• No results found

Encrypting Business Files in the Cloud

N/A
N/A
Protected

Academic year: 2021

Share "Encrypting Business Files in the Cloud"

Copied!
9
0
0

Loading.... (view fulltext now)

Full text

(1)

Quick Guide for IT-Security and Data Privacy

Encrypting Business Files in the Cloud

Requirements for data security in the cloud

End to end encryption

(2)

1

Related Links

• On the Security of Cloud Storage Services, Fraunhofer-Institute, www.sit.fraunhofer.de

• Security Guidance for critical areas of Focus in Cloud Computing,

Cloud Security Alliance, www.cloudsecurityalliance.org • Guide: Properly planned

cloud-Solutions for exchanging business files www.ftapi.com/cloud

Data Security in the Cloud – A Review

When it comes to file or data exchange between corporations most business managers think of Dropbox or other cloud storage services. These services often establish themselves within a company, yet go unnoticed by IT departments responsible for data privacy.

Cloud services offer simple solutions that can easily be integrated, even without IT expertise or support from an IT administrator. This is especially true in those areas that lack internal solutions for secure file transfer.

Unbeknownst to those responsible, many of these cloud services become an informal feature in the company’s IT infrastructure. The necessary integration into existing IT-security concepts remains a grey area.

Free cloud storage services exacerbate the unchecked growth within an IT department’s responsibilities, which in turn could result in a loss of data ownership and an increase in risk to the security of sensitive business files. Conventional cloud storage services are limited within their capabilities as business world applications.

Cloud services are largely designed for personal use and are not subject to more advanced security

mechanisms and standards. Independent studies have confirmed these findings1.

A key concern in cloud storage is the lack of encryption during the file transfer and storage process. Items saved in the cloud are often stored in plain text and are therefore theoretically available to everyone.

Even if encryption mechanisms are in place, they often don’t ensure continuous security throughout the entire transfer process.

“… all data should be encrypted on the client system before the data is transmitted into the cloud using a key unknown to the service provider.” (Fraunhofer-Institut, 20121)

Source: flickr

ITaaS IaaS

(3)

2

(4)

3

Secure

File

Transfer

Encrypted Transfers Encrypted Storage Appropriate

Storage Location Safety Measures Tampering

Compliance & Traceability

Recipient Verification

Requirements for Data Security in the Cloud

Companies that exchange business files with clients and partners via cloud services should consider the following key safety points:

Encrypted Transfers – “Secure in Motion”

The files are protected throughout the entire transfer process. Beginning when the files are uploaded from the PC and ending when they are delivered to the recipient.

Encrypted Storage – “Secure at Rest“

In most cases, files are temporarily stored on a server, where they are then forwarded to a recipient or stand ready to be downloaded. Sensitive business files can be stored on a server for days or weeks at a time. Therefore, it is particularly important to provide a continuous encryption during this stage of the transfer process.

Appropriate Storage Location

In addition to the file encryption, the location where the files are stored is also crucial. Thus preventing third parties from tampering with or deleting temporarily stored files. Choosing an appropriate server location can also help avoid potential legal issues.

Tampering Safety Measures

A secure system in the cloud ensures the integrity of the delivered files by detecting tampering as well as identifying and labeling changes to files.

Compliance & Traceability

A secure system provides complete transparency and control of all transactions. The

transactions must be recorded in a transparent and traceable manner to ensure the company can retrace which employees sent and received which files. These records help provide reliable proof of a successful delivery.

Recipient Verification

It must be ensured that only the authorized recipient can download the delivered files. Thus, preventing the uncontrolled forwarding of download links or login information.

(5)
(6)

5 Human (Risk) Factor

In addition to the above mentioned technical safety factors, there is another crucial prerequisite for IT solutions pertaining to the security of file sharing with partners and customers: The employees’ opinion.

If the system is too complex or time-consuming for everyday work, then employees run the risk of returning to previous delivery methods at the cost of safety, nullifying any existing security

regulations.

Insecure APIs in the Cloud

Ensuring the security of the file transfers that go to and from the cloud service providers

significantly increases the amount of work IT managers must do, a point that most cloud service providers fail to mention. To prevent potential threats on the application level, the user must have detailed knowledge of APIs and the security features of the applications used on the cloud.

A large potential threat arises through web-based interfaces of cloud applications. […]

interfaces must be implemented in a technically safe fashion and must have an effective access control feature […]. (TeleTrusT, 20122)

Many cloud service providers offer built in "connectors“, that join applications to a cloud

environment. As it is, the quality of theses connectors remains unclear, suggesting that sensitive files should always be encrypted.

The Obligation: Encrypting Files

When cloud services claim that file exchanges are encrypted and thereby ensure a secure transfer, they are often only telling half the story.

