Many enterprises want to use cloud services for file storage and sharing but are hesitant because the cloud provider may be able to access the content. AlephCloud has a service that encrypts files at their creation source.
Cloud storage applications are great enablers of worker collaboration and productivity. When two or more people need to share files back and forth, and especially when they don’t all have access to a single internal storage facility like SharePoint, an application like Dropbox or Box can be helpful. Someone creates a file, drags it to the storage application icon, and the file is sent to the cloud—just that easy.
But while end users are interested in ease of use, enterprises are more concerned about data security. In response, the providers of these services have enhanced data privacy and security capabilities; for example, by using SSL to secure a file during transmission to the cloud and by encrypting the file at rest in the cloud.
Despite those protections, some enterprises are still skittish about allowing sensitive files to be stored in the cloud. It comes down to who has access to the files in a potentially unencrypted form. The cloud storage provider, for example, might have access to files in plain text when it’s the one that encrypts the files and holds the keys. This situation can be illustrated with this passage from the Dropbox website under a section entitled, “How secure is Dropbox?”:
This begs the question, how “rare” are the circumstances in which your private data is accessed by the cloud provider? “Rarely” is not the same as “never,” which is the answer most enterprises prefer. We need look no further than the example of Edward Snowden being the insider that gains access to sensitive information and exposes it inappropriately.
It is in this context that AlephCloud has introduced a solution called Content Canopy that provides encryption and key federation for cloud storage applications. Content Canopy helps to build the trustworthy cloud. Enterprises and cloud providers can use the solution to ensure that data stored in the cloud is fully encrypted at its source of creation and the cloud provider has no access at all to the keys.
There are two components to Content Canopy: client software and a cloud service that handles the key management and administration of the overall solution. Let’s break it down to see what each component does and how they fit together.
To get started using Content Canopy, a company subscribes to the service by buying X number of licenses from AlephCloud. An IT administrator gets a realm activation link and clicks this link to enroll himself in the service. Then he can invite end users to enroll by downloading an app to their desktop, laptop, iPhone or iPad (the company says Android support is coming soon).
Next a workgroup level administrator creates a group, names it and assigns people to the group. Behind the scenes, the group has its own public key/private key, and Content Canopy federates individual keys through the group key. Users don’t have to know this; all they know is they can put files into a folder assigned to the group and the files are automatically encrypted before being sent to a designated cloud storage service.
The storage repository can be any of a variety of cloud services, or even on-premise storage services. Currently AlephCloud supports Dropbox, Box, OneDrive and Amazon S3. A service gets associated with a group folder so a user simply drags his files to the folder to locally encrypt the file. Once a file is in the storage repository, only people in the group can access it and decrypt it using their key.
The Content Canopy service is used to set up shared groups and where key materials are produced, distributed and fragmented. Key federation takes place here so a key from this cloud service plus a key from the end user is required to encrypt/decrypt files. The third party storage service never has access to the keys or to unencrypted files. What’s more, AlephCloud never has access to unencrypted files or users’ secret keys. Thus an enterprise can be assured that vendors have “zero knowledge” of its sensitive content.
As for the end users, their way of work never changes. They still simply drag and drop files to a designated folder that has backend storage mapped to Dropbox, or Box, or some other application to share files with colleagues either inside or external to their enterprise. The encryption/decryption is all under the covers so they don’t have to even think about it.
It is the shared group concept that is tightly controlled and connected cryptographically in the AlephCloud solution. Everything revolves around one or more shared groups of people who are sharing information. The act of creating groups and putting people into groups is what distributes the mediated key material and then end users use the drag and drop interface to move files around.
AlephCloud executives say Content Canopy can actually be a platform that is integrated into operating systems, and it can be used to protect any object in addition to file sharing. These are considerations for the future.
Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp. which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.