By Jonathan Gohstand
The increasingly global nature of business requires companies to collaborate more and more across borders, exchanging all manner of documents: contracts, engineering documents and other intellectual property, customer lists, marketing programs and materials, and so on. Unfortunately, the combination of recent NSA revelations and new European regulations are likely to make the challenge of securing business data even more difficult than it already is. It is therefore likely that new approaches will be needed that more easily allow trust across borders for confidential document exchange.
Evolving Regulatory Environments
Data shared across national boundaries may be subject to multiple legal frameworks depending on the nature of the information. The regulatory environment in the European Union is evolving significantly, with countries working to update their laws and regulations to protect citizens’ electronic data, even when it is held outside the EU. This includes almost everything a person might post to the internet, including photos, blogs and so on. The concern is that the EU will strengthen its regulations to a level that will be extremely difficult and expensive for companies to comply with.
There is currently an agreement with the EU (“Safe Harbor”) that US companies can voluntarily participate in if they are holding EU citizens’ data. That agreement could be replaced by much more stringent requirements, though they will not take effect before 2016. US companies are required to implement a number of protections for citizen data under the EU agreement, and there is no provision that allows them to release personal data to the government.
All of these developments were in play before the Edward Snowden revelations took place. Since then, European attitudes on data privacy have hardened even further. In the meantime, attitudes in the rest of the world toward US-based service providers have also soured. To make matters worse, the Snowden information leaks not only exposed “NSA snooping”, it also raised suspicions that some vendor equipment and standardized algorithms may have been compromised with backdoors or weaknesses.
New Reality Is Impacting Cloud Sharing
Meanwhile, organizations are seeking to leverage cloud computing as much as possible for business agility and cost control reasons. The natural choice will be to use a cloud-based document sharing provider for external collaboration. A big reason for this is that business partners need to update documents, not just read them. Granting such access to data inside an organization’s data center is problematic from both a security and administrative perspective.
Given this quagmire, organizations that want to use a cloud provider for external collaboration across international boundaries have two choices, both of which are problematic:
- US Provider: This is a good option for organizations that prefer to use a well-established provider, are not worried about the government or NSA accessing their content and are not concerned about equipment backdoors. But it may not be acceptable to your international business partners.
- Non-US Provider: This approach may appeal to organizations that want to allay concerns expressed by their foreign partners, especially those in Europe, about US government access to their data. However, a European operator is unlikely to be as well established as a US cloud provider, US businesses will not have any realistic leverage with them and foreign governments are known to dabble in data interception themselves. Finally, depending on who the organization is doing business with, they may face resistance from a non-European partner not willing to use a European cloud provider.
Given these alternatives, some organizations may be tempted to just give up and keep data internal. This approach reintroduces the security and management headaches that most companies were trying to eliminate by adopting cloud sharing in the first place. It also poses a problem for the organization’s partners because they will need to manage a different access model for every business with which they collaborate.
Federation May be the Answer
Fortunately, new federated encryption and key management technologies have emerged to addresses these problems. As a starting point, consider encryption. Crypto is an obvious solution to the cloud provider dilemma for international collaboration. If the data is encrypted then it should be protected from unauthorized access. In reality, it’s not that simple.
In most environments, the cloud provider is performing the encryption. As a result, the provider could receive a lawful request to access data under their control or their systems could be compromised. Both would result in a data breach. Furthermore, some providers may not encrypt data end-to-end. This fact alone may cause European organizations to balk, particularly if regulated data is involved.
There are other options that move control of encryption keys into the hands of data owners. However, most require a “trusted third party” to handle encryption support services such as key management, opening another hole, and inviting problems with European regulations.
Replacing Trust with Trustworthiness
A new class of federation and mediation technologies offers the best hope for cross-border encryption. In this model, the central cloud service provider does not need to be “trusted”. Instead, they serve a “mediator” to facilitate secure document collaboration, but do not have the necessary data access privileges or keys to actually decrypt files or access them in an unencrypted form.
This architecture consists of a mediator and two or more end-user software elements, and works as follows:
- The central (cloud-based) mediator receives enrollment requests from the various users who want to collaborate. No distinction is made between the users based on location – they can be anywhere.
- The meditator enrolls these users into a cryptographically protected group, and establishes a data repository for the documents that will be shared. Using advanced key management techniques, the relevant key material is fragmented, re-encrypted and distributed. As a result, the mediator does not end up with enough key material to decrypt anything, and each user must have the “approval” of the mediator to decrypt documents in the group repository. Note that because documents are initially encrypted at the end stations and the mediator cannot decrypt them, this architecture has removed the need for a “trusted third party” in the cloud.
- As users submit documents into the shared repository, these are encrypted and the activity logged.
- When any user tries to access a document, they submit their (cryptographically authenticated) credentials to the mediator. If the mediator concurs that the request is valid, a portion of key material is released to the requesting user. This missing key fragment plus the user’s own key material, allow the document to be decrypted.
Advancing Security through Mediation
Besides delivering confidentiality, this federated architecture offers advanced services that basic encryption facilities do not. The key enabler is the mediation function: since it serves as gatekeeper for data access. Using the mediator, business partners can pre-agree on special conditions for document access, in addition to the normal release that takes place when participating users authenticate themselves to the system.
As a simple example, access revocation becomes trivial. If the group agrees to revoke a person’s access to documents, the mediator can be instructed to deny access to that person, and immediately this request is implemented, since the mediator must approve all document release. Contrast this with certificate revocation, which can take a significant amount of time before actually terminating access.
For a more powerful example, let’s assume that collaborating companies agree that they want to ensure that if their participating end-user is on vacation or leaves the company, protected documents can still be accessed. Using the mediator, they would establish a cryptographically protected “release circuit,” which would authorize document access when a combination of other staff agrees.
A typical example might be the combination of a member of the executive team, an IT administrator, and a representative from HR. A member of all three teams would need to authorize the release using a cryptographically secure process. Only then would the document be decrypted and delivered to whomever the team selects. The mediator logs all this activity in an encrypted, centralized log facility. Since all participants can audit activity, there’s no risk of a rogue IT person compromising the logs.
A federated architecture also supports controlled access within documents for searching and eDiscovery. When an end-station encrypts a file, it can also extract metadata (including keywords, revision history, etc.), encrypt that metadata using a different set of keys, and pass it to the mediator for storage. As with the document itself, mediators on their own cannot decrypt the metadata. However, mediators can implement a [circuit] for metadata release. For example, business partners could agree that a combination of an executive and an IT person at any collaborating firm can “unlock” the metadata, so that they can being an eDiscovery search or security investigation. Once they find the document subset of interest (if any), they can initiate the (more restrictive) document release process on just those files. In this way, the companies involved can still meet their data governance requirements without compromising overall security.
Conclusions
Privacy concerns and emerging government regulations are making secure document sharing across international boundaries significantly more difficult and expensive to implement. This threatens the ability of organizations to move to cloud-based solutions, decreasing agility and efficiency. Fortunately, new security architectures such as federated and mediated encryption are capable of meeting these challenges.
Like all privacy systems, such technologies must be properly deployed and maintained to be effective. Since they eliminate the need for a trusted third party in the cloud, they offer the best hope for establishing a trustworthy framework for secure document collaboration locally or internationally.
Jonathan Gohstand is an expert in security and virtualization technologies, and vice president of Products & Marketing at AlephCloud, a provider of cloud content privacy solutions.