Cloud storage services often implement a so called weak encryption, in which only the communication channels are encrypted. The files are then unencrypted and temporarily stored on a server. The files that are now visible in plain text may remain on the server for extended periods of time.

2 Secure use of cloud applications, TeleTrusT - Bundesverband eV IT Security 2012

(7)

6 While some providers advertise their own personal server encryptions and utilities the resulting increase in security is negligible. The possibility of decrypting the exchange during the transfer from sender to receiver remains. The solution lies in a continuous encryption.

Real end-to-end-encryption

A strong encryption is essential in creating a continuous and consistent security

architecture, in which the files remain encrypted throughout the transfer process. A systems’ underlying encryption technology is essential in adhering to the corresponding safety standards. Many encryption techniques that are currently in use are hopelessly

outdated and offer virtually no protection.

An AES-256 encryption with a 256 bit key length provides the best possible protection. However, AES-128 can still be viewed as a relatively safe alternative.

Password Encryption

In addition to encrypting the files, it is particularly important that the passwords be encrypted and logged as well.

It is recommended to use a SSL/TLS connection with minimum encryption strength of RSA-1024 to protect passwords that are being transferred to the server. RSA-2048 encryption provides significantly more protection, which can be achieved by the using HTTPS.

Passwords should never be stored on a server in plain text. Prior to anything else passwords should undergo a one-way encryption (hashing method). Once the passwords have been encrypted with the hashing method they can no longer be decrypted. Even the technical personnel (who have access to the password database) cannot decrypt the passwords, thereby making them unusable.

In order to make the password hashes resistant to dictionary and brute force attacks, it is crucial to treat the system with salt and key stretching methods. The storage of passwords is considered safe when password policies are combined with encryption policies. For example when a

password requires a minimum character length and a combination of character types.

Application Encryption Solution

Transmitting

passwords RSA-2048, HTTPS Storing

passwords

SHA-512,

salt and key-stretching method

(8)

7

The Program: Segmentation of Business Files

When fragmentation is used along with encryption, data security is enhanced: an adversary has to compromise x cloud nodes in order to retrieve x fragments of the file f, and then has to break the encryption mechanism being used. (Cloud Security Alliance, 20113)

Before being transferred the files are divided into any number of segments. The segments are then encrypted and stored in an unknown order on one or more servers throughout the cloud.

Only when the recipient downloads the segments are they reassembled into their original

format. This is extremely advantageous and ensures that your data is optimally protected; even if the server is stolen or individual segments are lost.

CONCLUSION:

• Free cloud storage services are not suitable for businesses, as they often lack the necessary security mechanisms.

• Server security offered by cloud service providers is often negligible, as the encryption is not continuous throughout the cloud.

• A strong encryption is essential in creating a continuous and consistent security architecture, in which the files remain encrypted throughout the transfer process. The same applies for passwords.

• The optimal protection for files in the cloud is the result of combining end to end encryption with the segmentation of all files.

(9)

8

Contact

Based in Munich, FTAPI Software GmbH develops and markets software systems for secure transfer and storage of business files. The product FTAPI® SecuTransfer is based on proprietary technology, the development of which was funded by the European Union and the Federal Ministry of Economics.

The company was founded in 2012 and is setting a new standard for safety and efficiency in relation to file sharing in the business world. In contrast to existing file transfer solutions, FTAPI provides a truly continuous (end to end) encryption for all files.

FTAPI® Software GmbH Stefan-George-Ring 24 81929 Munich, Germany www.ftapi.com/en

© 2014 - FTAPI Software GmbH

Features and specifications are subject to change. Unauthorized distribution or publication is prohibited.

Download the full version now at www.ftapi.com/downloads Free of charge

References

Related documents

In the twenty-five years of this statute, which was enacted in 1978 to cover foreign intelligence-gathering within the confines of the United States, no court

regulation of GHG emission sources. 34 This scope of litigation includes, for example, a claim to prevent or limit a legislative or agency decision to carry out,

Prereq or concur: Honors standing, and English 1110 or equiv, and course work in History at the 3000 level, or permission of instructor.. Repeatable to a maximum of 6

We represent approximately twenty companies, both crumb rubber producers and asphalt paving contractors, and our combined membership represents between 70% to 80% of

Correlations between Total Mini-SeRvE and its factors, existential well-being, (EWB), religious well-being, (RWB), and mental ill-being, (MIB) in service user dataset, Spearman’s

l Stage 1 – development of a library of short message service messages to support weight loss and weight loss maintenance, with personal and public involvement, that focused on diet

Acknowledging the lack of empirical research on design rights, our paper wishes to investigate the risk of piracy and the perceptions of the registered and unregistered design

„ Monitor by sampling per PDP-context session performance for throughput, delay, packet loss, error ratio, service response time and traffic profile. parameters by GGSN and