Cloud storage and collaboration services like Dropbox are convenient, but not every business is comfortable with the level of security provided. If employees are sharing files with customer information or details of your next product launch, how do you make that more secure? You can hope that employees use a strong password and don't get phished; you can hope that they use multi-factor authentication (MFA); or you can use an identity service like Okta or AzureAD that wraps those services in a single sign-on system and enforces MFA.
Or if you want to be a bit more hands-on about it and get more control over where and when employees can work on cloud files, iStorage's cloudAshur (pronounced 'assure') is a 99 (ex. VAT) rugged hardware key for PCs and Macs that stores encryption keys (AES-ECB or AES-XTS 256-bit) and authenticates the computer when you plug it into a USB port (USB-B rather than USB-C).
Give each employee a key and the cloudAshur software, and both local files and files stored in the cloud and shared with colleagues via cloudAshur can be encrypted. They can only be viewed or edited after the physical key is placed into a USB port, a 7-15 digit PIN typed in on the keypad, and a username and password entered into the cloudAshur software to sign into the cloud account. An attacker who successfully phishes for the cloud storage credentials will only see encrypted .IST files that they can't open or even preview -- and so will the user until they plug in the USB key, enter the PIN and sign in.
The inconvenience of having to do all that just to get some work done is balanced by the way cloudAshur brings together files from different cloud services. You see an extra cloudAshur drive in Explorer or the Finder with virtual folders for each cloud service you use, with the files that have been shared with you, and you drag files you want to encrypt into the folder.
The PIN-protected cloudAshur USB dongle from iStorage lets you share enrypted files with other users -- so long as they have matching devices and have logged into the client app.
You can use cloudAshur individually, to protect your own files, and set it up yourself. But if you want to share encrypted files with colleagues, they need their own cloudAshur that's been provisioned with the same encryption key as yours. That means buying the iStorage KeyWriter software, which uses one cloudAshur as the master key and clones the encryption keys to more cloudAshur devices for other people to use.
You can clone cloudAshur dongles from a master device using the KeyWriter software.
If you do that, your organisation can also use the iStorage cloudAshur Remote Management Console (RMC) software to manage users and devices. This gives an admin much more control: you can see who is using the devices and where they are, (including a log of times and files accessed) and if you see unauthorised use you can disable the cloudAshur remotely. You can also set the times and physical locations where the keys can be used, if you want to limit them to business hours and business locations. You can only set one location , using a postcode and a radius around it, which isn't convenient if you want to allow people to work from your different office locations but not from home (and there are no exceptions for VPN connections).
You can also add extra security with the cloudAshure RMC software; encrypting file names so they don't give away any clues, blacklisting known bad IP addresses (annoyingly, you can only do that individually, rather than by specifying the far shorter list of IP addresses you want to allow) and blocking specific file types. The latter is referred to as 'blacklisting', which is confusing when it's next to the IP control setting; we'd also like to see iStorage join other vendors in moving to less contentious terms like 'block' and 'approve'.
The cloudAshur Remote Management Console (RMC) lets you manage users and devices.
Getting the PIN wrong ten times in a row locks the device. You can use the RMC software to change how many wrong attempts you want before this brute-force protection kicks in, and you can use the admin PIN to create a new user PIN. You can also set a one-time recovery PIN that you can give a remote user so they can create their own new PIN. Getting the admin PIN wrong ten times in a row deletes the user PINs and the encryption key. You can't set up the device without changing the default admin PIN -- a fiddly sequence of pressing the shift and lock keys on the device individually and in combination and watching the three colour LEDs blink or turn solid. Even with the limitations of a numeric keyboard, this seems unnecessarily complex.
If someone loses a device or leaves the company without giving it back, you can remotely kill the cloudAshur hardware; you can also temporarily disable a key if it's misplaced (and having both options stops users delaying reporting a key they hope to track down because having to get it reset or replaced will be inconvenient). You can also reset and redeploy a key, so if someone leaves the company you can safely reuse their key (and at this price, you'll want to).
A security system isn't much use if it can be physically cracked open and tampered with. The cloudAshur packaging comes with security seals over both ends of the box, although we were able to peel them off carefully without leaving any marks on the packaging, so a really dedicated adversary who managed to intercept your order could replace them with their own security seal.
The case is extruded aluminium that would be hard to open without leaving marks: iStorage says the design meets FIPs Level 3 for showing visible evidence of tampering and the components are coated in epoxy resin so they can't be swapped out.
The number keyboard is polymer coated to stop the keys you use for your PIN showing enough wear to give attackers a hint. The keys have a nice positive action, so you know when you've pressed them, and the lanyard hole on the end is large enough to fit onto a keyring or security badge lanyard. There's an aluminium sleeve to protect the key from water and dirt -- the device is IP68 rated. The sleeve also stops the battery getting run down if the keypad gets knocked in your bag.
Using cloudAshur isn't particularly complicated, but it is a bit more work than just using a cloud storage service. There are drawbacks like the inability to see previews in the cloud site to check you're opening the right file, and not being able to work offline -- even with a cloud service that syncs files to your device. And any mistakes about the times and locations where people can work could inconvenience employees on business trips.
