Your Cloud in my Company: Modern Rights Management Services Revisited

Martin Grothe, Paul Rösler, Johanna Jupke, Jan Kaiser, Christian Mainka, Jörg Schwenk

11th International Conference on Availability, Reliability and Security (ARES 2016)


Abstract

We provide a security analysis of modern Enterprise Rights Management (ERM) solutions and reveal security threats. We first take a look on Microsoft Azure, and discuss severe attack surfaces that companies enabling Azure in their own trusted infrastructure have to take care of. In addition, we analyze Tresorit, one of the most frequently used End-to-End encrypted cloud storage systems. Tresorit can use Azure and its Rights Management Services (RMS) module as an additional security layer: a user should be able to either trust Tresorit or Azure. Our systematic evaluation reveals a serious breach to their security architecture: we show that the whole security of Tresorit RMS relies on Tresorit being trusted, independent of trusting Azure.

[pdf]

tags: AD, Azure, Cloud, ERM, RMS, Tersorit