S&M Cloud, part of the multinational S&M Services and Systems Group, provides cloud services to the world’s leading companies. Their challenge was to support their customers, medical organizations in particular, moving large amounts of personal and sensitive data to cloud storage. An earlier system was unreliable and difficult to manage.
Interest in letting employees work from home has never been higher and will remain high even after the Covid-19 virus has run its course. For companies large and small the key challenge is how to make company data available remotely in a way that is easy for employees to use without compromising on information security. The Enterprise File Fabric™ offers an unmatched set of features to support secure remote working. In this post we’ll see how to set up the File Fabric in less than an hour to provide secure remote access to on-premises data, be that SMB, NAS / SAN or Microsoft DFS shares. The best part is that data is not copied or moved anywhere: it remains in the same secure place and the File Fabric provides web-scale secure access to it.
More and more companies have been attracted to the thorough list of features that the Enterprise File Fabric offers as a key solution to cover almost every need when it comes to data management.
Check out our Case Studies for the year:
The purpose of this post is to outline how the Enterprise File Fabric can be used with a blockchain Hyperledger solution to provide guaranteed tamper-proof audit reports for the corporate file estate.
Blockchain is a distributed database for maintaining records (called blocks) in which the data in a block cannot be altered retrospectively. Hyperledger is one of a number of projects that use blockchain at their core and is a specification for how a trusted network should work. In this example we use Fabric but there are others such as Sawtooth Lake, Corda R3 and Iroha.
The Enterprise File Fabric provides a unified multi-cloud content repository for all company data, whether stored on-cloud or on-premises. The solution supports over 60 storage endpoints including object storage such as Amazon S3, IBM COS, Google Storage and Microsoft Azure, as well as traditional on-premises storage such as Windows Filers and NAS / SAN, and other more common storage solutions such as Box, DropBox, Office 365 etc.
The Storage Made Easy solution can be used for many functional use cases. One of these use cases, which we will discuss in this blog post, is that of a secure encrypted data room.
One of the predominant use cases that companies have is to enable file sync and mobile access to file share data that lives behind the corporate firewall without the need for a VPN and without reconfiguring permissions whilst using Active Directory or LDAP for authentication.
In many cases this is done for compliance or security reasons or perhaps because there has been a large investment in internal storage that has yet to be realised, and of course during the recent Covid-19 pandemic there was a pressing need to enable such access for remote workers.
Accessing files over a CIFS/SMB network over VPN using a mobile network is possible, but access can be patchy, client apps are limited and it is often extremely slow.
The File Fabric enables this using its built-in CIFS / SMB connector. This blog post will step through how to web enable SMB file shares.
We quite often assume that when working with Cloud data it will be from the web or from mobile “on the go” devices. To be fair this can often be the majority of cases, but the Enterprise throws up all sorts of different use cases and I thought it would be useful to go over one of the more esoteric ones.
One of the customers that use the Storage Made Easy on-premise Enterprise File Share and Sync Cloud Control product is a medical company. They use the SME product as a hybrid on-premise cloud product that is able to offer storage locally and on Amazon S3. Both sets of storage use the Amazon S3 API. The SME Appliance is able to make local storage accessible over an S3-compatible API and then off-board this storage to Amazon S3 as required. This meant that the company's scripts and applications could easily work locally and with Amazon S3 with very minimal configuration changes.
Their field staff quite often find themselves in a situation where, when working remotely, their only means of access is a terminal, i.e. there is no direct web access and mobile devices are blocked and cannot be turned on. In the past this meant that consultants used to carry around CDs / DVDs onto which information that might be required had been burned.
The consultants did however have direct access to terminals which were internet enabled. As the SME EFSS product also includes a protocol gateway, this meant it was possible to get direct terminal access to remote files using SFTP.
As the SME EFSS Gateway product integrated with the company's Active Directory services, terminal access still used Single Sign On and the Active Directory credentials for each user's access.
User access can be obtained directly from the command line as per the example below.
Once authenticated the user can do a simple “ls” to get a file listing.
Once connected the view of the folder/files is available and can be worked with via the command line.
All access to the files is also logged and audited, including the username, the IP address and the types of interactions occurring, all part of the HIPAA-compliant process the customer implements. These reports can be exported and made available in Excel to any compliance officer.
Secure access to files and data can take many forms and in the Enterprise the edge cases also need to be catered for as well as the more common access use cases.
