Last week at Black Hat in Las Vegas, IT security firm Imperva discussed a “man-in-the-middle” attack that affects certain enterprise file-sync-and-share (EFSS) services, allowing hackers access to files transferred into the cloud. This is a very relevant and interesting vector of attack for EFSS services.
We were especially drawn to a Dark Reading story on the disclosure from August 5 that touches on encryption, and we believe clarification is necessary to highlight the role encryption can play in mitigating the effects of this attack.
Given the security processes of current file-sharing services, we feel encryption remains the strongest resolution to this, as encryption is the best protection against the consequences of most security threats. We agree with Imperva CTO Amichai Shulman that this new type of attack will not dissuade organizations from adopting the cloud. Instead of staying away from EFSS services, companies that allow cloud-based file sharing should be properly educated on implementing an encryption solution to prevent data from being compromised.
Two key points on the current state of file sharing security
- EFSS/Cloud Storage Service/File Share services use SSL/TLS to protect the communication channel, not the data itself, which travels through the secure tunnel in plain text; thus users’ data is readily available in plain text to an attacker who gains access to an account.
- The current server-side data-at-rest encryption for EFSS/Cloud Storage Service/File Share services only takes place once the data reaches the cloud. Even with the encryption offerings from these services, the attack is still relevant.
WinMagic’s take on a resolution
Client-side encryption alongside file sharing services is the best method to resolve the issue (man-in-the-cloud) and prevent any sensitive data from being compromised. While client-side encryption does not prevent the attack (e.g. it does not block the synchronization token file from being modified), encryption on the end point ensures that all data stored locally within the cloud sync folders remains encrypted, and that the synchronization process only moves encrypted data to the cloud.
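To make the mechanism concrete, here is an added example (written for this post, not WinMagic’s or any vendor’s product code) of what "only encrypted data reaches the cloud" looks like: a file is sealed with AES-256-GCM under a key the organization holds before the sync client ever sees it, the file name is bound as associated data, and a cloud copy that has been edited fails authentication on the way back. The key, file name and contents are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key held by the organization, not the provider.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForSync seals a file before it lands in the local sync folder, so the sync client only
// ever uploads ciphertext. The random nonce is prepended; the file name is bound as associated data.
func EncryptForSync(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// DecryptFromSync opens a blob pulled back from the sync folder; an edited cloud copy fails here.
func DecryptFromSync(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("synced blob shorter than a nonce")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; real keys come from org key management
	blob, _ := EncryptForSync(key, "forecast.xlsx", []byte("Q3 revenue 12.4M"))
	_, err := DecryptFromSync(key, "forecast.xlsx", blob)
	println("uploaded bytes:", len(blob), "round trip ok:", err == nil)
}
```

Anyone holding a stolen synchronization token sees only the sealed blob, and key management (who generates, distributes and rotates the key) is the part the organization must own for this to hold.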
Current encryption solutions available for EFSS cannot properly encrypt files on the end point, so the risk of compromised data is very real. For an end-point encryption solution to be both effective and practical, enterprises must have intelligent key management control, where encryption keys are created, distributed, and fully owned by the organization, not by third parties.
Cloud folders and encryption key policies can be deployed transparently, and most importantly users can transparently use these encrypted files, with no user behavior change. With mature key management, users share encrypted files with each other without even needing to share passwords.
With proper end-point encryption in place, a hacker capitalizing on the attack outlined at Black Hat last week will only receive encrypted data from the user. The attacker won’t be able to compromise sensitive data or modify the contents.