keys) to malicious external parties.
To avoid these risks, encrypt files locally, then transfer to the cloud for storage. When the file is needed, the local file encryption solution transfers it back from the cloud to local storage before decrypting it. Many local file encryption solutions are specifically designed to be compatible with major cloud-based file-sharing services. Even better, these solutions work transparently, automatically protecting all files that users transfer to these services so that the organization doesn’t have to rely on the users to manually encrypt files before transferring them.
3. Enable secure collaboration for users.
By default, a local file encryption solution will protect each file so that only its “owner” can access it. Many encryption software packages also offer an option to encrypt files for access by multiple users.
The solution generates a shared secret key and provides that key only to the appropriate users. Ideally, the software can securely provision the key to internal users’ devices so the key is protected at all times. Then users can access the stored file in the cloud, transfer it to local storage, and then use the copy of the shared key to decrypt the local copy of the file. Updating a shared file is handled in a similar fashion. Making secure file sharing seamless will discourage users from sharing files through unsecured means.
To learn more about CDW cloud solutions, go to CDW.com/cloud.