In an age where cyber attacks are occurring daily, where even security-focused companies are not immune, and in which third-party embedded components can cause huge disruption, we thought it would be worthwhile to focus a blog post on what we do to protect the File Fabric from third-party software vulnerabilities.
Without a doubt Amazon S3 Object Storage is the big gorilla of the storage world. Many companies, large and small, are using it to store data.
One of the challenges of using Amazon S3 has been how to secure it and how to securely share from it. There have been far too many articles with regards to S3 breaches because of mis-configuration which have been well documented, although Amazon have tried to help combat this with its recent announcement regarding public access setting for S3 buckets.
There are those that think that S3 security is flawed by design. The simple purpose of this post is to present ways in which the Enterprise File Fabric helps to make S3 data more secure.
As Amazon S3 has become more widely used, the thorny issue of sharing files has become more of an issue. Sharing files on S3 can be complex and can involve public buckets, IAM policies and temp URLs. This complexity has often led to companies setting buckets to public to enable access, which in turn has led to its own issues in terms of breaches or unauthorised access.
DropBox has been in the press quite a lot lately with regard to password breaches and also with surreptitious behaviour with regard to machine security on Mac. Although DropBox has started to reassure users with ‘how secure we are’ type information, Corporate IT departments will again feel they have cause for concern with regard to any internal corporate use of DropBox.
So the key question we are asking here is ‘just how do you solve a problem like Dropbox’? Indeed this is a slightly unfair question, in that it is using DropBox to make a point, and the reality is we could have picked on one of several cloud storage services, as Corporate IT has misgivings with anything Cloud when it relates to files.
One of the more frequent requests we have had for the Storage Made Easy Office 365 Connector was to enable users who used their own identity management with Office 365.
This affects users who purchase Office 365 through a reseller / Distributor such as GoDaddy or for companies who are using their own Identity Management with Office 365 for Single Sign On (SSO).
Users who use Office 365 with their own identity management or third party identity management can now also use the SME O365 connector, previously limited only to Microsoft Office 365 OAuth.
This blog post is a technical post outlining the steps needed to deploy the Storage Made Easy Cloud Control Gateway and Enterprise File Share and Sync solution on the Azure IaaS compute infrastructure.
Storage Made Easy provides a private enterprise file share and sync solution that can not only be used with Azure Blob Storage Data but which can also be used as a cloud security point to secure other storage points or sync and share solutions, such as Office365 and SharePoint. We call this Cloud Control and you can read more about it here.
We wanted to provide you with an update on the recently published vulnerability for OpenSSL. Please see here for an explanation regarding the vulnerability.
As soon as we were made aware of this vulnerability we immediately scanned our infrastructure to assess the potential risk.
Our analysis showed that we were not at risk to the vulnerability on our own servers nor on the IaaS or on-site cloud appliances as we are not running an affected version of OpenSSL.
The LastPass Heartbleed checking tool is giving false positives. Please use any of the below sites / services that correctly check for the Heartbleed vulnerability in sites:
We have liaised with LastPass, who are using a different algorithm to issue warnings, and the SME site has been whitelisted.
Many file sharing vendors offer encryption at rest, but the real question is: do they let you manage your own encryption key?
Ask yourself these questions:
– Are you comfortable not controlling your own file encryption?
– Do you have sensitive data you wish to store in the cloud that you do not want to have your file sharing vendor have access to?
– Do you have data that absolutely must have controlled encryption from a legislative view point?
– Do you trust your vendor not to provide a ‘back door’ to the NSA?
Storage Made Easy:
– Offers private key encryption in which the private key is not stored on its hosted platform for all users (including free users).
– Lets you encrypt data stored on any remote cloud including Box, DropBox, Amazon S3 etc.
– Is a UK company that has servers located in the US and in Europe in which no data is shared between the two
– Can provide a completely on-premise solution for Cloud Control and unified joined up file sharing that encompasses all public and private corporate data.
SME puts encryption of your files in your hands, not your vendor’s!
If you had not noticed, there has been a lot of controversy about the recent discovery that companies or individuals are prone to having their activities monitored by the US intelligence services. This is allegedly done under the code name PRISM and again allegedly involves some deep integration with large cloud companies, although many are denying the extent of their participation and service integration.
So what can you do to protect yourself? Below are the top 5 things you should consider as a company and as an individual:
1. Run your own Private Data Cloud: We have been promoting this for a while with the SME Cloud Appliance. Install your own Cloud File Server, use it with your own data, and auditing / governance monitoring, from desktop and mobile clients. It’s behind your firewall and it’s under your control. In short, own your own data.
2. Encrypt your data. If you have to use public cloud services, encrypt your data. SME provides streamed 256 bit SHA-1 AES encryption in which you keep the private key. It’s not anywhere on our SaaS service, and of course if you use the SME on-premise appliance then you have total control. Additionally, consider desktop encryptors such as TrueCrypt and BoxCryptor.
4. Consider using an anonymous proxy that hides your IP address. Tor (originally short for The Onion Router) is free software, available for desktop and mobile clients, for enabling online anonymity. Tor directs Internet traffic through a free, worldwide volunteer network consisting of thousands of relays to conceal a user’s location or usage from anyone conducting network surveillance or traffic analysis.
Also don’t forget that there are many ways to identify you, even if the IP address is ‘randomized’. Either delete your browser cache, history, cookies etc., or consider using anonymous browser sessions, or extensions or add-ins that prevent browser cookies or tracking.
5. Consider the locality of your data. If you are in the UK or EU, do you really want your data hosted in the US and subject to the Patriot Act? If you are in the US (or anywhere in the world), consider point 2 strongly. Private Cloud can offer just as many benefits as public cloud.
An often trotted out phrase is that “if you are doing nothing wrong you have nothing to fear”. With that simple phrase vanish personal freedoms and liberties built up over hundreds of years from the likes of Thomas Paine onwards.
We have for quite a while enabled public/private key AES 256 bit file encryption for files in which the private key is not stored on our servers. Many providers now support their own encryption and what we offer is over and above that (and in many cases our encryption is used as an additional security as it is truly private whereas in most cases the vendor stores the public and private key).
We believe it makes sense for us to support vendor Cloud encryption mechanisms where they add value and are possible. To this end we now support the Amazon S3 Cloud encryption and we’ve made it pretty easy to turn the encryption on, straight from the settings of the S3 provider (accessible from the Web DashBoard):
Once you are in the settings page of the S3 provider you simply turn it on: