In part 2 of our Cloud File Sharing ChalkTalk series, watch as Ankur Shah does a deep dive into real-world customer use cases for avoiding the compliance and privacy risks associated with file collaboration services. Full transcript below:
Hello. Welcome to one more edition of CipherCloud ChalkTalk. My name is Ankur. I’m head of product at CipherCloud.
In today’s ChalkTalk, we’re going to talk about an important part of CASB and that’s around data security. More specifically, we’re going to talk about file encryption. I’m going to do that by illustrating two use cases that we’ve come to understand through our customers. Following that, I’m going to show you an architectural diagram that demonstrates how we enable those use cases.
One of the customers that we recently came across – they’re in the travel and entertainment business – is storing hundreds of thousands of individual user data into Box. They have PII and PCI data. The customer’s challenge there was they wanted to make sure that that data is protected no matter where it goes. So for that customer, what we have done is enabled DLP based file encryption – such that any time we detect PCI or PII data, we encrypt that data, and make sure that only authorized groups such as HR and finance have access to it.
In addition to that, the customer also wanted to enable folder based encryption, whereby when certain groups upload content in folders designated to them, all files get encrypted irrespective of the content within the file. This ensures that the files are protected no matter where they go. Whether the employees leave the company or stay with the company, only authorized people have access to that.
Yet another use case that we have come to understand through one of our largest healthcare customers is they store patient records, and these are hundreds of thousands of patient records in Box. And they wanted to make sure that when those records that contain ePHI data are stored, only healthcare professionals such as nurses and doctors have access to that. The only way to enable that is to make sure that all the data containing patient health record information is encrypted, such that only healthcare individuals have access to that data. If they share that data externally or with unauthorized users, they never have access to that data.
How it Works – Encryption
Now I’m going to talk about how we enable those use cases. All right. Let’s get right into how the encryption really works. So we have a user that could either be behind the enterprise firewall, or could be external to the corporate premises.
- The first step is that the user uploads a file. Let’s just also say that that also contains patient records or contains credit card numbers.
- Step two is that the cloud providers notify CipherCloud cloud based service that there is an event – in this case it’s a file upload event that took place.
- Step number three, we’re going to scan the file. We’re going to look at the records and if we detect sensitive data or if you detect that they were uploaded on sensitive folders, we are then going to start the encryption process.
- Step 4: The way it works is we’re going to first ask Key Management Service that can either reside on customer premises, or as part of our cloud services – we’re going to ask the KMS service to give us what we call wrapped or encrypted data encryption key.
- Step 5: Once we get the data encryption key, we’re going to use that to encrypt the file and upload the file into the cloud provider. At this stage, you have an encrypted file that is stored in the cloud storage, and only authorized users can have access to it.
How it Works – Decryption
In the last section, we talked about how the file encryption process works. In this segment, let’s understand how the decryption works. The user here in this case has a desktop or a mobile application where they have access to the encrypted file that they downloaded from the cloud application. This document is now secure. So at the initial step, the CipherCloud client, which is available on desktop and mobile client registers with the cloud service to make sure it’s an authorized endpoint.
As the next step, the user tries to open the document. We will then prompt the user to authenticate with the cloud service. Once the user is authenticated, the client is going to ask the CipherCloud cloud service to request access to the document and therefore the encryption keys. Next step, the CipherCloud cloud service is either going to request the on-premise Key Management Service that customer controls or our cloud based KMS service to unwrap the data encryption keys specific to the file. This is to make sure that the master keys never leave the customer premise and customers always have control to that.
Once the unwrapped DEKs (data encryption keys) are retrieved, those keys are returned to the desktop client. The user will then use those keys to open the document. For an end user, all of this process happens behind the scene and it’s pretty seamless. This way we make sure that only authorized users have access to the document. When they leave the company, it’s very easy for us to revoke those keys so that they can never have access to those documents.
With that, we will end today’s ChalkTalk. Hope you enjoyed watching this.
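The wrapped-key flow described in the encryption and decryption sections above, as an added example that is not part of the talk and is not CipherCloud's code. AES-256-GCM, the `Kms` class, the user names, the in-memory access list and storing the wrapped DEK beside the file are all assumptions made for illustration.

```ruby
require 'openssl'

# AES-256-GCM; a sealed blob is nonce (12) || tag (16) || ciphertext.
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv
  body = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + body
end

def unseal(key, blob) # raises OpenSSL::Cipher::CipherError on a bad key or tampering
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  cipher.update(blob.byteslice(28, blob.bytesize)) + cipher.final
end

# Stand-in for the key management service; the master key never leaves it.
class Kms
  attr_reader :authorized # hypothetical access list; delete a user to revoke
  def initialize(authorized)
    @master = OpenSSL::Random.random_bytes(32)
    @authorized = authorized
  end

  # Step 4: a fresh DEK together with its wrapped (encrypted) form.
  def new_dek
    dek = OpenSSL::Random.random_bytes(32)
    [dek, seal(@master, dek)]
  end

  # Unwrap only for a user who is authorized at the time of the request.
  def unwrap(user, wrapped_dek)
    raise SecurityError, "access denied: #{user}" unless @authorized.include?(user)
    unseal(@master, wrapped_dek)
  end
end

# Step 5: encrypt with the DEK; only the wrapped DEK is stored with the file.
def encrypt_file(kms, data)
  dek, wrapped = kms.new_dek
  { wrapped_dek: wrapped, ciphertext: seal(dek, data) }
end

# Decryption: the client obtains the DEK only through an authorized unwrap.
def open_file(kms, user, file)
  unseal(kms.unwrap(user, file[:wrapped_dek]), file[:ciphertext])
end
```

Because every open goes through `unwrap`, removing a user from the access list blocks any later open of a copy that user already downloaded, without re-encrypting the file.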