The Storage Made Easy solution can be used for many functional use cases. One of these use cases which we will discuss in this blog post is that of a secure encrypted data room.
We will break this down piece by piece as to how this was created.
In terms of how this can be achieved, the SME on-premises or on IaaS File Fabric product can be used, but this can also be achieved using the SME SaaS solution.
The first thing to do is to add your storage provider of choice with regards to where you want the Data Room data to be stored. We will use Amazon S3 but you could choose to use any type of storage that SME supports.
Once this is done we can choose how we will encrypt the data. This is an important step as it means that despite the data being stored on Cloud it will be totally secure, even if the data is directly accessed from the Storage. SME support AES 256 bit encryption.
There are 3 different ways sme support to encrypt the data:
1. File by file encryption – In this mode the encryption key is not stored by SME and must be remembered. Different encryption keys can be applied to different files or folders. No key, no data retrieval.
2. Blanket Data Room encryption. A single key is chosen and stored and is used to encrypt the data.
3. Blanket Data room encryption with the key stored in an external key server. SME supports the Hashicorp Vault key management server.
We can now add the users that we wish to access the Data Room:
Now encryption is set then the SME Cloud File Manager UI can be used to create (pseudo) folders on S3 to contain the documents for the data room and then read only ACLS’s can be applied as per our requirement.
Next we can set a policy to turn off file sharing for all users as we do not want the documents to be shared:
And as the administrator of the Data Room we now populate the document folders which remember, will be encrypted as per our earlier choice.
All interactions from end users will be audited and will be available to the Administrator
And finally we set some instructions for the home page the users will see when they first login into the Data Room:
That is it, we are done. We have a data room that:
- Has data stored on Amazon S3
- Has secure encrypted data
- Has users added
- Has ACL’s set to only access the data in a read only fashion
- Is set to prevent file sharing
- Audits all access so that this can be used for Compliance such as GDPR
- Has intranet type instructions for use
If we wished to we could use the SME File Fabric to easily extend this by adding GEO restriction controls (only allow access from the UK for example) or IP controls (only allow one specific IP address to access),by