
The Seven Deadly Sins of File Sync & Share

With the recently publicized breach of Apple’s iCloud celebrity accounts and hacked Dropbox accounts, it’s time to take a long hard look at the risks posed by SaaS file sync & share solutions. It’s been said many times both by CTERA as well as others that such solutions are not secure – but let’s go beyond the slogans, dissect what exactly they are doing that’s so unseemly, and what conclusions businesses should draw from it.
In order to understand the pattern, I’ve gone back over the past year or so to examine various incidents, and magically ended up with seven of them – and so I bring you the Seven Deadly Sins of File Sync & Share:



LUST

Hackers are lusting after your FSS data: Reported by a Google study earlier this year, and demonstrated also by a Dropbox disclosure in 2012, account hijacking is a common threat. The possibilities for hackers are endless – in many cases they simply used the accounts to target users with spam, but given that FSS services sync files to your computer, access to accounts can easily be used to insert malware into users’ PCs, for anything from keylogging to infiltrating enterprise systems. Naturally, the more widely used services are more likely to be targeted by hackers.

Your penance: There are ways to mitigate such risks. User authentication through Active Directory integration, frequent password changes, and two- or multi-factor authentication methods can all do a lot to prevent account hijacking.

GLUTTONY

Big Brother will gobble up your data: As was revealed by Edward Snowden, the National Security Agency’s PRISM program taps into user data from a variety of US-based service providers including Apple, Google, and others. Dropbox has also been receiving requests for disclosure, and one can only guess how much data is collected by other means that don’t involve the NSA asking nicely.

Your penance: If you want to make your files less appetizing and less accessible to intelligence agencies, you can either go completely private on your own infrastructure, or use a cloud service that allows you to encrypt your data at the source and be the sole owner of the encryption keys.


GREED

Global encryption key, de-duplication across all accounts = more money: Look at any FSS provider and they will tell you that your data is encrypted with military-grade encryption. That’s about as useful as knowing that your house has a door and it’s locked. But who holds the key? And how many other doors use the same key?
Dropbox was sued in 2011 for misleading users on security, and changed their security statement as a result. But the truth remains that they (and many other providers) continue to de-duplicate all files across user accounts to increase storage space utilization and optimize their profit margins – pure and simple. With companies like Box losing nearly $170,000,000 in only 12 months, it’s no surprise that SaaS vendors are feeling the pressure to make profits at the expense of your security.

That may be OK for consumers – who cares if their photo of the Eiffel Tower is de-duplicated against the almost identical variations that millions of other people uploaded – but for enterprises this is unacceptable in terms of security and privacy standards, and could also raise serious compliance issues.

Your penance: Verify that your provider gives you control of the encryption keys.


SLOTH

Comfort trumps security: This one is on us, folks, the users. Almost all FSS providers have options for 2-factor authentication and strong passwords that would have prevented breaches like the iCloud celebrity photo leak, but usually they don’t enforce them. Therefore users take the path of least resistance and leave themselves vulnerable to breaches.

Your penance: In a business setting, IT should enforce such policies. At the very least you should control your encryption keys and enforce strong password policies.


WRATH

Be prepared to incur the wrath of your CFO: Enterprise users who use unsanctioned FSS services may cost the enterprise more money than was previously estimated. A recent study found that the use of such services is multiplying the cost of data breaches due to the lack of IT control. Whereas previously a leaky application or server could just be shut down, now this involves many (sometimes unknown) service providers. It puts a big dollar sign on the cloud services sprawl issue.

Your penance: Simply put – don’t use cloud services that don’t have the stamp of approval from IT for business use, tempting as it may be.


ENVY

What do we do? We covet. Your files: Microsoft OneDrive for Business, as it turns out, inserts code into synchronized files, thus altering them (note – this is not metadata enveloping the file, it’s inside the file). The issue was discovered when compatibility issues arose with Office files.
On principle, it is unacceptable to have your entrusted files tampered with. It can also cause major problems for businesses that need to comply with Sarbanes-Oxley, HIPAA or any regulation that demands proof of data integrity and no tampering.

Your penance: Ensure that the solution that you’re using guarantees zero tampering, and provides data integrity checks.


PRIDE

Oh, the hubris: File sync & share providers constantly pretend that they can replace backup. FSS is very useful, but it is no substitute for backup, for a variety of reasons articulated clearly in this report by Gartner. It is bi-directional sync, so a file deleted locally is also deleted in the cloud; versioning is limited;

Your penance: If you’re planning to use FSS as backup – don’t. Use a backup solution for backup, and better yet, find a solution that offers both functions from a single client, as CTERA does.

So with all this happening, does that mean that the cloud is inherently unsafe for business?
No. Nothing is 100% safe, but cloud services can be (and many are) just as safe as in-house enterprise file sync and share services, and in the case of smaller companies sometimes safer – because tier 1 cloud providers abide by the strictest practices demanded by their blue-chip clients.

Keep this in mind: VERY few companies can manage both consumer-grade services and enterprise-grade services and do justice to both. In such cases I would expect such solutions to be COMPLETELY separate from each other – run by different divisions, in different data centers, with different admins and support staff. The requirements and economic incentive for consumer vs. enterprise solutions are diametrically opposed, and reconciling them is improbable to the extreme. If you plan to use a service that caters to both types of audiences, verify the measures they are taking to keep them apart.

What else can you do? Dig one level deeper than the security slogans, and ensure that the services or software you are using have these features:

  • Source-based encryption: Encrypting your files before they are sent to the cloud. This is in addition to TLS/SSL in-transit encryption.
  • Private encryption key management: The ability to control your encryption keys exclusively, preventing service provider staff and other 3rd parties from accessing your files when stored in the cloud.
  • Password policy enforcement: Ability to enforce use of strong passwords and a password expiration period on users.
  • 2-factor authentication: Ability to require 2-factor authentication (via email or SMS) for account/device activation as well as shared link access.
  • Data integrity checks: Preventing ‘man in the middle’ attacks and tampering with your files by ensuring that the data that arrived in the cloud is the same data that left your device. This is typically done using hashes or fingerprinting such as the SHA-1 standard.
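The following is an added example, written for this page and not CTERA’s or any provider’s code, that puts three of the items above (source-based encryption, private key management, data integrity checks) into one small client-side pipeline, and also illustrates the GREED trade-off: with per-user keys the provider cannot de-duplicate the same file across two accounts, whereas a single provider-held key with content-derived nonces makes identical files produce identical stored bytes. Everything is stdlib only so it runs anywhere; the HMAC-SHA256 keystream is an illustrative stand-in for a real cipher (a production client would use an AEAD such as AES-GCM from a vetted library), the tenant secret and document are constructed placeholders, and the integrity tag uses SHA-256 rather than the SHA-1 the text mentions.

```python
"""Client-side ("source-based") encryption with per-user keys and an integrity tag.

Added example, not CTERA's or any provider's code. Built from hashlib/hmac only;
the HMAC keystream is an illustration, not a production cipher.
"""
import hashlib
import hmac
import secrets


def derive_user_keys(tenant_secret, user_id):
    """Derive a per-user encryption key and MAC key on the client.

    The tenant secret (hypothetical, held by the organisation) never leaves it,
    so the provider holds nothing that decrypts or forges a file.
    """
    base = hmac.new(tenant_secret, user_id.encode(), hashlib.sha256).digest()
    enc_key = hmac.new(base, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(base, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real stream cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_for_upload(enc_key, mac_key, plaintext, nonce=None):
    """Encrypt before the bytes leave the device; return exactly what the cloud stores.

    Encrypt-then-MAC: the tag covers nonce + ciphertext, so any change to the
    stored object is caught before decryption is attempted.
    """
    if nonce is None:
        nonce = secrets.token_bytes(16)  # fresh per upload: identical files look unrelated
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def verify_download(mac_key, blob):
    """Integrity check: is the object that came back the one that left the device?"""
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob["tag"])


def decrypt_after_download(enc_key, mac_key, blob):
    if not verify_download(mac_key, blob):
        raise ValueError("integrity check failed: object was altered in transit or at rest")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], ks))


def provider_can_dedupe(blob_a, blob_b):
    """A provider can only de-duplicate what it can recognise as identical: the stored bytes."""
    return blob_a["ciphertext"] == blob_b["ciphertext"]


# Constructed sample: two users in one tenant upload the same document.
TENANT_SECRET = b"example-tenant-secret-never-uploaded"  # constructed placeholder
CONTRACT = b"Confidential: acquisition terms, draft 3."  # constructed sample content


def demo():
    alice = derive_user_keys(TENANT_SECRET, "alice@example.com")
    bob = derive_user_keys(TENANT_SECRET, "bob@example.com")
    blob_alice = encrypt_for_upload(*alice, CONTRACT)
    blob_bob = encrypt_for_upload(*bob, CONTRACT)

    # Per-user keys: the provider sees two unrelated objects, no cross-account dedup.
    per_user_dedupe = provider_can_dedupe(blob_alice, blob_bob)

    # "Global key" model: one provider-held key plus a content-derived nonce makes
    # identical files produce identical ciphertext (dedupable), and whoever holds
    # that key can read every file stored under it.
    global_enc, global_mac = derive_user_keys(b"provider-global-key", "everyone")
    content_nonce = hashlib.sha256(CONTRACT).digest()[:16]
    g1 = encrypt_for_upload(global_enc, global_mac, CONTRACT, nonce=content_nonce)
    g2 = encrypt_for_upload(global_enc, global_mac, CONTRACT, nonce=content_nonce)
    global_dedupe = provider_can_dedupe(g1, g2)

    # Tampering: flip one stored byte and confirm the integrity check rejects it.
    tampered = dict(blob_alice)
    ct = bytearray(tampered["ciphertext"])
    ct[0] ^= 0x01
    tampered["ciphertext"] = bytes(ct)

    return {
        "roundtrip_ok": decrypt_after_download(*alice, blob_alice) == CONTRACT,
        "per_user_keys_dedupable": per_user_dedupe,
        "global_key_dedupable": global_dedupe,
        "tamper_detected": not verify_download(alice[1], tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two sides of the trade-off at once: per-user keys with a random nonce give the provider nothing to de-duplicate (and nothing to read), while the global-key variant de-duplicates perfectly at the cost of a single key that unlocks every tenant’s data. The flipped byte is rejected by `verify_download` before any decryption happens, which is the property the "data integrity checks" bullet asks for.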

At CTERA we call this end-to-end cloud storage security. It is embedded in CTERA’s software and in our corporate DNA, enabling cloud owners to provide a more secure experience straight out of the box.
