
Tested thoroughly by the IAIT: The Enterprise Cloud from DRACOON

DRACOON
6/1/18 3:31 PM

The Institute for the Analysis of IT Components (IAIT) has been producing high-quality, independent tests and video tutorials on new products and solutions in the field of information technology since 2007. In summer 2018, Dr. Götz Güttich and his team took a closer look at DRACOON in a product test.

DRACOON offers secure cloud storage for companies. With the German provider's solution, data is encrypted on the client side, which means that it is stored securely wherever it resides. As a result, not even DRACOON as the manufacturer can access stored customer data. In our test lab we took a close look at the functionality of the product.

DRACOON's cloud storage was specifically tailored to the requirements of companies. In addition to the option of strongly encrypting all data, the system therefore also offers fully custom branding with its own URL and design.

The scope of services also includes comprehensive administration functions that cover a multitude of application scenarios. For example, so-called data rooms can be set up to which only certain users have access. Within these rooms it is also possible to grant users only certain rights and to create data rooms within data rooms. In practice, for example, the user "Andreas", who works in the accounting department, could be given full write and read rights to all files (or subordinate data rooms) in the data room "Accounting", but at the same time only read rights to the sub-data room "Invoices" in the data room of the IT department.

The most interesting fact is that the DRACOON solution does not need a central administrator. The user who creates the account and the first data rooms initially has access to all data in the cloud storage, but can appoint other users as administrators of the individual data rooms. As soon as these users have acquired administrator rights in their data rooms, the first administrator's rights to access these data rooms can be revoked. This ensures that only those employees who really need to see and modify the data to do their job can do so, and it prevents the IT department from always having access to everything that is available in the company. This is especially important when processing particularly sensitive data such as wages, salaries, personnel or even health data.

 

Available user roles

DRACOON distinguishes between five different management roles that can be assigned to users. For example, the "Configuration Manager" may change the system settings, while the "User Manager" has the possibility to create additional users.

The "data room administrators" in turn manage the rights and users within the data rooms, while the "data room users" can upload, delete and send data, depending on the rights assigned to them. The same applies to the creation of download and upload links. All administrator accounts have the latter rights anyway. In addition, external users can temporarily access data rooms via download and upload shares.
 

Encryption and access options

Overall, DRACOON distinguishes between encryption on the client, on the server and during transport. While data on the server and in transit is always encrypted, client-side encryption must be activated manually. To be GDPR compliant, personal data should always be encrypted on the client side.

Access to the cloud storage is possible in a number of different ways. In addition to the web application, which is used for secure control of the solution via the Internet and which also allows files to be uploaded and downloaded, separate client apps are available for the desktop operating systems macOS (from version 10.8.3) and Windows (from Windows 7) as well as the mobile operating systems Android (from version 4.1) and iOS (from version 9.3). Furthermore, IT managers can integrate DRACOON into their Active Directory environment, and a JSON/REST API supports the connection of third-party solutions such as SharePoint.

 

Further functions

In addition to the features already mentioned, DRACOON also offers an Outlook Add-In to secure the delivery of mail attachments. Also of interest are the file versioning and the reporting tool, which we will cover in more detail later.

 

The test

For our test we used the free version of DRACOON, which includes all functions (except the branding features) and is not limited in time. The only limitations are the storage capacity of ten GByte, which is quite generous for a free offer, and the number of users. To take advantage of this offer, users simply need to create an account on the manufacturer's website at https://www.dracoon.com/free, and then they can get started right away.

In addition to the free offer, DRACOON also offers various enterprise versions that are subject to a fee. With the "Cloud Enterprise Solution", the data is stored in certified DRACOON data centres with unlimited data volume. This variant is available for 50 users and more. With the "hybrid solution", which is also available from 50 users, DRACOON is operated from the cloud, while the system stores the files in the customer's own data centre. The "on-premises version", on the other hand, allows installation and operation of the DRACOON solution in the customer's own data centre for 100 users or more.

After setting up our account, we first created various user accounts, created data rooms, assigned rights and checked whether the system behaved as expected during operation.

We then installed the Windows client on various computers running Windows 10 and used it to automatically synchronize the cloud storage between these clients. We then used smartphones running Android 7 and 8 to access our data on the move using the Android client. Under iOS we used various iPads for this purpose. We also took a closer look at the functionality of the Outlook add-in and the reporting tool.

 

The test account

To get a DRACOON account, users only have to provide their name and e-mail address on the above-mentioned website. Afterwards they receive an e-mail containing the URL of the DRACOON server, the user name (this is the e-mail address) and the initial password, as well as a link to the documentation.

