As every information security professional knows, constant vigilance is required to ensure that enterprise information is adequately protected. The widespread adoption of cloud and hybrid infrastructures over the past decade has only amplified the requirement, and today’s demand for remote working at scale brings yet another set of challenges.
If you are working to keep your organization’s information safe under these dynamic conditions, it may be helpful to be familiar with the ways that the Enterprise File Fabric™ can be configured to provide and enforce strong protection of data through encryption, both in flight and at rest.
We’ll refer to this diagram as we talk through the File Fabric’s encryption control points:
Require HTTPS Between Clients and the File Fabric (no. 1 on diagram)
All of SME’s File Fabric client programs, which run in the browser, on Windows, Mac and Linux desktops and laptops, and on iOS and Android devices, use HTTPS by default when communicating with the File Fabric. The File Fabric’s administrator can ensure HTTPS is always required by setting an option on the Site Functionality page:
Force Transparent Encryption of Files (no. 2 on diagram)
The File Fabric can apply a certified FIPS-140 compliant encryption algorithm to render the contents of files uninterpretable to unauthorized viewers. The organization administrator controls which folders have their contents encrypted:
Other points to note about the File Fabric’s file encryption:
- Both encryption and decryption are transparent to end users.
- The encryption key phrase can be rotated by the organization administrator as needed.
- The key phrase can be stored, encrypted, in the File Fabric’s database or in an external key store.
Use HTTPS Between the File Fabric and Your Storage (nos. 3 and 4 on diagram)
Every cloud storage provider supports access over HTTPS, and all of the Enterprise File Fabric’s™ cloud storage connectors are pre-configured to use HTTPS endpoints.
Your on-premises storage may or may not support HTTPS access and, in some situations, you might choose not to use HTTPS in your data centre. The File Fabric’s connectors for on-premises storage systems that support HTTP and HTTPS all give you the choice:
Use Storage Encryption (nos. 5 and 6 on diagram)
Some storage systems offer their own encryption for files at rest. In most cases this encryption is transparent to storage client programs including the File Fabric. If your storage offers this kind of encryption you have the option of using it or the File Fabric’s file encryption or both.
Additionally using the File Fabric’s encryption can be an advantage when the data storage is remote and a company’s data governance policy requires stronger encryption than what is provided at rest by the data storage provider. In the event of a direct targeted breach against the storage, the data would be useless unless accessed via the File Fabric, where the decryption key is applied to successfully unlock the data.
Amazon also offers a different kind of encryption, server-side encryption with customer-provided encryption keys (SSE-C), that requires the storage user to provide the encryption key when accessing the storage. The File Fabric is able to work with this kind of encryption as well by allowing the encryption phrase to be stored in the connector configuration:
As with other kinds of storage encryption, you have the option of using SSE-C with or without the File Fabric’s own file encryption.
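To make concrete why SSE-C depends on the HTTPS link to storage described earlier, the following added example (not File Fabric code) builds the three SSE-C request headers defined by Amazon S3 and checks the values S3 echoes back in its response. How the File Fabric turns its stored encryption phrase into the key is not described here, so the example assumes a raw 256-bit key; the endpoint URL and function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Header names defined by Amazon S3 for SSE-C.
ALGO_HDR = "x-amz-server-side-encryption-customer-algorithm"
KEY_HDR = "x-amz-server-side-encryption-customer-key"
MD5_HDR = "x-amz-server-side-encryption-customer-key-MD5"


def key_md5_b64(key: bytes) -> str:
    """Base64 of the MD5 digest of the raw key; S3 uses it to detect a garbled key."""
    return base64.b64encode(hashlib.md5(key).digest()).decode("ascii")


def ssec_headers(endpoint: str, key: bytes) -> dict:
    """Build the SSE-C request headers for a 256-bit key.

    The key itself travels in a header on every request, so any non-HTTPS
    endpoint is refused (S3 also rejects SSE-C requests made over plain HTTP).
    """
    if urlsplit(endpoint).scheme.lower() != "https":
        raise ValueError("SSE-C key must only be sent over HTTPS")
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        ALGO_HDR: "AES256",
        KEY_HDR: base64.b64encode(key).decode("ascii"),
        MD5_HDR: key_md5_b64(key),
    }


def response_matches_key(resp_headers: dict, key: bytes) -> bool:
    """True if the response reports SSE-C with the digest of the key we supplied."""
    h = {k.lower(): v for k, v in resp_headers.items()}
    return (h.get(ALGO_HDR) == "AES256"
            and hmac.compare_digest(h.get(MD5_HDR.lower(), ""), key_md5_b64(key)))


if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample key, never reuse in production
    hdrs = ssec_headers("https://bucket.example.invalid/object", key)  # hypothetical endpoint
    print(sorted(hdrs))
```

Because the provider does not store the key, losing it means losing access to the objects it protects, so the key needs the same backup discipline as any other key material.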
Encryption is a particularly important tool in the information security professional’s toolkit. At Storage Made Easy we have embraced encryption as a key requirement for the File Fabric and deployed it liberally to protect your data on the storage and on the wire. Like all File Fabric features, encryption support spans all of the sixty or so kinds of storage for which we offer connectors.