I am thinking about a system which should store and provide access to documents with confidential information. And I found at least two interaction models whose safety I would like to evaluate.
The story: a user can upload their own PDF documents, and then can download them at any time.
Some role in the back office can view those documents.
Data encryption at the storage level. If the storage is hacked, the hacker can’t decrypt the raw data.
It is desirable that none of the systems can decrypt the data on their own.
Two roles: document owner – can upload and view documents; back-office officer – can view documents. The view operation will be audited.
The end user can send documents to different business processes.
The back-office role can view documents uploaded by users.
We need to figure out:
- how to encrypt and store documents
- how to provide access to the documents (to the end user, and to the back-office officer)
- how to design the interaction between these systems
- create a service which handles file encryption, uploads and downloads
- store documents in cloud storage (S3 or GCS) and use the encryption model provided by the cloud
Option A: public storage service (the end user can use the storage service)
- expose the service to the end user: this service will have an authorization mechanism (JWT)
- the service will provide an extra access mechanism to the documents with IAM. This mechanism will be used by the back office.
Option B: private storage service
- the user sends documents to “business processes”
- every business process uses the storage service as an implementation detail (verify the user, and proxy the document to storage)
I think both designs have a weak security model. Which option is safer from your point of view, and why?
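The requirements common to both options (a service that handles encryption, storage that holds only data it cannot decrypt on its own, two roles, audited views) can be shown concretely with envelope encryption. The Go program below is an added example written for this discussion; it is not code from the question or from any of the systems it describes. It assumes AES-256-GCM as the cipher, a `keyService` type that stands in for the cloud KMS (it holds only the key-encryption key and never sees document bytes), an in-memory map standing in for S3/GCS, and the role names `owner` and `back-office`; all of these names are assumptions. Each document gets its own data key, the data key is wrapped by the key service, and the storage record contains only the ciphertext and the wrapped key, so a compromise of storage alone yields nothing readable. The document id is bound into both ciphertexts as associated data, so a wrapped key cannot be moved from one record to another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Role labels for the two roles in the question (the names are assumptions).
type Role string

const (
	RoleOwner   Role = "owner"       // uploads and views own documents
	RoleOfficer Role = "back-office" // views any document; every view is audited
)

// keyService stands in for a KMS: it holds the key-encryption key (KEK) and only
// wraps or unwraps per-document data keys (DEKs); it never sees document bytes.
type keyService struct{ kek []byte }

func (k *keyService) wrap(dek, docID []byte) []byte                { return gcmSeal(k.kek, dek, docID) }
func (k *keyService) unwrap(wrapped, docID []byte) ([]byte, error) { return gcmOpen(k.kek, wrapped, docID) }

// storedDoc is what the storage layer (S3/GCS) keeps: ciphertext plus a wrapped
// DEK, which is useless without the KEK held by keyService.
type storedDoc struct {
	Owner                  string
	WrappedDEK, Ciphertext []byte
}

// documentService is the single component that mediates uploads and views.
type documentService struct {
	keys  *keyService
	store map[string]storedDoc
	audit []string // one entry per upload or view attempt
}

func newDocumentService() *documentService {
	return &documentService{keys: &keyService{kek: randomBytes(32)}, store: map[string]storedDoc{}}
}

// randomBytes draws n bytes from crypto/rand; a failure here is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds an AES-GCM AEAD; keys are generated in-process, so a bad key
// length is a programming error, not input to report.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// gcmSeal encrypts with AES-256-GCM under a fresh random nonce, which is
// prefixed to the output; aad is authenticated but not encrypted.
func gcmSeal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// gcmOpen reverses gcmSeal and fails if key, nonce, tag or aad do not match.
func gcmOpen(key, data, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// Upload: fresh DEK per document, file encrypted under the DEK, DEK wrapped by
// the KMS. Both ciphertexts carry docID as AAD so records cannot be swapped.
func (s *documentService) Upload(owner, docID string, plaintext []byte) {
	dek := randomBytes(32)
	s.store[docID] = storedDoc{
		Owner:      owner,
		WrappedDEK: s.keys.wrap(dek, []byte(docID)),
		Ciphertext: gcmSeal(dek, plaintext, []byte(docID)),
	}
	s.audit = append(s.audit, fmt.Sprintf("upload %s %s %s", owner, RoleOwner, docID))
}

// View enforces the two-role policy and logs every attempt, allowed or denied,
// before any key is unwrapped. A missing document is reported exactly like a
// forbidden one, so callers cannot probe which document ids exist.
func (s *documentService) View(actor string, role Role, docID string) ([]byte, error) {
	doc, ok := s.store[docID]
	if !ok || !(role == RoleOfficer || (role == RoleOwner && doc.Owner == actor)) {
		s.audit = append(s.audit, fmt.Sprintf("view-denied %s %s %s", actor, role, docID))
		return nil, errors.New("access denied")
	}
	s.audit = append(s.audit, fmt.Sprintf("view %s %s %s", actor, role, docID))
	dek, err := s.keys.unwrap(doc.WrappedDEK, []byte(docID))
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, doc.Ciphertext, []byte(docID))
}

func main() {
	svc := newDocumentService()
	svc.Upload("alice", "doc-1", []byte("constructed sample PDF bytes")) // constructed input
	pt, err := svc.View("officer-1", RoleOfficer, "doc-1")
	fmt.Printf("officer view: %q err=%v\n", pt, err)
	_, err = svc.View("mallory", RoleOwner, "doc-1")
	fmt.Println("non-owner view:", err, "| audit:", svc.audit)
}
```

Whichever option is chosen, the authorization decision in `View` is the thing that has to live in exactly one place: in Option A it is the JWT/IAM check inside the exposed service, in Option B it is the check each business process performs before proxying. The envelope split is what satisfies the "storage is hacked" requirement; it does not by itself decide where that check belongs, which is the real difference between the two options.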