Without a doubt Amazon S3 Object Storage is the big gorilla of the storage world. Many companies, large and small, are using it to store data.
One of the challenges of using Amazon S3 has been how to secure it and how to securely share from it. There have been far too many articles with regards to S3 breaches because of mis-configuration which have been well documented, although Amazon have tried to help combat this with its recent announcement regarding public access setting for S3 buckets.
There are those that think that S3 security is flawed by design. The simple purpose of this post is to present ways in which the Enterprise File Fabric helps to make S3 data more secure.
As a reminder the Enterprise File Fabric a software product that can be hosted on-premises, or used from the cloud. At its heart it is a metadata indexing engine for storage with rules and policies to secure and protect data whilst promoting easy secure sharing and collaboration, either from one data endpoint or across multiple storage clouds.
It does not replicate or cache data other than in end user Apps. It provides added value features to existing file or object storage be that on-premises or on-cloud.
- Authentication and Authorisation:
One of the reasons that configuring / working / sharing data from S3 ends up being insecure is because setting up the Identity Access Management and bucket policies becomes unwieldy and complex quickly at any type of scale. We have written a prior blog post about this exact problem.
The File Fabric can easily ingrate companies existing Identity Management (Active, Directory, LDAP, SAML) with Amazon S3 data making the authentication and authorisation of access much easier and more familiar to IT administrators, with a visual permissions console.
- Secure Sharing:
Amazon S3 has the concept of a temporary URL for a file for sharing. Finding tools or Apps that use this mechanism can be difficult and the interfaces clunky. Also someone who obtains the URL prior to expiry could use it to access the content. S3 does supports bucket policies that limit the IP addresses that are allowed access to data but this does not really help for real-time sharing of files.
The File Fabric enables a secure URL to be generate d to share a an object / file. The URL Is private and also had options for further security, such as password protection, number of times it can be downloaded, date expiry etc. If password protection is chosen then there is an option to share the password over SMS by adding your Twilio API Keys.
Buckets or pseudo Folders can be shared in a similar way and with similar password options, but folders also have an ‘anonymous option’ so that users that a URL can be shared and partners or other end users can upload files to an S3 location, without seeing any files that exist in that location.
Note that this can be done from the web, desktop (Mac, Windows, Linux) or the Android or iOS Mobile so it can be done easily ‘on the move’
It is always hard to factor out the human element of security and indeed many of the issues with spilled S3 content revolve around the human factor. If you work on the principle that data may be inadvertently exposed then it makes sense to take adequate protections to protect that data, such as encryption.
Amazon provides its own Server-Side Encryption of data (SSE). This also includes what it defines as SSE-C which enables customers to use their own keys.
The File Fabric supports SSE inclusive of SSE-C but it also provides it’s own transparent encryption, in which customers provide their own keys. When this is used the File Fabric encrypts data streams prior to the final object being stored at rest on Amazon’s S3 storage infrastructure.
If Amazon root keys were exposed or a breach occurred for any reason at all then any fees would not be able to be used without being accessed through the File Fabric (or alternatively one of the stand alone decryption apps).
Although we have discussed specifically Amazon S3 all of what has been discussed also works with Amazon S3 compatible storage or indeed any of the other 60 on-premises and on-cloud storage solutions that the File Fabric supports.