Business continuity after a ransomware attack: the case for end-to-end encryption

Imagine the scenario: you get an urgent call from one of your customers. All her files seem to be corrupted. And then there’s that email demanding payment via Bitcoin for restoration. She needs your immediate help to get her business up and running. Later on, she’ll demand to know how you let her business be vulnerable to this attack.
You had installed firewalls, required strong passwords, and conducted email phishing drills—and still your customer was attacked.
What else might have prevented this situation?
Encrypted cloud file storage
Traditional file backup utilities are not sufficient because they can be vulnerable to the same attacks that penetrated your customer’s network in the first place. Furthermore, if a ransomware attack corrupts user files, the corrupted files will be copied to the backups (or the backups might be deleted entirely), resulting in data loss. Some vendors recommend offline backups, but these are complex to manage, and security risks still exist because the backups have to be brought online frequently.
A better solution would have the following attributes:
• Cloud service
Using an external cloud service provider for backups (as opposed to on-premises management) can not only save costs but also add another layer of security to your customer’s network.
• Immutable copies of all file versions
It’s not enough to merely retain a copy of the latest versions of files; the service must retain all prior versions. Immutability means the service does not allow any prior version to be deleted or modified. Thus, in the event of an attack, an organization’s data can be restored to the point right before the attack occurred.
• End-to-end encryption (E2EE)
E2EE means that data is encrypted on a client device and stays encrypted until reaching another authorized client. Significantly, this means that nobody other than the customer’s intended recipients can see data—not even the cloud service provider or you as the MSP. Even if you or the cloud service provider are attacked, your customer’s data is safe.
• Authentication by cryptographic keys instead of passwords
We all know that most breaches start with a compromised password. If the cloud service requires a cryptographic key to authenticate a user, there are no passwords to guess or breach.
• Admin restrictions
After a successful password breach, attackers often acquire administrative credentials because admins can access all user data. This can make you, the MSP, a “central point of attack,” which means you’re a high-value target for an attacker. The ideal scenario is to require multiple admins to authorize any invasive operation so that an attack on a single admin won’t compromise an entire organization.
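To make the "immutable copies of all file versions" attribute concrete, here is an added Python model (not code from PreVeil or any vendor) of an append-only version store and a restore to the point right before an attack. The class and method names, file names and timestamps are hypothetical and constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Version:
    timestamp: int  # constructed integer clock, not real time
    data: bytes

class ImmutableVersionStore:
    """Append-only: each write adds a version; none is overwritten or deleted."""
    def __init__(self):
        self._versions: dict[str, list[Version]] = {}

    def put(self, path, data, timestamp):
        history = self._versions.setdefault(path, [])
        if history and timestamp <= history[-1].timestamp:
            raise ValueError("versions must be appended in time order")
        history.append(Version(timestamp, data))

    def delete_version(self, path, timestamp):
        # The service exposes no way to remove or rewrite history.
        raise PermissionError("prior versions are immutable")

    def restore_point(self, cutoff):
        """Return {path: data} as of the last version written before cutoff."""
        snapshot = {}
        for path, history in self._versions.items():
            earlier = [v for v in history if v.timestamp < cutoff]
            if earlier:  # files first created at or after cutoff are left out
                snapshot[path] = earlier[-1].data
        return snapshot

def demo():
    store = ImmutableVersionStore()
    store.put("invoice.xlsx", b"Q1 totals", 100)
    store.put("design.dwg", b"rev A", 150)
    store.put("invoice.xlsx", b"Q2 totals", 200)
    # Constructed attack at t=300: corrupted files sync up as new versions.
    attack_time = 300
    store.put("invoice.xlsx", b"\x8f\x02 corrupted", 300)
    store.put("design.dwg", b"\x11\x9a corrupted", 301)
    store.put("README_RESTORE.txt", b"ransom note", 302)
    try:
        store.delete_version("invoice.xlsx", 200)
        deletable = True
    except PermissionError:
        deletable = False
    return store.restore_point(attack_time), deletable

if __name__ == "__main__":
    print(demo())
```

The corrupted uploads land as additional versions instead of replacing the good ones, so the restore returns the last clean copy of each file and omits the file the attacker created.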
How does this work in practice?
There are thousands of use cases for encrypted cloud file storage. Just about every use case for storing files on a user’s PC or on a centralized on-premises server can be better addressed by encrypted cloud storage. I’ve listed some examples below to help you start to see how this can work for your customers:
- A manufacturing company needed an easy but secure way for customers to share design documents, parts lists, and QA data. Email is insecure and can’t readily handle large files as attachments. Traditional cloud storage didn’t adequately protect sensitive customer data—and hence the supplier’s reputation. The business chose encrypted cloud storage to secure files.
- A software company’s human resources department needed to protect and store sensitive personnel files such as personal contact information, performance reviews, etc. HR had been using Google Drive but decided to shift to encrypted cloud storage to better protect employees’ sensitive data from everything from the prying eyes of IT admins to external attacks based on passwords and server compromises.
- A hedge fund needed to protect proprietary trading strategies and confidential client data. Originally using local PC and MSP-managed server storage, the fund decided to move to encrypted cloud storage to simplify data management (including the cost and complexity of backups and hardware/software maintenance).
- A security consultant wanted to store and share working documents and final reports with clients. The consultant viewed this data as extremely sensitive—an attacker breaching the auditor would basically get a roadmap to client vulnerabilities. Encrypted cloud storage provided an easy way to share information, but with the security that was essential to business.
Randy Battat is CEO at PreVeil
PreVeil is a member of the N‑able MSP Technology Alliance Program (TAP). TAP is a growing group of trusted vendors we’ve teamed up with to offer a variety of third-party integrations and services to help MSPs better serve their customers. This blog is part of the TAP blog series through which we will provide you relevant and interesting guest blog contributions from our TAP members.