The biggest threat with cloudAshur may not be hackers but employees who find it too much extra work and just don't encrypt files. This means you'll need to explain why you're asking them to carry a dongle and jump through these extra hoops.
Overall, cloudAshur is fairly well designed and offers a useful security boost -- as long as you can persuade employees to actually use it.
RECENT AND RELATED CONTENT
diskAshur2 and datAshur Pro, First Take: Secure but pricey mobile drives
Kingston IronKey D300 encrypted USB flash drive gets NATO Restricted Level certification
IronKey D300: Ultra durable USB flash drive with built-in encryption
Enterprise companies struggle to control security certificates, cryptographic keys
Google Cloud sets out new encryption controls as it looks to grow in Europe
Read more reviews
Go here to read the rest:
cloudAshur, hands on: Encrypt, share and manage your files locally and in the cloud - ZDNet
- WhatsApp overhauling status tab with encrypted Snapchat Stories-like feature - 9 to 5 Mac [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- GOP demands inquiry into EPA use of encrypted messaging apps - CNET [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- Encryption Apps Help White House Staffers Leakand Maybe Break the Law - WIRED [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- World Wide Web Creator Calls for Internet Decentralization & Encryption - The Data Center Journal [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- What It Means to Have an 'Adult' Conversation on Encryption - Pacific Standard [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- Confide in me! Encryption app leaks sensitive info from Washington DC - SC Magazine UK [Last Updated On: February 21st, 2017] [Originally Added On: February 21st, 2017]
- Gmail v7.2 Prepares to Add Support for S/MIME Enhanced Encryption - XDA Developers (blog) [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Top 6 Data Encryption Solutions - The Merkle [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Your Guide to the Encryption Debate - Consumer Reports - ConsumerReports.org [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Google helps put aging SHA-1 encryption out to pasture - Engadget [Last Updated On: February 26th, 2017] [Originally Added On: February 26th, 2017]
- Decipher your Encryption Challenges - Infosecurity Magazine [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- How the Politics of Encryption Affects Government Adoption - Freedom to Tinker [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- How Encryption Makes Your Sensitive Cloud-Based Data an Asset, Not a Liability - Security Intelligence (blog) [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- Set up VMware VM Encryption for hypervisor-level security - TechTarget [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- How The Media Are Using Encryption Tools To Collect Anonymous Tips - NPR [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- Encryption patent that roiled Newegg is dead on appeal | Ars Technica - Ars Technica [Last Updated On: February 28th, 2017] [Originally Added On: February 28th, 2017]
- Research proposes 'full-journey' email encryption - The Stack [Last Updated On: March 1st, 2017] [Originally Added On: March 1st, 2017]
- Database-as-a-service platform introduces encryption-at-rest - BetaNews [Last Updated On: March 1st, 2017] [Originally Added On: March 1st, 2017]
- Encrypted Messaging Service 'Signal' Adds Video Call Option - Top Tech News [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- Germany, France lobby hard for terror-busting encryption backdoors ... - The Register [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- How to Send Encrypted Nudes, a Guide for the Discerning Lover - Inverse [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- Ironclad Encryption Corporation Announces New Ticker Symbol OTCQB: IRNC - Yahoo Finance [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- The Best Email Encryption Software of 2017 | Top Ten Reviews [Last Updated On: March 2nd, 2017] [Originally Added On: March 2nd, 2017]
- No, you shouldn't delete Signal or other encrypted apps - TechCrunch [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Best encryption software: Top 5 - Computer Business Review [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Encryption Backdoors, Vault 7, and the Jurassic Park Rule of Internet Security - Just Security [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- That Encrypted Chat App the White House Liked? Full of Holes - WIRED [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- What the CIA WikiLeaks Dump Tells Us: Encryption Works - New York Times [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Snake-Oil Alert Encryption Does Not Prevent Mass-Snooping - Center for Research on Globalization [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Customer Letter - Apple [Last Updated On: March 11th, 2017] [Originally Added On: March 11th, 2017]
- Don't Let WikiLeaks Scare You Off of Signal and Other Encrypted Chat Apps - WIRED [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- BT to offer customers encryption service for data - Capacity Media (registration) [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- Encryption - technet.microsoft.com [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- Use FileVault to encrypt the startup disk on ... - Apple Support [Last Updated On: March 12th, 2017] [Originally Added On: March 12th, 2017]
- Viber launches secret chats to go beyond encryption - SlashGear [Last Updated On: March 13th, 2017] [Originally Added On: March 13th, 2017]
- Zix wins 5-vendor email encryption shootout - Network World [Last Updated On: March 13th, 2017] [Originally Added On: March 13th, 2017]
- A lesson from the CIA WikiLeaks dump: Encryption works - The Seattle Times [Last Updated On: March 13th, 2017] [Originally Added On: March 13th, 2017]
