What You Need to Know about Encryption in M-Files

The emerging melee between Apple and the US Justice Department has brought international attention to the concept of encryption.  Without taking sides, I believe that cloud vendors should follow the legislation and assist legal authorities when possible. However, intentionally building “backdoors” to software isn’t a good approach either.  Ultimately, I think Bill Gates said it best when he stated, “this conversation is a good one to be having.”

Cloud Vendors and Clients

The business model for many cloud vendors is to offer a “service” in order to secure and store client data. I want to emphasize the fact that the data belongs to the client. I raise this because it’s important for clients to understand that cloud vendors manage and secure their (i.e., the clients) data. Transparency, communication and engagement between clients and vendors is important. The Apple/DOJ court case should spur clients to ask their cloud vendors exactly how their data is encrypted and secured.

Encryption in M-Files Cloud Vault

M-Files Cloud Vault leverages multiple encryption technologies, some are standard and required for all M-Files cloud deployments, and others are optional. Data is encrypted both “in transit” and “at rest.” Encrypting data “in transit” means that all network connections between users’ devices and the M-Files cloud infrastructure are encrypted. This prevents unauthorized parties, who may be monitoring network traffic, from accessing data during the upload or download process.  Encrypting data “at rest” means all of your inactive data (or data in storage) is also secured. The encryption of data “at rest” consists of three elements: data to be encrypted, the encryption algorithm, and the encryption key. The M-Files server must have access to all these three elements to decrypt the data.

Preventing “Backdoors”

M-Files prevents unauthorized access to data in the cloud in several ways – first, users access their data using only the M-Files clients and API. Second, the M-Files server ensures that users are authenticated and validates their access rights to the data. Third, security can be further enhanced in a number of ways, including multi-factor authentication and automatic metadata-driven permissions, among others.

The M-Files server stores files in Azure Blob Storage and metadata in Azure SQL Database. The system is designed so that only the M-Files server software can access repositories directly. However, it is technically possible to access these repositories directly in Azure if the unauthorized user has the correct credentials and has fulfilled other security requirements for access. That’s why it is important to encrypt the information of these repositories in such a way that only the M-Files server is able to decrypt the data and pass it to the user.

Since most organizations have some of their information stored in the cloud, I thought it might be worthwhile to share some recommendations regarding encryption:

• We believe that cloud vendors should act as a “service” that gives organizations the ability to find their business critical data quickly and accurately without making it vulnerable to access by unauthorized parties.
• Organizations should expect cloud vendors to encrypt data both in transit and at rest.
• Choose vendors that offer encryption where the client controls access to the encryption key and the key is stored separately from the data. Cloud vendors should then be given access to the key so that they can process the data. The client maintains the right to revoke access to the key at any time. This makes hacking more difficult since the key, and the data are stored in different locations, and they are controlled by two different parties.

Please feel free to reach out and let us know if you have any questions, or just want to learn more about encrypting data in the M-Files cloud!

In case you are interested here’s more about M-Files security, access controls, data loss prevention, authentication and encryption.