Users are employing these services, despite their fundamental security issues, to transfer data from enterprise servers to personal devices – often as ‘shadow IT’ outside the purview of the IT department. There are three immediate concerns. Fundamentally it can lead to a breach of compliance in both law and regulations if the data includes any personal information. Secondly, recent hacks, including those on Twitter and Facebook, demonstrate that cloud providers are not proof against hackers. And thirdly, if a user exfiltrates sensitive data to a synchronization and subsequently leaves the company, he retains access to that data.
Encryption is often seen as the solution to all of these problems – but it isn’t that simple for compliance. For example, if an encrypted file is stored in the cloud to enable collaboration, the location of the crypto keys becomes an issue. If the keys are also stored in the cloud, it is almost certainly not compliant with, for example, PCI. “Our system,” Pravin Kothuri, CEO and founder of CipherCloud, told Infosecurity when he announced CipherCloud for Box, “provides compliance for all of the major regulations – compliance is one of the major drivers for our products.” This is because the encryption happens on the user’s server and the keys remain under the user’s control.
Box was chosen as the first partner for CipherCloud simply because it has higher penetration into the enterprise that comprises CipherCloud’s primary market. “Dropbox,” said Kothari, “is still mainly SMB and consumer, but we will also support Dropbox in the future.”
“For Box,” he continued, “a document will first go through a DLP policy check. If that DLP reports a violation, depending on the policy, we will encrypt the document on the fly before it goes out. In this way sensitive documents can still be shared for collaboration, but without any worries about security or compliance.” The only requirement is that external partners or colleagues who wish to access the shared file must do so via the CipherCloud gateway, which can be on site or in the cloud, to get the keys. In this way the enterprise retains control over both the document and access to it. If an authorised user leaves the company, or if the storage server is compromised, the user can simply revoke access to the gateway and make the encrypted document inaccessible.
What the CipherCloud development demonstrates is that where technology provides a problem (cloud-based file sharing), technology can and will also provide a solution – in this instance through a combination of of DLP, on-the-fly encryption, and compliant key management.