The recent controversy with regards to Prism and data snooping has brought the security of corporate data to the fore; however, the biggest threat to corporate data lies not with the corporate nemesis that is Prism but with the number of data leaks that occur every day in companies.
Data is any company's biggest asset, and not controlling how corporate data is disseminated is a ticking time bomb waiting to explode in your company. Why? Take your pick: legislative reasons, fraud-related reasons, competitive reasons. There are many reasons why not controlling data dissemination could trip your company up.
Companies need to consider how to build effective data governance across their enterprise data silos. Doing so will define a cohesive set of parameters for data management and data usage, as well as the ability to create governance processes for a company's internal use and for its supply chain, which ultimately leads to information assets that are well managed.
In the world of Cloud it is key that Data Governance and data policies work not only with data behind the corporate firewall but also cloud data and cloud services.
So what should you consider as a company to manage your data assets?
1. Understand what information is sensitive across all data silos, and have a federated access control mechanism that works with your users across these private and cloud data silos. Storage Made Easy provides such a federated mechanism to assign and control user permissions and access at a very granular level that overlays one or more data stores.
2. Set policies for data access and enforce them through common tools. For employee sharing of data through tools such as email, make it easy but also set policies that can define expiry time and password protection. Storage Made Easy has plug-ins for Microsoft Outlook and Mac Mail that enable productive file sharing across all cloud / private data with built-in support for policy enforcement.
These policies should also ripple through to the mobile Applications used in a company:
3. Use Cloud Encryption for sensitive data and ensure that you control the private key. See our previous post on encryption and securing data for further information.
4. Audit all your company data. Irrespective of the policies set you should get in the habit of auditing your company data. SME enables the setup of an automated email to a specified user of the previous day's file events such as sharing, files updated etc.
5. Set BYOD policies and device access policies that work like your company works. For example, have a contract firm that you gave access to a specific folder? Then designate that they can only access the folder using a web browser and only from a specific IP address.
Companies need to connect disconnected information to enable corporate governance.
**Updated 1st July 2016**
The recent PRISM data snooping controversies have heightened almost every company's awareness of the potential vulnerabilities of data stored off-premise in the Cloud. Many Cloud Storage companies talk about encrypting data ‘at rest’ but the real issue is that the storage companies control the encryption rather than the company whose data is stored controlling the private key.
One of the features that Storage Made Easy provides is an encryption feature that can encrypt data uploaded to remote (and local) Cloud Storage. SME supports 50+ cloud storage vendors, which means companies are able to take advantage of private key encryption for some, or all data, across cloud storage providers.
For individual users of our cloud SaaS services SME uses a key entered by a user to encrypt data, but the key is not stored on the SME hosted service. If the key is lost, or forgotten, then when trying to subsequently access the file the user will not be able to gain access to the file as the correct key phrase will not be known.
For companies that use the SME SaaS hosted service, team Admins specify a key that uses a similar mechanism but is applied to all users. Unlike the personal encryption, the key phrase is either stored encrypted by the SME service, or it can be stored with a self-hosted Vault instance.
For enterprise users who self-host the SME service, the key can be stored on the service behind the corporate firewall or, again, it could use the open source Vault software on a key server.
SME uses AES-256 encryption using the Rijndael cipher, with Cipher Block Chaining (CBC) where the block size is 16 bytes. A random initialisation vector is generated when the user supplies an encryption key. The cipher Rijndael consists of:
– an initial Round Key addition
– a final round.
The chaining variable goes into the “input” and the message block goes into the “Cipher Key”. The likelihood of recovering a file that has been encrypted using our encryption is fairly remote. The most efficient key-recovery attack for Rijndael is exhaustive key search. The expected effort of exhaustive key search depends on the length of the Cipher Key and, for a 16-byte key, is 2^127 applications of Rijndael.
Once files are encrypted in this manner they can be accessed by any of the comprehensive SME desktop (Web, Mac, Windows, Linux) or mobile tools (Windows Phone, iOS, Android, BlackBerry). When an encrypted file is accessed the user is prompted to provide the private key phrase before the file can be opened.
If the file is accessed direct from the underlying storage then it will not be able to be used as it will be encrypted and without being opened via the SME service, either hosted or on-premises, it will not be able to be un-encrypted. This makes sensitive data stored on remote servers ultra-secure.
