Encrypting and decrypting cloud storage data
To enhance security when users of your network complete in-the-cloud activities, you can configure the encryption of data that a user uploads to a cloud storage service. When the data is downloaded, it is decrypted to allow the user to work with it.
A module of Web Gateway, known as the Cloud Storage Encryption module (also referred to as Cloud Storage Encryption filter or engine), handles both encryption and decryption of data, including the metadata. Encryption and decryption remain transparent to the user.
Encryption and decryption is performed for "top-level" data that is processed in the request and response cycles. Data that is embedded in a request or a response and, accordingly, processed in the embedded objects cycle, cannot be encrypted or decrypted.
To encrypt and decrypt data, the module uses a standard algorithm, which can be one of the following:
The algorithm is also known as cipher.
A password is also required as a parameter of the encryption or decryption process.
For performing this process, the module relies on service description files, which exist for each of the various cloud storage services.
The files provide information on how to handle different data formats, the methods that can be used in an upload or download request, for example, PUT or POST, and the URLs that are sent with requests to identify the locations where the data should be uploaded to or downloaded from.
NOTE: Service description files are updated when a new version of Web Gateway is installed. It is not possible to download new versions of these files from an update server.
Encryption and decryption of data can be performed for the following cloud storage services:
- Google Drive
- Microsoft SkyDrive
For the Box cloud storage service, encryption and decryption is supported when a web browser or a native Box client is used to upload and download data. For Dropbox, Google Drive, and Sky Drive, it is supported when upload or download is performed from a web browser.
Configuring encryption and decryption
To configure the encryption and decryption process, you need to implement suitable rules on Web Gateway. They are provided in the Cloud Storage Encryption rule set, which you can import from the library.
The rules in the library rule set control the Cloud Storage Encryption module and provide a default password for the encryption or decryption process. The rule set also contains an optional rule for logging the process.
The rule that controls the module for encryption applies if it is found that a request that was received on Web Gateway is a request for uploading data to one of the configured cloud storage services. Similarly, the rule that calls the module for decryption applies if a request for downloading data from one of these services has been received.
If one of the two rules applies, it triggers an event that lets the module perform the encryption or decryption process.
But whereas decryption is executed as soon as the rule processing module (rule engine) has actually found the relevant rule to apply, encryption is not executed before all the following rules have also been processed, including rules configured for processing in the embedded objects cycle.
This ensures the data that is sent with a request for uploading or downloading can be processed in unencrypted format by the other rules.
Module settings are implemented with the import of the library rule set, which you need to configure to specify the following:
- Algorithm (cipher) used for encryption and decryption
- Supported cloud storage services
Data trickling and decryption
If data trickling is implemented as a mode of transferring data, decryption of an encrypted file that is downloaded from a cloud storage service might fail. You should therefore configure these functions as follows:
- On the rule set tree, the Cloud Storage Encryption rule set should be placed immediately before or after the rule set that you use to implement data trickling.
This prevents rules of other rule sets from being processed between the decryption and the data trickling rules, which can cause the decryption to fail.
A rule for enabling data trickling is contained in the Progress Indication rule set, which is an embedded rule set of the Common Rules rule set of the default rule set system.
To be completely sure that data trickling does not lead to a failed decryption, you can additionally do the following:
- Replace the Always in the criteria of the data trickling rule by CloudEncryption.IsDecryptionSupported equals false .
This prevents data trickling from being started when downloaded data is decrypted. However, configuring the criteria like this will have an impact on the performance of the data trickling process.
NOTE: A conflict between decryption and data trickling can also be the reason why a file that was downloaded from a cloud storage service is corrupted and cannot be opened, although no decryption errors were reported.
Multiple encryption of data
When a request for uploading data to a cloud storage service is received, the data can be encrypted more than once, performing encryption differently each time.
For each encryption, you need to configure a rule. You can, for example, specify a password for a user group in one rule and let encryption be performed under a particular algorithm, which you also specify in that rule, and then specify a password for an individual user in the next rule and let encryption be performed under a different algorithm.
So when it comes to downloading the data, it can only be decrypted if both passwords are known.
To decrypt what has been encrypted in multiple rules, the same number of rules for decryption is needed. Algorithms and passwords must be the same as in their encryption counterparts and the order of these rules must be the reverse of the order in which you placed the encryption rules.
SSL-secured upload and download requests
To cover also requests for uploading data to a cloud storage service or for downloading data when they are sent using an SSL-secured connection, you need to make sure the SSL Scanner rule set is enabled.
This rule set is implemented in disabled state with the default system of rule sets for Web Gateway.
The certificates that are needed for communication over SSL-secure connections must be installed on the web browsers that users work with to send upload and download requests.
Manual decryption of data
When Web Gateway is temporarily unavailable in your network or when a password conflict arises, it could be required that you decrypt cloud storage data manually.
This can be done if you know the algorithm and password that were used when the data was encrypted. You can download the data directly from the cloud storage service to your system and run a command for manual decryption on this system, which includes algorithm and password parameters.
Monitoring encryption and decryption on the dashboard
Statistics about activities performed for encrypting and decrypting cloud storage data can be monitored on the dashboard of the user interface.
The following parameters are shown:
- Number of encryption and decryption operations and errors (over time)
- Volume of encrypted and decrypted data (over time)
- Number of encryption and decryption operations and errors per cloud storage service
- Volume of encrypted and decrypted data per cloud storage service