Consumer tech acceptable for sensitive data with a little help from encryption.
While workers have embraced consumer technology in the workplace with enthusiasm, those technologies have posed pesky problems for organizations that deal with sensitive personal information, especially universities.
That was the case at Brown University where one of its HIV researchers wanted to use Dropbox, an online storage and sharing service with more than 275 million worldwide users, to manage the work of her research team.
Brown’s IT department has strict rules governing the kind of data gathered by those HIV researchers. Any information “regulated, restricted, confidential or personally identifiable” must be stored on a system owned and managed by Brown.
Those rules put a crimp in Assistant Professor Caroline Kuo’s HIV research in South Africa. Kuo, a Dropbox user, found the service ideal for her project’s needs. It stored data on a device as well as in the cloud, which is important when collecting data in the field where Internet connectivity may be non-existent, and synchronized that data seamlessly with the cloud when an Internet connection was available.
Most important, though, Dropbox was easy to use, a characteristic that’s been driving adoption of consumer technologies by workers. “A lot of my staff in South Africa are computer illiterate,” Kuo explained. “They have to go through basic computer training to even learn how to open a file. Dropbox was really simple for them to understand.”
That simplicity is what makes products like Dropbox attractive to users. “What’s exciting about the new file sharing tools is that people can gravitate to them quickly and solve an immediate obvious problem: sharing a file with someone else,” observed Greg Milliken, marketing vice president for M-Files, maker of an enterprise content management platform.
Dropbox’s simplicity contrasted mightily with the solution offered by the university’s IT department, a solution really not designed for sharing multiple files through a unified interface. For each filed shared, a secure link had to be created and emailed to whomever you wanted to share the file with. Then the email’s recipient had to click on the link and login to the system to obtain the file. Synchronization between a local folder and the Brown cloud was non-existent, and shared files stored on the university’s servers were automatically deleted after 30 days.
“It was designed to send one or two files between two people, but what they weren’t prepared for was multiple users needing to access shared files and an interface to make that happen,” Kuo said.
“It was unwieldy for multiple accounts,” she continued. “On on our project, we’ve got 10 folders and in each folder there are large audio, video and Word files. Having to create a link and email them separately was a nightmare.”
Although Kuo liked using Dropbox, she shared the university’s concerns about security. Storage of data on a device was nice, but it was risky, too. “A big consideration is how do you protect the data on the device,” she said. “It’s very likely that a device will be stolen. Just last week, colleagues were held up at gunpoint for their mobile phones that they’d been collecting data on.”
In addition, some central administration over the devices was needed. If a device is stolen, it would be handy to be able to wipe the device’s data remotely. The IT department, too, needed some insight into the devices to impose policies to insure security, as well as cut the device’s access to the university’s systems when its owner left the institution.
What Kuo and Brown discovered was a solution to both the needs of the project manager and the IT department. It’s called nCrypted Cloud. The service encrypts data at rest and in transit, preserves the ease-of-use of DropBox and gives project managers and network administrators a measure of control over users and shared files.
Check out “Encrypt All Your Shared Data With nCrypted Cloud“.
“We view Dropbox as a cloud hard drive, and we’re sort of a virtual lens on top of it,” nCrypted Cloud co-founder Nick Stamos explained. “We intercept all the data to and from Dropbox and encrypt it.”
The data is also encrypted at the endpoints in a system, where an nCrypted Cloud client application resides. When a file needs to be used at an endpoint, the client decrypts the data for application use.
The “virtual lens” approach has allowed nCrypted Cloud to expand its solution beyond Dropbox to Google Drive, OneDrive, Box and Egnyte.
To a Dropbox user, there’s very little to tip them off they’re using nCrypted Cloud, save for a slight addition to a standard Dropbox file icon: a lock to show a user that the file is encrypted.
Policies can be attached to files and folders by their creators and workflow policies controlled by an administrator. Creators can control details about sharing the contents of a folder and collaboration on files. Administrators have full auditing visibility into the system and can set policies such as requiring a PIN to access any Brown University data with a mobile device or barring “rooted” mobile devices from accessing university data. “It’s sort of a distributed responsibility,” Stamos said.
Management of the system is done through nCrypted Cloud’s servers. That’s a useful arrangement should a device be misplaced or stolen. “Whenever a thief tries to connect a mobile device to a network, we can erase the data on the device from a central location,” Kuo said. “So not only is the data encrypted, but on top of that we know we can log onto the device from our office and wipe it clean.”
Encryption can serve another purpose when using a service like Dropbox. “There’s some concern that cloud storage providers will look at your data to target advertising at you,” explained Richard Stiennon, chief research analyst with IT Harvest and an nCrypted Cloud user. In fact, last fall it was revealed that Dropbox was peeking at all “.doc” files uploaded to the system. The company said it needed to snoop on the files for de-duplication purpose, to scan for them for malware and to allow users to a preview documents without opening up a desktop program.
An elaborate key management system is also deployed to protect data encrypted by nCrypted Cloud. For example, keys for unlocking Brown’s data aren’t stored on nCrypted Cloud’s servers where they could be obtained by a third-party. “We don’t want access to those keys,” Stamos said. “So if the Department of Justice or someone else comes to us, we don’t want to ever expose our customers’ information.”
With nCrypted Cloud, each file is put into a 256-bit AES zip container. “That was important for us because we didn’t want to build anything that was proprietary,” Stamos explained. Each file has a unique password and each person has both a personal and corporate identity. Each identity has a private and public key pair. Passwords encrypted with the corporate identity has two public-private key pairs — one for the owner of the file and one for their employer. “That guarantees that the corporation or institution will always have access to the information,” Stamos said.
It also addresses a problem with devices that may contain both personal and institutional information because personal information can be encrypted using a personal identity. “If you leave work or quit, they can revoke your access to work files and be assured you don’t have access to them,” said Adrian Sanabria, an enterprise security analyst with The 451 Group. “At the same time, you can be assured that they can’t revoke your access to your personal files.”
“The catch is,” he added, “you’re the one categorizing what’s work and what’s personal. So the company is depending on the user to do that correctly, if at all.”
Other measures are taken to ensure that nCrypted Cloud can’t be forced to cough up a customer’s private keys. First, the corporate private keys remain with the institution — only the institution’s public keys remain with nCrypted Cloud.
Second, it borrows an algorithm used to secure WiFi networks to secure a user’s private keys. In nCrypted Cloud that algorithm is used to take a user’s account ID, which is public information, and a password to generate a personal key that’s used to encrypt their private key. That encrypted cocktail is stored in the nCrypted Cloud servers. “So the server has encrypted data that it will give to anyone who asks for it but they need the right credentials to unlock the private key,” Stamos explained.
One knock against encryption is that it creates latency in a user’s experience. Stamos discounted that notion for nCrypted Cloud. “It really doesn’t hurt performance,” he said. “I think we’re the only product in the world that actually reduces the size of data when we encrypt it.”
“Computers are so powerful today performance really isn’t an issue,” he added. “Even in mobile, network connectivity is always a bigger constraint than encrypting and decrypting data.”
In the coming months, the Brown researchers will be expanding their efforts to gather data through mobile devices. Those efforts could be a real test for nCrypted Cloud. “It’s a big unknown for me how nCrypted Cloud will perform where network speeds are slow and reception unstable,” Kuo said.