2. With the cloud being an essential part of so many IT organizations, best practices have emerged to help IT evaluate the right vendors’ ability to meet mission-critical security needs.
The following slides outline the basic cloud features any vendor should have, as well as basic and advanced security measures.
This ebook is based on “The Security Pro’s Guide to Cloud File Storage and Collaboration” by Securosis, September 12, 2014
3. Basic Cloud File Sharing Features
STORE
Store files with user-controlled recovery
SYNC
Silently sync local directory with the server
SHARE
Share in/out of the organization at a file or folder level
VIEW
Has an in-browser viewer
COLLABORATE
Can add comments on documents in a web interface
WEB/MOBILE SUPPORT
Can access files from web/mobile
INTEGRATE VIA APIs
Able to integrate directly with other platforms
MANAGE CONTENT
Organize files and folders, manage versions, and check-in/check-out
4. Core Security Features: Security Baseline
DATA CENTER SECURITY
Includes physical controls, logistical controls, and third-party certifications like SOC 2 or ISO 27001
BUSINESS CONTINUITY
Provider has a plan for catastrophes such as power outages
APPLICATION SECURITY
Free from vulnerabilities to SQL injection, cross-site scripting (XSS), CSRF and other application and business logic attacks
INTERNAL CONTROLS
Well-documented internal controls to prevent outside/inside attacks
TRANSPARENCY, STAFFING AND DOCUMENTATION
Includes a dedicated team, transparent operations, and good documentation
ENCRYPTION
All customer data should be encrypted at rest and in transit
5. Core Security Features: Identity and Access Management Features
SERVICE IDENTITY
When sharing documents externally, collaborators should not be required to register with your internal identity provider.
FEDERATION AND SSO
Support internal identity for automatic registration with the service. SAML is preferred.
TWO FACTOR AUTHENTICATION
Users are required to enter a second piece of ID
AUTHORIZATION AND ACCESS CONTROLS
Permissions should be at the directory, subdirectory and file level and integrate internal, external and anonymous users
DEVICE CONTROL MANAGEMENT
Administrators can manage which devices users use to access the system
CENTRALIZED MANAGEMENT
Administrators can manage all permissions and sharing through the web interface
6. Core Security Features: Audit and Transparency
COMPLETE AUDIT LOGS
Contains user, device, file accessed, activity performed, and metadata such as time and location
LOG DURATION
Does it ever expire?
LOG MANAGEMENT AND VISIBILITY
How do you access it and how easy is it to use?
INTEGRATION AND EXPORT
You should be able to export the logs and integrate them with other logs
7. Advanced Security Features: Universal Search and Investigation Support
With a centralized service, you can easily track down files and logs to determine if leaks happen. This is a powerful security feature.
Search features let you search your entire index for keywords or content.
8. Advanced Security Features: Client-Managed Encryption
Two Options For Client-Managed Encryption
1. Cloud platform endpoint agents handle encryption
2. Cloud platform manages encryption in their backend, but offers key management to enterprise users. Customer has exclusive access to encryption keys.
In both cases you will need your own Key Management Infrastructure
9. Advanced Security Features: Data Loss Prevention
• Good data loss prevention will include full-text indexing and search + audit log of all activity associated with a file. Third-party DLP integration may provide more capabilities.
• Bonus points for real-time monitoring of content
Advanced Security Features: Information Rights Management
DEFINITION:
Limiting usage of a file according to access policies
EXAMPLE:
• You can let someone view a file, but not email, share or download it
• Protects against copy and printing
10. Advanced Security Features: Device Security
• Restrict access only to approved devices
• Prevent offline access
• Prevent data leakage through copy/paste and “Open in” other applications
Advanced Security Features: API Support
Robust APIs are quickly becoming standard. They should be able to integrate with all tools, future and existing.
11. Advanced Security Features: Security Tool Integrations
STANDARD INTEGRATIONS:
• Cloud security gateways
• eDiscovery
• Data loss prevention (DLP)
• Mobile device management
• SIEM/log management
12. For more information:
Download: The Security Pro’s Guide to Cloud File Storage and Collaboration