In a global and digitised world of work, the use of cloud solutions is growing steadily. However, sensitive data of companies and public authorities is not adequately protected against third-party access in the public cloud by conventional controls such as password prompts. Encryption, in turn, makes it harder to work with the documents. An approach is needed that combines security with transparency.
Public cloud services such as Dropbox, iCloud or Google Drive are no longer relevant only to home users. More and more companies and government agencies work with, and rely on, such cloud solutions. Cloud services are used, for example, as a collaborative workspace, for storing documents, or for continuous backup of data.
However, public clouds are increasingly targeted by cybercriminals, which creates significant security risks for companies and authorities. Another problem with cloud solutions: security-related and personal data are subject to strict privacy regulations. Under the new EU General Data Protection Regulation (EU-GDPR), sensitive data must not leave the legal sphere. But most cloud services have no servers within the country and cannot guarantee the appropriate data security.
Access to the cloud and encryption of the data
Identity and Access Management (IAM) controls access to any cloud via passwords, keys or similar. However, these alone cannot guarantee the necessary level of security. Encrypting the data in the cloud is therefore absolutely necessary; only then can companies and authorities protect their sensitive documents from unauthorised access.
Although conventional encryption solutions provide more security, they have a significant disadvantage: encrypted documents make collaboration in the cloud much more difficult. Many work processes become slow and the flexibility of collaboration is lost. Yet that flexibility is the key use case and success factor of cloud solutions.
New security strategies for cloud solutions
An alternative is the so-called “Cloud Access Security Broker” (CASB), a new category of cloud security solution. A CASB sits in the network path between the cloud user and the cloud system and controls all access to the cloud. It regulates both the authentication of users and the access rights to files and applications in the cloud. For example, a CASB applies enterprise IT security policies for user login, logging, or malware detection.
But even a CASB offers no holistic protection. Many CASBs have no encryption system: although they control access to the data in the cloud, the data itself remains unencrypted.
Cloud Access Security Broker with encryption
If the use of public cloud services is in future to meet the highest security requirements while still enabling collaboration in the cloud, a new approach is needed: combining a Cloud Access Security Broker with a file encryption system. Only such a solution offers maximum security. With this “high-security CASB”, companies and authorities can work transparently and securely with highly sensitive documents even in a public cloud.
The solution works in several steps and uses virtualization, encryption, and fragmentation to protect data from complex internal and external cyber attacks:
When a document is uploaded to the cloud, the high-security CASB creates a virtualised version of the original document. This virtual document contains only the meta information of the original, such as keywords and the specific access rules for the document; it has no content itself. The original document, meanwhile, is encrypted and fragmented across different, freely selectable storage systems. This physical fragmentation protects the data from attacks and external access, since the original document is never completely visible and only fragments are stored. This even allows working with top-secret documents in the cloud. In addition, companies and governments can use this CASB to precisely define access rights to cloud documents and implement their cloud security strategy. And above all, the highly sensitive data in the cloud does not leave the country and thus meets the strict data protection requirements.
When the document is edited again, the high-security CASB controls access to it. A separate log-in system checks access via various security queries. Only employees with authorised access rights can access and download the document. Only during the download does the high-security CASB reassemble the document and decrypt it.
On the one hand, this keeps the confidential content unreadable for attackers or unauthorised persons, even in an attack on the cloud. On the other hand, employees can open the document from different locations and work on it together. Effortless integration into existing workflows such as collaboration and team-working is possible. Work and business processes are maintained and remain flexible. The high-security CASB even allows complex work processes such as a full-text search in the encrypted document.
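The upload and access steps described above, modelled as an added illustration in Python (this is not the product's code or any vendor's implementation): a metadata-only stub, encrypt-then-MAC of the original, round-robin fragmentation across separate storage backends, and an access check before reassembly and decryption. The HMAC-SHA256 counter-mode keystream (a standard-library stand-in for a real AEAD), the in-memory dict "stores" and the sample document are assumptions made for the demo.

```python
import hashlib, hmac, json, secrets

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in for an AEAD such as AES-GCM.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def upload(doc, keywords, acl, stores, key, n_frags=4):
    """Upload step: encrypt, fragment across stores, return a metadata-only stub."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(doc, _keystream(key, nonce, len(doc))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()   # encrypt-then-MAC
    size, fragments = -(-len(ct) // n_frags), []                 # ceil division
    for i in range(n_frags):                  # round-robin over the storage systems
        idx, fid = i % len(stores), secrets.token_hex(8)
        stores[idx][fid] = ct[i * size:(i + 1) * size]
        fragments.append((idx, fid))
    return {"keywords": keywords, "acl": sorted(acl), "nonce": nonce.hex(),
            "tag": tag, "fragments": fragments}    # the stub: no document content

def download(stub, user, stores, key):
    if user not in stub["acl"]:               # access check comes before any reassembly
        raise PermissionError(f"{user} is not in the document's access list")
    ct = b"".join(stores[idx][fid] for idx, fid in stub["fragments"])
    nonce = bytes.fromhex(stub["nonce"])
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, stub["tag"]):   # verify before decrypting
        raise ValueError("fragment missing or tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def _raises(exc, fn, *args):
    try: fn(*args)
    except exc: return True
    return False

def run_demo():
    """Upload a constructed document, then exercise the access and tamper checks."""
    key, stores = secrets.token_bytes(32), [{}, {}, {}]    # three separate backends
    doc = b"TOP SECRET: quarterly figures for the board"   # constructed sample
    stub = upload(doc, ["figures", "board"], {"alice"}, stores, key)
    no_content = b"SECRET" not in json.dumps(stub).encode()     # stub has no body
    no_whole_copy = all(len(v) < len(doc) for s in stores for v in s.values())
    denied = _raises(PermissionError, download, stub, "mallory", stores, key)
    roundtrip = download(stub, "alice", stores, key) == doc
    idx, fid = stub["fragments"][0]
    frag = stores[idx][fid]
    stores[idx][fid] = frag[:-1] + bytes([frag[-1] ^ 0x01])      # corrupt one fragment
    tampered = _raises(ValueError, download, stub, "alice", stores, key)
    return no_content, no_whole_copy, denied, roundtrip, tampered
```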
Conclusion: High data security and a transparent solution for the cloud
Through encryption, virtualisation, and fragmentation, a high-security CASB provides maximum data security that is both simple and transparent for the user. It enables global companies and authorities with multiple locations to work flexibly and collaboratively. The solution is both scalable and compatible with all popular cloud providers, file-share systems and file formats. A high-security CASB is therefore suitable not only for large but also for small businesses.