A Cloud-based software service is a software service where it is not important to understand who or where the host of the service is. Cloud-based solutions offer a value proposition to companies who wish to enable a mobile workforce so it is tempting to use them for as much as possible and even access to critical company information. Cloud-based solutions are challenging the traditional boundary between “inside” and “outside” the network. Cloud-based solutions for team collaboration, team file sharing, and group email systems are key offerings in the software as a service (SaaS) marketplace.
A security challenge exists when business critical information is entrusted to an external service provider in the Cloud because that external service provider is unknown. The main concern is around confidentiality of the information; if business critical information is stored with an unknown external service provider, how can a business be sure that it is not inadvertently revealed to the unauthorized party? A standard approach to solving this problem is through the use of cryptography. It is well understood how to use a combination of symmetric algorithms (for example, data encryption standard (DES), international data encryption algorithm (IDEA) and advanced encryption standard (AES)) to encrypt large volumes of data, while using public-private key algorithms to perform key-exchange and non-repudiation of endpoint identity.
While cryptography solves the issue of confidentiality in the Cloud for file storage, it comes with certain limitations. A file can be encrypted at one of two points; by a user on their client system prior to sending to the Cloud, or in the Cloud server itself. If a user encrypts a file at their desktop then there is an issue of key management for a large number of end-user points, potentially numbered in the thousands for enterprise users. Additionally users can forget to encrypt files before sending them into the Cloud. If the files are encrypted on the server then the decision making process can be simplified for the user; all files are encrypted by default. But then the server must manage the encryption keys, and becomes a primary target for attackers. If the server encryption key store is compromised then all file contents are revealed, with disastrous consequences.
Known file servers can encrypt files stored on the file server but if an attacker breaks into the file server then security is compromised because files and keys are stored together.