The cloud storage security gap -- and how to close it

Cloud storage vendors don't provide a comfortable balance for some IT admins, but third-party options get you part way there


Cloud storage is a wonderful thing. It gives IT a central place to manage, secure, and back up company files. It lets users work on their files anywhere, from practically any authorized device, so the days of having to keep multiple copies of files synced across devices (work computer, home computer, mobile devices) are over.

But there’s a potential security gap in cloud storage that means you’re not getting the data security you expect, or you’re forcing users to walk through hoops to get their jobs done. And there’s no elegant solution to the problem today.

Here’s the scenario: IT encourages or requires users to store all work documents in their corporate OneDrive, Dropbox, Box, or Google Drive. Basically, to use it instead of the My Documents folder in Windows or Documents folder in MacOS. To do that effectively, and to maintain usability with users’ computer software, users are running the local virtual disk client for OneDrive, Dropbox, Box, or Google Drive. No more need for thumb drives, emailing of documents to themselves, and the other practices users invented to get their work done wherever, whenever.

Here’s the risk: A Windows PC or Mac running the virtual drive software is stolen or accessed by an unauthorized person. Even if IT cuts off access to the cloud storage service, and to any cloud-subscribed apps like Microsoft’s Office 365 or Google’s G Suite, those virtual drive apps have made local copies of the user’s documents on that computer. So, a data thief could get those local copies of the nominally cloud-stored corporate documents.

Yes, the various virtual drive apps let users choose which folders to sync, so not all files need have local copies on users’ computers. But IT can’t manage those settings, leaving the risk of business files having local copies on compromised computers.

These virtual drive apps store local copies for three reasons:

1. Offline access, which is still often an issue in airplanes, hotels, and conference facilities—even where public Wi-Fi is available, many companies tell users not to use it for fear of man-in-the-middle attacks.

2. Better performance, because local files open and save faster than internet-stored ones.

3. Application compatibility and file usability, meaning the user can access the files in the cloud storage as if it were a local network drive. That lets users open files directly in their device’s applications, whether for editing in Excel, viewing in Acrobat, or attaching to an email. The use of a virtual drive also means that users can directly manage files and folders as they do any other files: move files, delete them, rename them, create folders, and so on. In other words, cloud storage works just like local storage for users.

The web interfaces to cloud storage services don’t let local apps open their files, and the web interfaces are very difficult to use for file management—you can rename and delete files easily enough, but anything else is difficult. Virtual-drive apps are “how the vast, vast, vast majority of Dropbox users connect to Dropbox, and that’s how we encourage users to work with it, rather than via the limited web access,” says Rob Baesman, Dropbox’s product manager for business and enterprise. IT may prefer the security of web-only cloud-storage usage, but it’s not operationally realistic.

Microsoft Office 2016 apps can open OneDrive-stored Office files directly, but this direct link between Office 2016 and cloud-stored office files doesn’t help in working with other file formats or applications. Ditto for Google’s mobile-only G Suite productivity apps. So they’re not the answer, either, even if they can help.

This last issue—application compatibility and file usability—is a big one, because it makes companies choose between assured security and user productivity. If a company allows only web access to cloud-stored documents, we all know what will happen: Users will just download the files or the virtual drive apps themselves to work around the usability barriers, or they’ll just defer work as long as they can, especially when offsite. Users are biased to getting their jobs done, so preventing that is a recipe for compliance disaster.

The good news is that the mobile iOS and Android virtual drive apps for Box, Dropbox, Google Drive, and OneDrive don’t keep local copies of cloud-stored files. The bad news is that their Windows and MacOS computer apps do, and computers are both more likely to be where users work with files and less secured than mobile devices. 

Oh, and mobile cloud-storage apps may also soon begin keeping local copies of cloud-stored data available for offline use. In fact, Dropbox announced today that it will soon let users select folders to keep locally synced copies of for offline use on iOS and Android devices. Box already offers this capability. Can automatic local retention be far behind in mobile, too?

Of course, before you panic, you have to decide if this data-loss scenario is worth losing sleep over. If it were a common one, I believe you’d see non-local-sync or other protection options already in place from the cloud storage vendors. The fact they haven’t done so is telling.

If this security risk is one you deem critical, there’s no good solution to this dilemma for computers, where the local syncing occurs. But there are options IT can consider to reduce the risk of the necessary usage of virtual-drive access to cloud storage.

Option 1: Enforce or provide encryption

One is to enforce encryption (and thus passwords) on user devices. That’s easy to do for iOS and Android, but not so easy for Windows and MacOS—especially on users’ personal computers. Still, you can use management policies to prevent corporate access from unencrypted computers, even if you can’t remotely enable encryption on them. Encryption will block most unauthorized access—as long as the user passwords aren’t easily guessed, of course.

There are third-party tools to encrypt cloud-stored files, such as Secomba’s Boxcryptor, which works with all major storage services on all four major computer and mobile operating systems—Windows, MacOS, iOS, and Android—plus in beta for Chrome OS. Volume licenses cost $8 per user per month.

Such cross-platform encryption would deter data thieves, but it requires users to manually encrypt files or move them into the encrypted folders. So you’re relying on users to know when to go through these extra steps—and then perform them. That’s a long shot.
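One practical way to act on the "prevent corporate access from unencrypted computers" idea from Option 1 is to check, on each managed Windows PC, whether the volume that actually holds the sync folders is encrypted. The PowerShell below is an added example written for this article, not code from any of the vendors named here; it assumes the BitLocker module is available and the script runs elevated, that OneDrive publishes its sync root in the OneDrive and OneDriveCommercial environment variables, and that Dropbox records its folder path in info.json under %APPDATA% or %LOCALAPPDATA%. Box and Google Drive are not located because their folder locations vary by deployment.

```powershell
# Added example: report whether the volumes holding OneDrive and Dropbox sync
# folders on this Windows PC are BitLocker-protected.
# Assumptions: BitLocker module present, elevated session, OneDrive exposes its
# root via the OneDrive / OneDriveCommercial environment variables, and Dropbox
# writes its folder path to %APPDATA%\Dropbox\info.json or %LOCALAPPDATA%\Dropbox\info.json.

function Get-SyncRoots {
    $roots = @{}
    foreach ($name in 'OneDrive', 'OneDriveCommercial') {
        $value = [Environment]::GetEnvironmentVariable($name)
        if ($value) { $roots[$name] = $value }
    }
    foreach ($base in $env:APPDATA, $env:LOCALAPPDATA) {
        $info = Join-Path $base 'Dropbox\info.json'
        if (Test-Path $info) {
            $json = Get-Content $info -Raw | ConvertFrom-Json
            # Dropbox lists one entry per linked account type (personal / business)
            foreach ($account in 'personal', 'business') {
                if ($json.$account.path) { $roots["Dropbox ($account)"] = $json.$account.path }
            }
        }
    }
    return $roots
}

function Test-SyncRootEncryption {
    $results = foreach ($entry in (Get-SyncRoots).GetEnumerator()) {
        $drive = Split-Path -Qualifier $entry.Value   # e.g. "C:"
        $vol = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service    = $entry.Key
            Path       = $entry.Value
            Volume     = $drive
            Protection = if ($vol) { $vol.ProtectionStatus } else { 'Unknown' }
            Status     = if ($vol) { $vol.VolumeStatus } else { 'Unknown' }
            # Compliant only when protection is on AND encryption has finished;
            # a volume still encrypting leaves plaintext sectors behind.
            Compliant  = [bool]($vol -and $vol.ProtectionStatus -eq 'On' -and
                                $vol.VolumeStatus -eq 'FullyEncrypted')
        }
    }
    return $results
}

Test-SyncRootEncryption | Format-Table -AutoSize
```

Feed the Compliant column to whatever management tool gates corporate access; a machine with a synced folder on an unencrypted volume is exactly the stolen-laptop case the article describes.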

Option 2: Use digital rights management

Another step is to use digital rights management software that combines access management and encryption. These tools aren’t cheap, and they require IT administration, but they do the job if securing business data is a paramount need.

If you’re a Microsoft shop—as most enterprises are—using OneDrive and/or SharePoint, that means you should look at Microsoft’s Azure Information Protection technology, an add-on to an Office 365 subscription. This set of tools encapsulates files with digital rights management, requiring a key to access—it’s sort of file-specific encryption.

There are several versions of Azure IP, so the degree of protection varies based on how much you’re willing to spend, but caveats common to all are that support for non-Microsoft apps, file formats, and operating systems is inconsistent and often nonexistent. For example, Azure IP now supports only Windows users, though Microsoft tells me that support for MacOS, iOS, and Android is coming “soon.”

There are third-party providers for access management and encryption of cloud storage as well, including Vera (for Box, Dropbox, and OneDrive), Barracuda Networks’ Sookasa subsidiary (for Dropbox and Google Drive), and nCrypted Cloud (for Box, Dropbox, Google Drive, and OneDrive).

You might also be able to remove the virtual drive app, along with its files, from at least some of the user’s devices using an enterprise mobility management suite or using the admin console for the enterprise editions of Box or Dropbox. But not all EMM tools support selective wiping on Windows or MacOS, and even where they do, a data thief would know to not make an internet connection that would trigger the wipe, system lockout, or other remote IT remediation.

Option 3: Use a third-party virtual drive app

For Windows and MacOS, ExpanDrive creates virtual drives for Amazon S3, Box, Dropbox, FTP and SFTP, Google Drive, OneDrive, and WebDAV servers, plus some other obscure services.

Unlike the native virtual drive apps for Box, Dropbox, Google Drive, and OneDrive, ExpanDrive’s virtual drives don’t sync a local copy; files are kept on the cloud service (and in device memory while being used, of course). That means users need an internet connection to work with cloud-stored files. But it also means no local copies are left behind for an unauthorized user to access.

A Mac-only option is Eltima Software’s CloudMounter, which creates virtual drives for Amazon S3, Dropbox, FTP and SFTP, Google Drive, OneDrive, and WebDAV servers. (Note the omission of Box.) It works like ExpanDrive.

Both ExpanDrive and CloudMounter have user settings for auto-mounting their virtual cloud drives, so once set up any user of the computer could get to the cloud-stored files. That’ll concern IT, but it’s not such a big deal in practice. For one, Box, Dropbox, Google Drive, and OneDrive all give users the same auto-mounting option. And if IT disables access to the cloud service, there’s nothing for ExpanDrive or CloudMounter to mount—and no local synced files remaining, as there are in the case of Box, Dropbox, Google Drive, and OneDrive.

Do note that both ExpanDrive and CloudMounter have negatives:

  • Both keep a cached copy of a recently opened file available even if your computer loses its internet connection—that cached copy remains on the computer until you restart it.
  • Both can have long latency in file access and updates, so if a file is deleted or added somewhere else, you may not see the change for seconds or minutes.
  • Neither app updates renamed files, so your filenames get out of sync between the local virtual drive and the cloud storage.
  • File versioning is lost in at least some file types.

(Shout-out to the Technology Support Group at InfoWorld’s parent company, IDG, for testing these apps from an IT-management perspective.)

Plus, even if users have ExpanDrive or CloudMounter, it’s difficult to stop them from installing the cloud storage service’s native app directly to gain that offline access many want. But you can block their installation on managed computers and mobile devices. The big question is how far to intrude on users’ personal devices, especially if they use cloud services for personal storage, which you don’t want to block access to.

If its limitations are acceptable, ExpanDrive is available for Windows and MacOS, and costs $50 for a single-user license (not single-computer). There are three-user licenses for $130, five-user for $200, ten-user for $350, and 25-user for $750. If you want all future upgrades prepaid, that adds $75 per user to the cost. Otherwise, each upgrade will cost you.

And if its limitations are acceptable, CloudMounter costs $30 for a single Mac (not single user), $100 for five Macs, and $150 for 50 Macs. You can prepay for all future upgrades, for $15 for a single-Mac license, $50 for a five-Mac license, and $75 for a 50-Mac license. The company says it’s working on an iOS version for release next year, and might one day deliver versions for Windows and Android.

Finally, in Windows with OneDrive, you can set OneDrive (as well as SharePoint) as network drives, not app-based virtual drives. Network drives don’t keep local copies of files synced to the PC; they also don’t support OneDrive’s various sharing and collaboration features, as the OneDrive app does.

What cloud storage vendors could do—and why they won’t

What would really help is if the various virtual drive apps—Box, Dropbox, Google Drive, and OneDrive—for Windows and MacOS had either:

  • a no-local-copy option, so they would work like ExpanDrive or CloudMounter.
  • an option to encrypt their local copies, with a password required to access those copies each time the computer boots (somewhat like Boxcryptor, but for all cloud-synced files).

Either option should be IT-manageable for their business versions, of course—a failing of ExpanDrive and CloudMounter.

For the first option, Microsoft’s OneDrive used to work that way, providing what were called placeholders (aliases) to cloud-stored items rather than keeping a local copy. But Microsoft removed that functionality in Windows 8.1 because the feature confused users, who couldn’t tell which files were locally synced and which were aliases to the cloud storage.

Microsoft said this fall it would bring back the placeholder feature, renamed On-Demand, some time in 2017, but it’s unclear how it will work and if it will be available outside Windows. (Microsoft tells me, “We have nothing more to share at this time.”) To be effective for IT, admins would need to be able to set permissions for whether local syncing is ever allowed, which may not be an option given Microsoft’s history with OneDrive and its current focus on Azure ID.

Dropbox has its own placeholder technology coming, called Project Infinite; it’s now in private beta. It syncs only files that users actually open, not all files as the current Dropbox client does. But Dropbox’s Baesman says it won’t have a sync-only option because user testing showed that was simply too slow; he recommends using third-party encryption tools instead.

For that second option of a password-protected, encrypted local store, the use of third-party tools is again Baesman’s recommendation.

My take is that IT should not expect any changes in the foreseeable future to the status quo. The convenience and productivity advantage of local sync far outweighs the risk of a compromised computer. And there are other ways to reduce that compromised-computer risk, particularly lost-device lock and wipe, mandatory device encryption, and the use of rights-managed individual-file encryption. Those techniques also protect local files, not just cloud-stored ones.

This story, "The cloud storage security gap -- and how to close it" was originally published by InfoWorld.

Copyright © 2016 IDG Communications, Inc.
