
A common feature of enterprise environments today is mobility. Many organizations require digital workflows across many different locations, not just behind a single network perimeter. Cloud computing is the cornerstone of this kind of work, with many platforms that let users work and save changes from any location. Small business owners may be especially attracted to these platforms, since they offload much of the backend management to a third party. Cloud storage solutions are especially attractive in these environments, since they remove the need for on-site NAS and file server devices while also allowing files to be edited remotely and the changes synced. As with any cloud platform, cloud storage requires security hardening to protect company data as it traverses the Internet.
The most common cloud file storage and sharing platforms are OneDrive, Dropbox, and Google Drive. Both OneDrive and Google Drive are part of larger cloud computing platforms provided by Microsoft and Google, respectively. Dropbox is a standalone platform. Regardless of which platform you use (many businesses use multiple), the same common-sense security practices apply.
It is important to ensure that both a strong password and multifactor authentication are in place on all cloud storage accounts. A compromise of any cloud storage account can result in sensitive company data being exfiltrated and published by a threat actor. Requiring strong passwords in compliance with your Password Policy and adding MFA on top is a great first defense against account compromise. In the case of OneDrive and Google Drive, you should already have MFA enabled as part of the wider Microsoft/Google cloud platforms. If possible, opt for an authenticator app or security key rather than SMS codes. All three major platforms allow for Identity Federation/Single Sign-On (SSO) access, either through the vendor’s IAM solution (Azure AD, Google Workspace) or third-party federation. For better usability and consistency of workplace identities, opt to use these features if you can.
Within the cloud platforms, sharing permissions allow users to fine-tune who has access to the files and folders they store. A OneDrive user may want to share a report with other employees collaborating on a project. A wedding photographer may want to share a folder full of recent photos outside their domain with the bride. The ability to do this is a massive help to productivity, but access control needs to be closely monitored to prevent data leakage. These platforms usually include options to share with “people in your organization”, “specific people”, and “anyone with the link”. The principle of least privilege should be used here; make sure to avoid selecting “anyone with the link” under any circumstances. Sensitive project or committee documents should be shared with specific employee accounts, not with every single person in the organization. It should be an automatic practice to double-check sharing permissions before sending any file. These platforms will also often provide an option to set an expiration date for shared data. When sharing files with clients or stakeholders outside your organization, set an appropriate expiration date to prevent the data from being accessed beyond the necessary timeframe.
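As an added illustration of the sharing rules above (example code, not from the original guide or from any vendor's tooling), the following Python audits a constructed snapshot of share records against those rules: no “anyone with the link” shares, sensitive files not shared organization-wide, and external shares carrying a short expiry. The record format, the tenant domain, the classification labels and the 30-day limit are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed snapshot of active shares, in the shape an export or audit
# log might list them (field names are assumptions, not a vendor schema).
SAMPLE_SHARES = """
{"file":"/Projects/Q1-report.docx","classification":"confidential","scope":"specific","recipients":["bob@example.com"],"expires":null}
{"file":"/Photos/wedding-2024-02.zip","classification":"internal","scope":"anyone","recipients":[],"expires":null}
{"file":"/Committee/budget.xlsx","classification":"restricted","scope":"organization","recipients":[],"expires":null}
{"file":"/Clients/proposal.pdf","classification":"confidential","scope":"specific","recipients":["client@partner.example"],"expires":null}
{"file":"/Clients/sow.pdf","classification":"confidential","scope":"specific","recipients":["client@partner.example"],"expires":"2024-06-01T00:00:00Z"}
{"file":"/Clients/contract.pdf","classification":"confidential","scope":"specific","recipients":["client@partner.example"],"expires":"2024-03-20T00:00:00Z"}
"""

ORG_DOMAIN = "example.com"            # assumed tenant domain
SENSITIVE = {"confidential", "restricted"}
MAX_EXTERNAL_DAYS = 30                # assumed policy limit for outside shares
NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)  # fixed audit time for the sample

def audit_share(share, now):
    """Return the policy findings for one share record (empty list = compliant)."""
    findings = []
    # "Anyone with the link" is never acceptable under the sharing policy.
    if share["scope"] == "anyone":
        findings.append("anyone-with-link")
    # Sensitive documents go to named accounts, not the whole organization.
    if share["scope"] == "organization" and share["classification"] in SENSITIVE:
        findings.append("sensitive-shared-org-wide")
    # Shares to outside addresses must carry a reasonably short expiry.
    external = [r for r in share["recipients"] if not r.lower().endswith("@" + ORG_DOMAIN)]
    if external:
        if share["expires"] is None:
            findings.append("external-no-expiry")
        else:
            expires = datetime.fromisoformat(share["expires"].replace("Z", "+00:00"))
            if (expires - now).days > MAX_EXTERNAL_DAYS:
                findings.append("external-expiry-too-long")
    return findings

def audit_snapshot(text, now=NOW):
    """Parse a JSON-lines snapshot and map each non-compliant file to its findings."""
    report = {}
    for line in text.strip().splitlines():
        share = json.loads(line)
        findings = audit_share(share, now)
        if findings:
            report[share["file"]] = findings
    return report
```

Running `audit_snapshot(SAMPLE_SHARES)` on the constructed data flags four of the six records; the internal share and the external share expiring within 15 days pass.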
These platforms also provide the ability to see active sessions running under your account. It is good practice to review these sessions regularly; if any look abnormal, sign them out remotely and reset your password. These platforms also offer logging options, enabling you to view and review activity on your resources. You should enable this ability and connect the logging function to a Security Information and Event Management (SIEM) appliance for centralized insight.
All three of the major platforms have version control/file backup features that allow users to revert to older copies of files if said files are damaged or lost in some way. OneDrive version restore, Dropbox Rewind, and Google Drive’s version control/trash are the specific feature names. These features are a crucial security control for your environment, as they can allow data recovery in the event of a cybersecurity crisis like a ransomware attack.
Regarding the security of the files themselves, all three platforms use AES-256 encryption for data at rest and TLS for data in transit. This provides a good layer of security for files by itself; however, if you frequently add data in the confidential and restricted classification levels to your storage, you should look into adding additional encryption at the client level. The three platforms offer a desktop version to closely integrate workstation file editing with the cloud. Windows provides BitLocker for client-side encryption, while macOS offers FileVault. You could instead opt to use a third-party encryption platform such as VeraCrypt, Cryptomator, or Boxcryptor.
Your business may use cloud storage for all file transactions with no local file storage in place at all. Therefore, you must pay attention to how your platforms of choice are configured to avoid sensitive data leakage and compromise. Hopefully this guide has pointed you in the right direction towards implementing common-sense controls to help with storage security.
External Links
- Microsoft Security Dashboard
- Microsoft Authentication Settings
- Microsoft Active Devices/Sessions
- Microsoft Sharing Settings
- Dropbox Security Dashboard
- Dropbox 2-Step Verification
- Dropbox Connected Devices
- Dropbox Shared Links
- Google Security Dashboard
- Google 2-Step Verification
- Google Access Permissions
- Google Activity & Devices
- Google Drive Sharing Settings
