Brown HIV researchers make Dropbox secure with nCrypted Cloud

While workers have embraced consumer technology in the workplace with enthusiasm, those technologies have posed pesky problems for organizations that deal with sensitive personal information, especially universities.

That was the case at Brown University where one of its HIV researchers wanted to use Dropbox, an online storage and sharing service with more than 275 million worldwide users, to manage the work of her research team.

[Box, Dropbox, or drop both?]

Brown's IT department has strict rules governing the kind of data gathered by those HIV researchers. Any information "regulated, restricted, confidential or personally identifiable" must be stored on a system owned and managed by Brown.

Those rules put a crimp in Assistant Professor Caroline Kuo's HIV research in South Africa. Kuo, a Dropbox user, found the service ideal for her project's needs. It stored data on a device as well as in the cloud, which is important when collecting data in the field where Internet connectivity may be non-existent, and synchronized that data seamlessly with the cloud when an Internet connection was available.

Most important, though, Dropbox was easy to use, a characteristic that's been driving adoption of consumer technologies by workers. "A lot of my staff in South Africa are computer illiterate," Kuo explained. "They have to go through basic computer training to even learn how to open a file. Dropbox was really simple for them to understand."

That simplicity is what makes products like Dropbox attractive to users. "What's exciting about the new file sharing tools is that people can gravitate to them quickly and solve an immediate obvious problem: sharing a file with someone else," observed Greg Milliken, marketing vice president for M-Files, maker of an enterprise content management platform.

Dropbox's simplicity contrasted mightily with the solution offered by the university's IT department, a solution really not designed for sharing multiple files through a unified interface. For each filed shared, a secure link had to be created and emailed to whomever you wanted to share the file with. Then the email's recipient had to click on the link and login to the system to obtain the file. Synchronization between a local folder and the Brown cloud was non-existent, and shared files stored on the university's servers were automatically deleted after 30 days.

"It was designed to send one or two files between two people, but what they weren't prepared for was multiple users needing to access shared files and an interface to make that happen," Kuo said.

"It was unwieldy for multiple accounts," she continued. "On on our project, we've got 10 folders and in each folder there are large audio, video and Word files. Having to create a link and email them separately was a nightmare."

Although Kuo liked using Dropbox, she shared the university's concerns about security. Storage of data on a device was nice, but it was risky, too. "A big consideration is how do you protect the data on the device," she said. "It's very likely that a device will be stolen. Just last week, colleagues were held up at gunpoint for their mobile phones that they'd been collecting data on."

In addition, some central administration over the devices was needed. If a device is stolen, it would be handy to be able to wipe the device's data remotely. The IT department, too, needed some insight into the devices to impose policies to insure security, as well as cut the device's access to the university's systems when its owner left the institution.

What Kuo and Brown discovered was a solution to both the needs of the project manager and the IT department. It's called nCrypted Cloud. The service encrypts data at rest and in transit, preserves the ease-of-use of DropBox and gives  project managers and network administrators a measure of control over users and shared files.

[Dropbox going two-factor, becoming de facto]

"We view Dropbox as a cloud hard drive, and we're sort of a virtual lens on top of it," nCrypted Cloud co-founder Nick Stamos explained. "We intercept all the data to and from Dropbox and encrypt it."

The data is also encrypted at the endpoints in a system, where an nCrypted Cloud client application resides. When a file needs to be used at an endpoint, the client decrypts the data for application use.

The "virtual lens" approach has allowed nCrypted Cloud to expand its solution beyond Dropbox to Google Drive, OneDrive, Box and Egnyte.

To a Dropbox user, there's very little to tip them off they're using nCrypted Cloud, save for a slight addition to a standard Dropbox file icon: a lock to show a user that the file is encrypted.

Policies can be attached to files and folders by their creators and workflow policies controlled by an administrator. Creators can control details about sharing the contents of a folder and collaboration on files. Administrators have full auditing visibility into the system and can set policies such as requiring a PIN to access any Brown University data with a mobile device or  barring "rooted" mobile devices from accessing university data.  "It's sort of a distributed responsibility," Stamos said.

Management of the system is done through nCrypted Cloud's servers. That's a useful arrangement should a device be misplaced or stolen. "Whenever a thief tries to connect a mobile device to a network, we can erase the data on the device from a central location," Kuo said. "So not only is the data encrypted, but on top of that we know we can log onto the device from our office and wipe it clean."

Encryption can serve another purpose when using a service like Dropbox. "There's some concern that cloud storage providers will look at your data to target advertising at you," explained   Richard Stiennon, chief research analyst with IT Harvest and an nCrypted Cloud user. In fact, last fall it was revealed that Dropbox was peeking at all ".doc" files uploaded to the system. The company said it needed to snoop on the files for de-duplication purpose, to scan for them for malware and to allow users to a preview documents without opening up a desktop program.

An elaborate key management system is also deployed to protect data encrypted by nCrypted Cloud. For example, keys for unlocking Brown's data aren't stored on nCrypted Cloud's servers where they could be obtained by a third-party. "We  don't want access to those keys," Stamos said. "So if the Department of Justice or someone else comes to us, we don't want to ever expose our customers' information."

[Google plan to thwart government surveillance with encryption raises stakes]

With nCrypted Cloud, each file is put into a 256-bit AES zip container. "That was important for us because we didn't want to build anything that was proprietary," Stamos explained. Each file has a unique password and each person has both a personal and corporate identity. Each identity has a private  and public key pair. Passwords encrypted with the corporate identity has two public-private key pairs -- one for the owner of the file and one for their employer. "That guarantees that the corporation or institution will always have access to the information," Stamos said.

It also addresses a problem with devices that may contain both personal and institutional information because personal information can be encrypted using a personal identity. "If you leave work or quit, they can revoke your access to work files and be assured you don't have access to them," said Adrian Sanabria, an enterprise security analyst with The 451 Group. "At the same time, you can be assured that they can't revoke your access to your personal files."

"The catch is," he added, "you're the one categorizing what's work and what's personal. So the company is depending on the user to do that correctly, if at all."

Other measures are taken to ensure that nCrypted Cloud can't be forced to cough up a customer's private keys. First, the corporate private keys remain with the institution -- only the institution's public keys remain with nCrypted Cloud.

Second, it borrows an algorithm used to secure WiFi networks to secure a user's private keys. In nCrypted Cloud that algorithm is used to take a user's account ID, which is public information, and a password to generate a personal key that's used to encrypt their private key. That encrypted cocktail is stored in the nCrypted Cloud servers. "So the server has encrypted data that it will give to anyone who asks for it but they need the right credentials to unlock the private key," Stamos explained.

One knock against encryption is that it creates latency in a user's experience. Stamos discounted that notion for nCrypted Cloud. "It really doesn't hurt performance," he said. "I think we're the only product in the world that actually reduces the size of data when we encrypt it."

[Dropbox fixes flaw that exposed user documents

"Computers are so powerful today performance really isn't an issue," he added. "Even in mobile, network connectivity is always a bigger constraint than encrypting and decrypting data."

In the coming months, the Brown researchers will be expanding their efforts to gather data through mobile devices. Those efforts could be a real test for nCrypted Cloud. "It's a big unknown for me how nCrypted Cloud will perform where network speeds are slow and reception unstable," Kuo said.

Join the CSO newsletter!

Error: Please check your email address.

Tags Brown UniversityapplicationsdropboxsecuritysoftwarenCrypted Cloudencryptiondata protection

More about AES EnvironmentalDepartment of JusticeDropboxGoogle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John P. Mello Jr.

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place