security – Design secure document storage

I think about system which should store and provide access to documents with confidential information. And i found out at least two interaction models, whose safety I would like to evaluate.


The story: user can upload own PDF documents, and than can download them in any time.
Some role in back-office can view those documents.

Requirements

  • Data encryption at storage level. If storage will be hacked, hacker can’t decrypt raw data.

  • It is desirable that none of the systems can decrypt the data on their own.

  • Two roles: document owner – can upload and view document, back-office officer – can view document. View operation will be audited.

  • End user can send document to different business processes.

  • Back-office role can view documents uploaded by users.

Design

We need to figure out:

  • how to encrypt and store documents
  • how to provide access to the documents (to the end user, and back-office officer)
  • how to design interaction between this systems

General decisions

  • create service which handle file encryption, uploads and downloads
  • store documents in the cloud storage (S3 or GCS) and use encryption model provided by the cloud

Option A: public storage service (end-user can use storage service)

model-a

  • expose service to the end user: this service will have authorization mechanism (JWT)
  • service will provide extra access mechanizm to the documents with IAM. This mechanism will be used by the back-office.

Option B: private storage service

model-b

  • user send documents to “business processes”
  • every business process use storage service as implementation detail (verify user, and proxy document to storage)

Question

I think both designs has weak security model. Which option is more safe from your point of view and why?

Related links