March 13, 2023
Cloud-based file sharing supports seamless collaboration and the free flow of information across enterprises. However, improperly secured file shares can expose the enterprise to significant cloud security threats in the face of malicious attacks or human error. How can you secure your cloud file sharing solutions?
In this blog we examine potential cloud security risks related to file shares and how those risks can be mitigated. We’ll also look at how NetApp’s Cloud Volumes ONTAP adds important file share protection capabilities.
Use the links below to jump down to the sections on:
- Tools That Mitigate Cloud File Share Risks
- How BlueXP Cloud Volumes ONTAP Supports Secure File Sharing
- Beyond File Share Security
Secure File Sharing: A Top Security Priority
It’s critical to remember that in the cloud’s IaaS and PaaS service models, the onus of both data loss protection and data loss prevention lies completely with the customer. Even in the SaaS service model, the end-user is responsible for determining which individuals or which roles have access to data.
The cloud service providers offer an array of cloud-native security features and managed services to support cloud data protection efforts and secure file shares. For example, cloud storage providers can typically encrypt data at rest and often offer encryption key management services, such as Google Cloud’s GMEK. The cloud providers also offer the option of encrypting data in transit as it moves in and out of the cloud’s network. They also offer cloud activity monitoring services, such as Amazon CloudWatch and Azure Monitor, that can alert users about anomalous events.
However, no tool or service can secure file shares if the organization lacks the cloud security expertise to avoid the following poor practices:
- Undefined or unenforced corporate policies for sharing information, such as inadequate classification of data according to sensitivity levels and security control requirements.
- Granting overly permissive access to file shares by users or applications.
- Failure to implement automated policy-based constraints such as reasonable timeframes for revoking access or content expiry.
- Implementing person-to-person sharing directly on IaaS storage.
- Unobfuscated—i.e., openly readable—file share URL links.
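The poor practices listed above can be checked automatically against a share inventory. The following is an added example, not code from NetApp or from any product on this page: it audits a constructed set of share records for unclassified data, overly permissive grants, missing or over-long expiry, person-to-person sharing directly on IaaS storage, and guessable share links. The record fields, the 90-day limit, and the link-entropy heuristic are assumptions.

```python
from datetime import datetime, timedelta, timezone
import math

# Constructed inventory of cloud file shares (hypothetical, not from any real deployment).
NOW = datetime(2023, 3, 13, tzinfo=timezone.utc)
SHARES = [
    {"name": "finance-q1", "classification": None,
     "grants": [{"principal": "Everyone", "access": "full_control"}],
     "expires": None, "storage": "iaas-bucket",
     "link": "https://files.example.com/s/finance"},
    {"name": "hr-onboarding", "classification": "confidential",
     "grants": [{"principal": "group:hr", "access": "read"}],
     "expires": NOW + timedelta(days=14), "storage": "managed-nas",
     "link": "https://files.example.com/s/8f3a9c2e7b1d4e6fa0b5c7d9e1f2a3b4"},
]
MAX_SHARE_DAYS = 90                       # assumed policy limit for share lifetime
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "anonymous"}

def link_entropy_bits(link):
    """Rough entropy of the last URL path segment (assumed heuristic):
    length times log2 of the number of distinct characters, so a plain
    word like 'finance' scores far below a 32-char random hex token."""
    token = link.rstrip("/").rsplit("/", 1)[-1]
    alphabet = len(set(token))
    return len(token) * math.log2(alphabet) if alphabet > 1 else 0.0

def audit_share(share, now=NOW):
    """Return the list of poor-practice findings for one share record."""
    findings = []
    if not share.get("classification"):
        findings.append("unclassified")           # no sensitivity label assigned
    for g in share["grants"]:
        if g["principal"] in BROAD_PRINCIPALS or g["access"] == "full_control":
            findings.append(f"overly-permissive:{g['principal']}")
    exp = share.get("expires")
    if exp is None or exp - now > timedelta(days=MAX_SHARE_DAYS):
        findings.append("no-expiry")              # no reasonable revocation window
    if share["storage"] == "iaas-bucket":
        findings.append("direct-iaas-sharing")    # sharing straight from raw storage
    if link_entropy_bits(share["link"]) < 64:
        findings.append("guessable-link")         # openly readable / predictable URL
    return findings

def audit_inventory(shares, now=NOW):
    """Map each share name to its findings; an empty list means it passed."""
    return {s["name"]: audit_share(s, now) for s in shares}

if __name__ == "__main__":
    for name, findings in audit_inventory(SHARES).items():
        print(name, findings or "OK")
```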
Tools That Mitigate Cloud File Share Risks
Through the cloud service partner networks, cloud users also have access to tightly integrated third-party vendor tools that provide visibility into and robust corporate control of file shares across multiple applications and complex multicloud and hybrid infrastructures.
- Cloud Access Security Brokers (CASB)
CASBs are typically deployed as gatekeepers interposed between internal and external end-users and the organization’s cloud infrastructure. CASBs provide central IT with full visibility into cloud service usage and automatically identify high-risk users, apps, and activities. Most CASBs provide access controls that prevent unsanctioned access to data as well as trigger risk mitigation workflows. Next-generation CASBs often use machine learning, artificial intelligence, and behavior analytics to predict and preempt security and ransomware threats.
- Data Loss Protection and Prevention (DLP) Software
DLP tools ensure that sensitive and business-critical data is protected against loss or exfiltration due to accidental or malicious unauthorized access. Although DLP engines are often included in CASB platforms, they are also available as standalone solutions. DLP tools monitor networks, storage and endpoints to identify and block activities that could lead to data exposure, loss, corruption or leakage.
- Digital Rights Management (DRM) Services
DRM is a set of tools and practices that protect copyrighted and/or confidential digital media—including file shares—from unauthorized copying and redistribution. DRM tools support secure file shares by tracking and auditing which users are accessing files through which devices. Enterprise-grade DRM tools typically offer highly-secure encryption, protection at the file level, and analytics for control and visibility into how digital assets are being consumed.
How BlueXP Cloud Volumes ONTAP Supports Secure File Sharing
BlueXP Cloud Volumes ONTAP is an enterprise-grade software-defined storage (SDS) solution and management platform that runs on AWS, Azure, and Google Cloud. Through BlueXP, users get a unified single pane to configure and manage file shares across hybrid and multicloud deployments, complete with automated workflows. It supports all major NAS file share protocols, including SMB/CIFS and NFS, as well as block-level SAN/iSCSI storage protocols.
Since security is non-negotiable, BlueXP and Cloud Volumes ONTAP are equipped with a host of features to help you leverage file shares securely in hybrid and multicloud environments:
- Data protection with point-in-time incremental backups based on NetApp Snapshot™ copies and automatic DR processes.
- Cloud Backup makes it possible to automatically create low-cost object-based copies of your file share data that are stored either in the cloud or on-prem using NetApp StorageGRID® appliances.
- BlueXP ransomware protection keeps data at the center of your anti-ransomware efforts, scanning your file shares both in the cloud and on-prem for security vulnerabilities and signs of malware, and delivering alerts about potential risks so you can remediate them or respond if an attack is already underway.
- Cloud-based WORM storage can prevent accidental or intentional changes to or deletion of shared files.
- Data encryption in flight for SMB3+/NFS4.1+ protocols and at rest through a number of encryption technologies, including external key management servers, XTS-AES-256 keys, NetApp Volume Encryption (NVE), and the native cloud provider key management services.
- Tight integration with all the leading access control protocols such as Microsoft AD, LDAP, VPC, Amazon IAM, as well as built-in user and multi-tenancy management.
- Dedicated network connections so that file shares do not transit the Internet.
- User roles define which actions each user is allowed to perform in BlueXP.
- SSO and identity federation provide uniform ways to access file shares.
- File-level permissions can lock specific files from being accessed.
Read more about secure file sharing and the security features Cloud Volumes ONTAP uses to keep enterprises and their file data safe.
Beyond File Share Security
Cloud-based file shares have become an important business enabler, allowing information to flow freely among employees, customers, and partners. However, it’s up to you to make sure leveraging the benefits of cloud file sharing doesn’t expose your data to increased risks of loss, corruption, or exfiltration.
The IT and security teams tasked with establishing and enforcing data security best practices can build a robust data security technology stack using cloud-native as well as third-party services and tools, but they can go much further with the help of Cloud Volumes ONTAP and BlueXP.
Beyond security, file sharing with Cloud Volumes ONTAP provides users with access to secure file storage services on AWS, Azure, and Google Cloud that can meet enterprise-scale requirements for high availability to ensure business continuity, zero-capacity cloning to speed up DevOps pipelines, BlueXP edge caching to consolidate files in a central repository for lower-latency remote access, NetApp FlexCache® to bring data closer to disparate users, and much more.