

How to define user access controls for cloud content services

As companies move content to the cloud, they need to sort out how to secure access to that information.

Cloud computing has enabled a wide range of enterprise applications. Many companies have turned to cloud-based software because it is more cost-effective and easier to maintain than software managed in-house by enterprise IT shops. For companies with content management systems, the cloud has also enabled mobile workers to access their files on the road and third parties to share project files without being assigned a login and password.

But as companies consider the potential benefits of cloud-based apps, they need to weigh concerns about security and consider new approaches to securing content. The traditional model of securing the network perimeter is no longer adequate in the cloud, which extends a company's perimeter beyond its four walls. So, as cloud-based content services have gained currency, security at the content level has become more important. A focus solely on perimeter-based security has now given way to more attention to fine-grained user access controls that target the content itself as well as the identities of those accessing that content. 

With proliferating options, it's just a matter of time before business users ask IT administrators to help them establish content sharing in the cloud. When this happens, one of the first steps content managers should consider is content-based access controls.

When content is stored on premises, content administrators have several mechanisms available to control access. The identity of users, their roles in the organization and the user privileges that content administrators establish define an organization's policies and access control rules. Many of these features are available in cloud services and should be used to protect content in the cloud.

Models for securing content

Here are several controls available in cloud content services that you might want to consider as more of your content moves off premises.

File access controls. A common feature of cloud content services is the ability to share files. Unless you upload publicly accessible content, file access controls are the first line of defense for your content. These features typically include the ability to create folders, upload content and share content either with specified users or with anyone who holds a file-specific URL that you provide.

User-based content access. To further refine the access controls on content, you can place restrictions on what operations users can perform. For example, you might want to designate view-only or upload-only permissions access to some users. This kind of control is useful when a content service supports workflow operations that separate the tasks of participants, such as content generators, reviewers and approvers.

Password-controlled access. Some cloud content services also support password-controlled access to sensitive files. This is useful when restricted-access files reside within folders that enable broader access than should be granted to sensitive files. Expiration dates may be set as well in some services to enforce document retention policies.

Reporting and monitoring tools. Content administrators can monitor operations using portal-based file and user reports, as well as alerts triggered by events you define. These reporting and monitoring tools can also control costs. Users may unintentionally accumulate files that are no longer needed or that could be migrated to lower-cost archival storage. Content administrators can use reporting features to identify unnecessary content and enforce document retention policies.

User identities. User identities are key building blocks for securing content in the cloud, and enterprise directories, such as Active Directory or Lightweight Directory Access Protocol (LDAP) servers, are the repositories of that identity information. Content management operations can be significantly streamlined if you integrate your enterprise directory with your cloud content management service. When your Active Directory is integrated with Amazon WorkDocs, for example, users can sign in to the service with corporate credentials and administrators can use enterprise roles to assign privileges.
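The controls above, as an added example that is not from the article or any vendor's API: a deny-by-default authorization check that combines per-role view/upload permissions, view-only share-link tokens with an expiry and an optional password, and an audit record that a monitoring alert could read. All names, the fixed clock and the sample roles are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed clock for the demo
AUDIT = []  # every decision is appended here; alert rules read this list


@dataclass
class ShareLink:
    expires_at: datetime
    salt: bytes = b""
    pw_hash: bytes = b""  # empty when the link is not password-protected


@dataclass
class Document:
    owner: str
    acl: dict = field(default_factory=dict)    # role -> set of operations
    links: dict = field(default_factory=dict)  # URL token -> ShareLink


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_link(doc, ttl_days, password=None):
    """Issue a view-only share URL token with an expiry and optional password."""
    token, salt = os.urandom(16).hex(), os.urandom(16)
    pw_hash = _hash_pw(password, salt) if password else b""
    doc.links[token] = ShareLink(NOW + timedelta(days=ttl_days), salt, pw_hash)
    return token


def authorize(doc, user, roles, op, token=None, password=None, now=NOW):
    """Deny by default; allow the owner, a role in the ACL, or a valid link (view only)."""
    reason = "denied"
    if user == doc.owner:
        reason = "owner"
    elif any(op in doc.acl.get(r, set()) for r in roles):
        reason = "role"
    elif token in doc.links and op == "view":  # links never grant upload/delete
        link = doc.links[token]
        if now >= link.expires_at:
            reason = "link expired"
        elif link.pw_hash and not (password and hmac.compare_digest(
                link.pw_hash, _hash_pw(password, link.salt))):
            reason = "bad link password"
        else:
            reason = "link"
    allowed = reason in ("owner", "role", "link")
    AUDIT.append({"user": user, "op": op, "allowed": allowed, "reason": reason})
    return allowed
```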

For organizations that must comply with industry or government regulations, it is important to consider how cloud content will be protected. Many of the enterprise-scale services are certified to support the needs of major regulations, such as the Health Insurance Portability and Accountability Act and HITECH in the healthcare industry, along with the SAS 70, SSAE 16 and Safe Harbor certifications that cross industries.

Depending on the sensitivity of your data, you might want to consider managing your own encryption. Most, if not all, major content providers encrypt content when it is stored on their systems. If you are concerned that allowing a third-party provider to control the encryption and decryption of your data presents unacceptable risk, encrypt data before uploading it. If this is needed only occasionally, ad hoc management practices may be sufficient. But if you intend to implement widespread use of user-managed encryption, you should be prepared for substantial management overhead, including encryption key management and additional monitoring.

The cloud offers advantages for delivering content management services, and its security features are sufficiently mature to attract many businesses. As you move to adopt cloud-based content services, consider your security requirements and the user access controls available to you.
