Are Hidden Caches Putting Sensitive Data At Risk During A File Migration To The Cloud?

Have you ever wondered what happens to your files when they are sent over the Internet?

You probably have, if you’ve ever had to deal with data policies, regulatory compliance, security audits, or vulnerability assessments in any meaningful way. In fact, if you are using an enterprise file sync & share service like Box or Citrix ShareFile or Dropbox, you’ve undoubtedly at least asked the question, “Is my data safe?”

Let’s say you’ve done your research and answered YES to that question. You’re comfortable with the cloud provider you’ve chosen. ShareFile, for example, has an exceptionally strong security background, as does Box. Perhaps you’ve even acknowledged that cloud services may provide better security than your own infrastructure, largely due to the investments they make in equipment, systems and human security expertise.

The point is, you are comfortable with storing information offsite in someone else’s data center and under someone else’s oversight.

But…have you thought about how you are getting your data there? Are you confident that there are no prying eyes accessing your data? There may well be, if your file migration service relies on data caching or any kind of temporary, intermediate data storage.

Let’s walk through it together.

Selecting A File Migration Service

Typically, large data migration jobs are no match for the basic data import tools that cloud service operators tend to provide. Methods like direct upload or even secure FTP just aren’t up to the task of moving hundreds of gigabytes or terabytes of data over the Internet. They take twice as long, they don’t handle complexity well, and they struggle with broken connections and other system interruptions. That means you have to start things all over again. They’re just not well-suited for large drives.

So you turn to a service or product specifically built for file migrations. These services have a few common characteristics:

  • They are software-based systems – typically SaaS but occasionally with onsite components for acceleration and error-handling
  • They have job-based user interfaces that make it easy to connect sources with destinations and schedule one-time or recurring jobs
  • They handle errors, interruptions, inconsistencies, and other common data problems in graceful and elegant ways
  • They are 2-50x faster than conventional methods and much easier to use
  • They provide enterprise-level features such as job dashboards and audit trails

A file migration service is the right tool for the job, but if security is important to you, make sure you look one level deeper.

Talking Security: Direct Deposit or Cache?

Here’s where the big security question comes in. File migration services work by relying on an orchestration layer, typically cloud-based, that coordinates all the activity. It links to local file systems and cloud services, establishes and enforces policies, and manages all the data transfer from sources to destinations based on the user’s configuration. You define the jobs, and it executes them.

But there are two ways that data can be sent:

  1. Direct Deposit: The file migration service establishes direct communication between the two points. Data is streamed directly from the source to the destination, without being stored temporarily with the service itself. It’s kept fully encrypted and therefore secure in transit.
  2. Cache: The orchestration layer does the same coordinating steps, but data is pulled off of its sources and temporarily stored by the file migration service itself before being delivered to its destination. This model is very similar to an individual downloading data from one location to their desktop, and then uploading it to its new home.

As a security professional, you are always thinking about what your risks are and where data is exposed. With the first option, Direct Deposit, the overall data transfer is much simpler. That means there are fewer opportunities for you, the user, to lose control of your data. Data streaming technology can be built on proven industry-standard methods for transferring data securely. The only touchpoints you need to be vetting are the sources and the destinations.

However, with the Cache option, you now have a server in the middle. You have to ask questions about what this server is doing and where temporary data is stored (On disk? In memory?). If the security policy for that server changes, will you as a user know about it, so you can ensure it meets your policy requirements? Who has access to that operating system, and what does that access permit them to see? Is the OS running in a public cloud or a shared environment? If so, that’s a whole different layer of security you need to consider.

That’s a lot of extra risk to account for.
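The difference between the two models can be seen in a small sketch. This is an added example, not Cloud FastPath code or any vendor's implementation; the function names, the chunk size and the staging directory are hypothetical, and the source and destination are plain file-like objects standing in for real endpoints.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 64 * 1024  # hypothetical chunk size: the most the relay ever holds


def stream_direct(src, dst, chunk_size=CHUNK):
    """Direct model: relay src to dst chunk by chunk, writing nowhere else."""
    digest = hashlib.sha256()
    peak = 0
    for chunk in iter(lambda: src.read(chunk_size), b""):
        peak = max(peak, len(chunk))
        digest.update(chunk)
        dst.write(chunk)
    return {"sha256": digest.hexdigest(), "peak_bytes_held": peak,
            "staged_files": []}


def stage_then_upload(src, dst, staging_dir, chunk_size=CHUNK):
    """Cache model: pull the whole object onto the relay's disk, then push it."""
    digest = hashlib.sha256()
    fd, path = tempfile.mkstemp(dir=staging_dir)
    with os.fdopen(fd, "wb") as staged:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            staged.write(chunk)
    # Exposure window: the complete plaintext is now on the relay's file
    # system, readable by anyone with access to that host or its backups.
    on_disk = [(name, os.path.getsize(os.path.join(staging_dir, name)))
               for name in os.listdir(staging_dir)]
    with open(path, "rb") as staged:
        for chunk in iter(lambda: staged.read(chunk_size), b""):
            digest.update(chunk)
            dst.write(chunk)
    os.remove(path)  # unlinking does not scrub the blocks that were written
    return {"sha256": digest.hexdigest(), "staged_files": on_disk}


if __name__ == "__main__":
    payload = b"constructed-sample-record\n" * 20000  # constructed test data
    print(stream_direct(io.BytesIO(payload), io.BytesIO()))
    with tempfile.TemporaryDirectory() as staging:
        print(stage_then_upload(io.BytesIO(payload), io.BytesIO(), staging))
```

Both paths deliver identical bytes; only the staged path leaves a full copy on the intermediate host for the duration of the job, which is the artifact the questions above are meant to uncover.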

How Cloud FastPath Keeps Sensitive Data Secure

Cloud FastPath is built using the first option. We’ve got a long history in secure, fast transfer of sensitive financial information, so we know how critical this feature is to security-conscious specialists.

The Cloud FastPath service relies on access points called POPs, or Points-of-Presence. These small gateways sit on local stations or connect with web services in the cloud or other hosted environments. The system doesn’t cache. In fact, it’s built more like a messaging system where data is transported through packets in real time. That makes it fast and highly efficient, but also much more secure. Data can be streamed directly between POPs, and the whole question of a temporary, intermediate cache is removed from the equation.

Cloud FastPath takes a number of other important security precautions:

  • Data is never stored on disk. Cloud FastPath doesn’t write data to the disk. We avoid a lot of problems with security and compliance by making sure data never finds its way into a physical form.
  • Data only ever exists in memory. We employ sophisticated in-memory techniques to efficiently process data and deal with network interruptions and bottlenecks. In the event of a system problem, data is re-retrieved from the source instead of a local cache.
  • Even a core dump leaves no trace. There is a case when even in-memory data can get written to disk – in the event of a core dump or system crash. Not that these happen – Cloud FastPath infrastructure is stable enough to be used in high-performance financial trading systems – but even under that circumstance, sensitive data wouldn’t be written to disk. We take this stuff seriously.
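The page does not say how Cloud FastPath keeps in-memory data out of core dumps. As an added example (not the vendor's code), here is one common way a Linux process can do it, assuming Linux and Python 3.8 or later; the function names are hypothetical.

```python
import ctypes
import mmap
import resource

# Option numbers from <linux/prctl.h>.
PR_GET_DUMPABLE = 3
PR_SET_DUMPABLE = 4

_libc = ctypes.CDLL(None, use_errno=True)


def disable_core_dumps():
    """Stop the kernel from writing this process's memory to a core file."""
    # Soft and hard core-size limits of zero; an unprivileged process
    # cannot raise the hard limit again afterwards.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    # Clear the "dumpable" attribute, which decides whether a core dump
    # is produced at all when a fatal signal is delivered.
    if _libc.prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_SET_DUMPABLE) failed")


def core_dump_state():
    """Report the current settings so they can be checked or logged."""
    return {
        "rlimit_core": resource.getrlimit(resource.RLIMIT_CORE),
        "dumpable": _libc.prctl(PR_GET_DUMPABLE, 0, 0, 0, 0),
    }


def transfer_buffer(size):
    """Anonymous buffer whose pages are excluded from any core dump."""
    buf = mmap.mmap(-1, size)
    buf.madvise(mmap.MADV_DONTDUMP)
    return buf


if __name__ == "__main__":
    disable_core_dumps()
    print(core_dump_state())  # expect rlimit_core (0, 0) and dumpable 0
```

Swap and hibernation are separate paths from memory to disk that these settings do not cover, so they belong on the same vetting checklist.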

Keep Data Secure By Using The Right Systems

If security was an important factor in evaluating cloud providers, it should also be an important factor in evaluating file migration services. Keep that same degree of due diligence when it comes to every aspect of your sensitive data. Give Cloud FastPath a try and see how safe your cache-less file migration can actually be.
