Bring your own Device is changing Enterprise IT

In the not too distant past most companies had a unilateral policy on cell phones. You were given one by the company and it was a BlackBerry, or it was a Windows Mobile etc, and there was a mandate that you had to use it. The company provided it, you used it, and more often than not you walked around with another personal phone that you actually wanted to own and use.

Today, more and more companies are adopting a BYOD or ‘bring your own device’ approach. Research by Forrester on the subject pinpointed the Apple iPad as the device that consolidated a shift begun by the iPhone, as company executives brought it with them to the office and challenged IT to support it.

Far from IT departments having the ability to strictly dictate the mobile devices in their ecosystems, they are being challenged by personal smartphone preference. The Forrester report states that 59 percent of the companies surveyed enabled employees to bring their own phones to work.

Another factor is the rise in remote or on-the-move working. Whereas in the past company workers logged onto the corporate VPN from a laptop or PC, many companies now use Google Docs or Hosted SharePoint, which makes it easier to “just connect” using web security protocols such as OAuth. Many analysts and government bodies predict that this is the future of IT.

We’ve long been an advocate of this ‘martini’ anytime/anywhere type policy of working with data from mobile devices. It’s the future, plain and simple. This is why we very early built out a comprehensive mobile strategy that focused on supporting all the major mobile devices, i.e. iOS, Android, BlackBerry and Windows Phone.

It’s also the reason why we’ve concentrated on providing governance and e-compliance features that work against what we believe will become the real challenge of corporate IT, that of the sprawl of public and private Cloud Services.

We will continue to focus on this throughout 2012 and broaden not only our supported data cloud offerings but we will also release support for other SaaS services, some of which are in beta now with some of our customers.

We will continue to expand governance options and integration with Corporate IT, and best of all, if you want to host all this in your own data centre, you can, using our Cloud Appliance which supports VMware, XEN, and KVM environments.

We believe 2012 will be looked back on as the year that two key themes converged in corporate IT, that of mobile working and Cloud Computing, and we are looking forward to working with existing and new customers to support it.


Creating Amazon S3 public, private and encrypted shared links for business use

Amazon S3 is a great, robust and reliable storage service but sharing files could be easier. This post will step you through how you can easily create and share links for Amazon S3 using SMEStorage clients and tools.

If you wish to make file links available for sharing using Amazon S3 then you need to edit the Access Control List for that file and grant read access. Amazon provides APIs and programmatic access to do this and there are many tools that work with Amazon that enable you to visually alter the ACL. S3Fox is one popular one that comes to mind.

The SMEStorage tools are more focused on the use of shared links from a knowledge worker or business perspective. How they are generated and used works above any Cloud File mapped to a SMEStorage Account (i.e. not just Amazon S3).

The way SMEStorage works is that it becomes an abstraction of any Cloud that is mapped to it. During the initial setup SMEStorage syncs information about the files. This includes the filename, date, creation and modify time, location etc. The files don’t move and continue to reside at their original location, and this mechanism enables SMEStorage to provide a virtual Cloud directory of files available to your account from the different storage providers you have mapped to it.

This meta mapping mechanism is transparent to users and enables SMEStorage to add value added services, such as the link creation for example (other examples that come to mind are adding FTP and WebDAV even when the underlying Clouds do not support them).

Once the Amazon S3 Provider has been added to an account and the meta information sync, as outlined above, has completed, it is possible to generate secure private or public file links for sharing files.

When you generate a link using any of the SMEStorage tools for Amazon S3 you are not changing the ACL of the file, which remains private, but granting access to the file via SMEStorage.

There are a few ways you can share files in this way:

1. Generate a SMEStorage link (which in turn can be given as a TinyURL). The link is a generated 30-character URL string, created from multiple input seeds: the filename, the file size, and a random seed. The link does not exist until it is requested. Once requested, the link remains available until the file is changed (i.e. renamed or moved).

The advantage of this is that you can share a link with one or two people whilst keeping the actual file private.

All tools can generate such links; below is an example of this using iSMEStorage for the iPad.

2. Managed file sharing link: you can choose to share files using a SMEStorage generated email. The advantage of this is you can set an expiry time on the links which prevents the link from being reused or passed around at some point in the future.

Below is a screenshot of this sharing method from iSMEStorage for iPad.

3. Setting a file to public. When you set an Amazon S3 file (or any other file mapped to your account) to public it appears on your public files page, RSS page and is available via the web as it can be indexed by Search engines.

4. Sharing a file with a Collaboration Group: With SMEStorage you can choose to create Virtual Groups, to which you can invite members. You can do this directly from Client Tools, including mobile tools. You can then choose to share a file with the group and all members of the group will automatically be notified that there is a new file, without you needing to do anything. They are also notified automatically if a file is changed or updated.

Below are some mobile groups that have been created from a Windows Phone 7 mobile device:

5. Encrypted file shares: if you upload the file using any SMEStorage client you can choose to encrypt the file using AES-256 encryption, in which you keep the private key. SMEStorage does not store it. If you lose the key you will not be able to access the file. Once encrypted you can choose to share using any of the above mechanisms, but anyone clicking on the file link will need the password you chose when you encrypted the file. If you don’t provide this to them they will not be able to access the file.

The picture below shows the screen that is shown when a user tries to access an encrypted file.
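A minimal sketch of the link behaviour described in items 1 and 2 above, added here as an illustration and not SMEStorage's code: the hash (SHA-256), the alphabet, and the names `make_token` and `LinkStore` are assumptions. Because a filename and file size are guessable, the link's unpredictability rests entirely on the random seed, so the sketch draws it from a CSPRNG.

```python
import hashlib
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # 62 URL-safe symbols (assumed)
TOKEN_LEN = 30  # link length stated in the post


def make_token(filename, size, seed):
    """Hash the three seeds named in the post into a 30-character string."""
    digest = hashlib.sha256(seed + f"{filename}\0{size}".encode()).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(TOKEN_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


class LinkStore:
    """Gateway-side table of links; the storage ACL itself is never changed."""

    def __init__(self):
        self._links = {}  # token -> (path, size, expires_at or None)

    def request_link(self, path, size, ttl=None, now=None):
        """Create the link on request; nothing exists before this call."""
        now = time.time() if now is None else now
        token = make_token(path, size, secrets.token_bytes(32))
        self._links[token] = (path, size, None if ttl is None else now + ttl)
        return token

    def file_changed(self, old_path):
        """Rename or move: drop every link that pointed at the old path."""
        for tok in [t for t, (p, _, _) in self._links.items() if p == old_path]:
            del self._links[tok]

    def resolve(self, token, now=None):
        """Return the path the gateway should serve, or None for a dead link."""
        now = time.time() if now is None else now
        entry = self._links.get(token)
        if entry is None:
            return None
        path, _, expires_at = entry
        if expires_at is not None and now >= expires_at:
            del self._links[token]  # managed link past its expiry time
            return None
        return path
```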


Implementing secure document delivery of private data to the iPad

One of the interesting projects we’ve recently been looking at with several customers is implementing secure document delivery of private (and in some cases public) data to the iPad using a combination of our Open Cloud Platform and our iSMEStorage iPad App.

The iPad seems to have become the executive, and salesman’s choice of device for mobility and ease of use. We’re seeing it everywhere from high end Finance to very small two to three man businesses.

What restricts some businesses from being able to use the iPad as a means of accessing Cloud Data that they store on premise or in public Clouds in private accounts is often security. They need a level of security that can be above what is required for normal everyday use. I’ve outlined some of the requirements below:

1. Requirement to have full control over Cloud File Server / Gateway. This requires the company implementing our Open Cloud Platform on their premise or in their data centre. This is reasonably straightforward and we have a whitepaper on the architecture for high availability here.

2. The iPad has to be a complete sandbox and not accessible as a “File system”. Of course, the way Apple designed iOS Apps was that each operates in its own sandbox directory and by default there is no access to different directories from within Apps (unlike Android). However, if the device is jailbroken all bets are off. To this end, we implemented code for such clients that detects if the device is jailbroken when the App is installed or launched. If it is then the App becomes inaccessible.

3. Of course, in point 2 above, if the App is not launched and someone gets access to the filesystem via a jailbreak then the files could still be compromised. To this end we have implemented encryption on PIN. The current version of iSMEStorage already enables adding a PIN over and above login. For private customers we use this PIN to also encrypt the data on the iPad, much like you can do using the home directory encryption that Apple provides on the Mac. This now means that if the device is jailbroken and the App is not launched then the files, even if accessed, cannot be viewed. This feature may well make its way into our App Store iSMEStorage App at some point in the future.

4. In the unlikely event someone does get access to the App then all documents that are accessed can be encrypted using the SMEStorage Cloud Platform which means that a PIN is required to download them to the device (where they are encrypted anyway). The encryption is 256 bit AES encryption.

5. Integration with third party authentication services. A number of clients we’ve worked with have their own third party authentication services. In some cases we’ve needed to look at integrating these into the authentication mechanism used for our iPad App. Two examples are Ping Identity Server and Arcot mobile authentication solution. You can view a short whitepaper on security integration here.

6. Disabling any document sharing with other Apps. This of course makes perfect sense in a world where you want the ultimate security for files and was simply a case of disabling this feature. This presented some challenges where customers still wanted to have some editing capabilities for documents. To this end we entered into OEM agreements with best of breed third party solutions for such private implementations that enable document editing from within the App as well as PDF annotation for PDF documents.

By taking these steps, a secure document delivery solution can be achieved for Private data. Public data, stored on such services as Amazon S3 or RackSpace, can if required also be accessed by “plugging them” in at a Cloud Platform Server level. Additional data becomes part of the Cloud File System and can be managed easily within the virtual directory. The Organisation can use the options in the SMEStorage Cloud File Server to require encryption for all documents stored on such services that pass through the Cloud Gateway.