The SME on-premises Cloud Control service also resides behind the corporate firewall. It enables the ability to keep very sensitive data behind the corporate firewall but still enable secure file sharing and at the same time offers the ability to encrypt data that is stored on remote cloud storage and other SaaS services for additional security.
Many service providers and companies offer Remote Desktop Services to enable companies to access their desktop remotely. Applications are installed for the users where user settings and data are saved to their profile.
We’ve had a few requests from companies and service providers now who wanted users to easily be able to access data on remote clouds (such as Azure, DropBox, Box, FTP, WebDav, Sharepoint, Amazon S3 etc) from a remote desktop.
With Storage Made Easy, this is easily done as SME presents a WebDav entry point to all clouds that SME supports whether they support WebDav or not. This means the service provider needs only co-locate the SME software appliance (supplied as an OVF compliant file) in their network and add a simple script to the user's startup. The script is:
NET USE * \\webdav.storagemadeeasy.com@SSL\DavWWWRoot
This enables users to get a mapped drive to remote cloud storage as soon as they log in to their remote desktop and to browse and access these files like any other data drive. It is a simple solution for bringing remote clouds directly into a user's remote desktop using a simple metaphor they understand, “a drive”.
We had an interesting Use Case recently in which the requirements were as follows:
The Company in question had a Google Apps Account and therefore used Google Drive for their Storage. They had a number of iWork Numbers documents that were modified by their team members whilst on the move using iWork and iPads. Currently their process was editing the files, and then trying to send the resultant file via email to other team members. Due to file size some files were not received and in general the email server was quickly eating up storage. What they came to SME for was to figure out how they could refine this process.
With Storage Made Easy the process became much simpler. Firstly the company subscribed to a Cloud File Server SaaS Account. The SME Cloud Admin then added the company's Google Drive account to be accessible via SME and invited other team members to be part of the Cloud File Server. On the Folder(s) in question the Cloud Admin simply set permissions so that relevant team members had access and added a notification rule specific to Keynote files to ensure that all subscribers to the shared folder received an email notification on new files or updates to existing files. As per our prior article on Twitter and SMS Gateways, on these changes to file events SME can easily generate instant SMS notifications.
As Storage Made Easy enables WebDav above any Cloud added to it, Google Drive becomes instantly accessible via WebDav. For the Company this means that they can simply open and create new Keynote files directly in Keynote from their shared Google Drive folder and then on completion simply save them back. The very act of doing this generates a file event on completion which sends an email and/or SMS to users subscribed to the shared folder, vastly simplifying the process.
Another added benefit to the company is the complete end-to-end joined up audit tracking they get on all Google Drive documents:
One of the legal companies that use the Storage Made Easy on-premise Cloud File Server Appliance had a recent request that we felt was worth exposing as we can see it could be a common use case.
The company has legal and para-legal resources that had the need to be able to annotate PDFs whilst away from the office using their iPads. The legal data is stored on an EU Amazon S3 instance and the SME Cloud File Server Appliance is used to provide single sign on with the internal Active Directory Server whilst also providing granular permissions and auditing services for full document tracking.
A key point for the company was that any PDF document editing would be able to be done on the move from an iPad and saved back to the S3 Cloud from the iPad, and also that any changes were audit trackable and users were instantly notified of changes. The SME on-premise Cloud Appliance, which unifies public and private data sources as well as providing a full audit trail for all file interactions, was used to satisfy this requirement in the following way:
– SME Cloud Appliance was already installed on-premise behind the corporate firewall
– The company's own EU S3 Account had been added as a Cloud to be monitored from the Appliance
– Auditing of any file events was set
– Access to the S3 files was available via the WebDav protocol using the user's Active Directory username / password as Active Directory SSO was enabled via the Appliance
– As S3 files were available via WebDav the iAnnotate iPad App could be used to log in and annotate files as outlined below.
Setting up access to Storage Made Easy from the cloud appliance is done as follows:
1. First set up a new WebDav cloud connection
2. Enter the SME WebDav Details
4. After annotating the document, simply save it.
5. On completion the annotated document is saved back to Amazon S3 (or any other WebDav Cloud it was accessed from).
All interactions that occur are also fully audited with the remote IP address, username, and document details, and these are available as part of the Audit logs provided by the SME Appliance, which can be exported as .csv or Excel and / or can be archived.