- What the CIA WikiLeaks Dump Tells Us: Encryption Works - NewsFactor Network [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Panicked Secret Service Says It Lost Encrypted Laptop But It's Fine, Everything's Fine - Gizmodo [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Google Cloud adds new customer-supplied encryption key partners ... - ZDNet [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Preseeding Full Disk Encryption - Linux Journal [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- Bypassing encryption: 'Lawful hacking' is the next frontier of law enforcement technology - Boston Business Journal [Last Updated On: March 18th, 2017] [Originally Added On: March 18th, 2017]
- SecurityBrief NZ - Gemalto introduces on-prem encryption key solution for 'highly regulated' organisations - SecurityBrief NZ [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- 'Always Be Concerned': US Court Slaps Down Fifth Amendment Defense of Encryption - Sputnik International [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- Quantum Key System Uses Unbreakable Light-Based Encryption to Secure Data - Photonics.com [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- Wikileaks Only Told You Half The Story -- Why Encryption Matters More Than Ever - Forbes [Last Updated On: March 21st, 2017] [Originally Added On: March 21st, 2017]
- EPA Sued For Withholding Info On Encrypted Text Messages | The ... - Daily Caller [Last Updated On: March 22nd, 2017] [Originally Added On: March 22nd, 2017]
- Opinion Data encryption efforts ramp up in face of growing security threats - Information Management [Last Updated On: March 22nd, 2017] [Originally Added On: March 22nd, 2017]
- Bypassing encryption: Lawful hacking is the next frontier of law enforcement technology - Salon [Last Updated On: March 22nd, 2017] [Originally Added On: March 22nd, 2017]
- NeuVector Announces Container Visualization, Encryption, and Security Solution for NGINX Plus - DABCC.com [Last Updated On: March 23rd, 2017] [Originally Added On: March 23rd, 2017]
- Is encryption one of the required HIPAA implementation specifications? - TechTarget [Last Updated On: March 23rd, 2017] [Originally Added On: March 23rd, 2017]
- Paper Spells Out Tech, Legal Options for Encryption Workarounds - Threatpost [Last Updated On: March 23rd, 2017] [Originally Added On: March 23rd, 2017]
- Encryption debate needs to be nuanced, says FBI's Comey - TechTarget [Last Updated On: March 25th, 2017] [Originally Added On: March 25th, 2017]
- Comey Renews Debate Over Encryption - 550 KTSA [Last Updated On: March 25th, 2017] [Originally Added On: March 25th, 2017]
- UK minister says encryption on messaging services is unacceptable - Reuters [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- The why and how of encrypting files on your Android smartphone - Phoenix Sun [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- UK targets WhatsApp encryption after London attack - Yahoo News [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- Critical flaw alert! Stop using JSON encryption | InfoWorld - InfoWorld [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- SecureMyEmail is email encryption for everyone - TechRepublic - TechRepublic [Last Updated On: March 28th, 2017] [Originally Added On: March 28th, 2017]
- Apple iOS 10.3 will introduce encryption which makes it MORE difficult for cops and spooks to crack into ISIS nuts ... - The Sun [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- How to Analyze An Encryption Access Proposal - Freedom to Tinker [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Questions for the FBI on Encryption Mandates - Freedom to Tinker [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Justice Department anti-terror chief keeps pressing on encryption - Politico (blog) [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- UK government can force encryption removal, but fears losing, experts say - The Guardian [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Encryption FAQs [Last Updated On: March 29th, 2017] [Originally Added On: March 29th, 2017]
- Why isn't US military email protected by standard encryption tech? - Naked Security [Last Updated On: April 9th, 2017] [Originally Added On: April 9th, 2017]
- How have ARM TrustZone flaws affected Android encryption? - TechTarget [Last Updated On: April 9th, 2017] [Originally Added On: April 9th, 2017]
- Keeping the enterprise secure in the age of mass encryption - Information Age [Last Updated On: April 9th, 2017] [Originally Added On: April 9th, 2017]
- Lack of encryption led to Dallas siren hack - WFAA [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Internet Society tells G20 nations: The web must be fully encrypted - The Register [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Make Encryption Ubiquitous, Says Internet Society - Infosecurity ... - Infosecurity Magazine [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Can we encrypt the web while giving governments a backdoor to snoop? - SC Magazine UK [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Why we need to encrypt everything - InfoWorld [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- Hacked Dallas sirens get extra encryption to fend off future attacks - Computerworld [Last Updated On: April 12th, 2017] [Originally Added On: April 12th, 2017]
- SHA-1 Encryption Has Been Broken: Now What? - Forbes [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Hewlett Packard Enterprise touts encryption tool for federal clients - The Hill [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Encryption on the Rise in Age of Cloud - Infosecurity Magazine - Infosecurity Magazine [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Lawmaker Pushes Bill That Requires Encryption by Pennsylvania State Employees - Government Technology [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- Disk encryption - Wikipedia [Last Updated On: April 14th, 2017] [Originally Added On: April 14th, 2017]
- The apps to use if you want to keep your messages private - Recode [Last Updated On: April 15th, 2017] [Originally Added On: April 15th, 2017]