After logging in with the new credentials, the user first has to agree to the terms of use and change the password. This is very good, because it ensures that nobody continues to work with the password that was previously sent insecurely by e-mail. After defining the new password, the user lands on the start page of the DRACOON web application and can start working.

 

Manage data rooms and users

The next step was to set up various user accounts and data rooms and assign different rights to them. All this can be done relatively easily via the menu bar and the entries "Users & Groups" and "Manage Data Rooms". If client-side encryption is to be used for local encryption of data, it must first be activated under "Settings". To do this, the responsible employees must first define a system emergency password, with which data can be decrypted if a user of a room has forgotten their personal decryption password. Once this has been done, the system generates the key pair and client-side encryption becomes active.

 
Users who want to use this technology must then define a personal decryption password on the start page. Afterwards, client-side encryption can be used for the existing data rooms. There is also the option of defining a specific data room password for a data room, which can be used to decrypt the data instead of the system emergency password. This makes sense, for example, for data rooms that contain data to which administrators who know the system emergency password should not have access.
 
In general, the administration of users and groups with DRACOON works the same way as with other solutions. There is the option to assign a user name and to specify an e-mail address. Afterwards the system sends an e-mail to the address just defined, containing information about the login and the initial password. Newly created users also have to change the password and accept the terms of use after the first login; then they can work with the system. However, they only receive the configuration options that their rights allow. This means that they can only use the data rooms to which they have access and can only perform actions that have been enabled for them.

User rights & decentralized administration

The system distinguishes between the role "Auditor", who can view the audit log in which user activities are recorded and who can carry out evaluations with the reporting tool, and the role "Room Manager", who manages all data rooms of the top level. Room Managers can create, delete and rename rooms and assign quotas to them. However, they are only granted permission to access room content if a corresponding room administrator allows this.
 
In addition, there are the permissions "User manager" and "Group manager" for managing user accounts and groups. "Configuration Managers" can view and modify the system settings, and "All Roles" is self-explanatory.
Apart from the rights, the authentication methods (Active Directory, E-Mail, OAuth, OpenID or Radius) can be specified when defining a user account. It is also possible to define the groups of which the user is a member and to specify which rights the user has in which data rooms.

Ransomware protection through recycle bin function

The recycle bin, which can be activated, is perfectly suited to defend against ransomware attacks. If such malware attacks a client, it also encrypts the data in a connected DRACOON webspace, but the data can be restored from the recycle bin at any time. The rights that can be assigned for the recycle bin of a data room include the functions "Empty", "Restore content" and "View previous file versions". As far as group administration is concerned, groups can be assigned roles and rights to data rooms in the same way as individual users.

The definition of data rooms

When creating the data rooms, the responsible employees assign a name, limit the size if necessary and activate the recycle bin and file versioning if desired. There is also an option to automatically delete data from the recycle bin after a certain period of time and to activate a room log. In addition, room administrators and room administrator groups can be added to the data rooms in the same place.

The client for Windows

After we had set up our user accounts with their rights and the data rooms according to our wishes, we installed the Windows client on several Windows 10 computers and uploaded various files from one computer to the DRACOON storage. As expected, the data was then synchronized to the other computers, and the client software behaved similarly to what we knew from other services like Dropbox or Box.
However, there is one difference: the DRACOON solution mounts the data storage as a drive and not as a folder. It therefore needs one drive letter on the client computer, or several drive letters when accessing several different accounts.

The apps for Android and iOS

In the next step, we also installed the client programs for Android and iOS on the corresponding end devices and were able to use the data in our DRACOON storage there as well. Access to client-side encrypted folders worked on all client systems without any problems, as did working with the uploaded data. There were also no surprises when working with access rights, user accounts and groups; everything worked as expected.

Sharing, the Outlook Add-In and the reporting tool

Let's conclude with a brief look at the other features of the solution. The "shares" allow uploading and downloading of files even for users without a DRACOON account. Limits and expiration times can be defined and, if desired, access passwords can be assigned, which are transmitted separately, for example via text message.
 
The Outlook add-in helps users to make sending file attachments via e-mail more secure. Once installed, it separates the attachments from the e-mails, uploads them to a designated folder in the DRACOON storage and sends the recipients only a download link from which they can retrieve the data. This behaviour can be deactivated at any time if required.
 
Now to the reporting tool: it gives users with auditor rights an overview of all access rights within the cloud storage, the data rooms, and the users and groups. The tool also helps to identify users with undesired rights, thus raising the security level. The solution is available as a web application at reporting.dracoon.com. If required, all existing data can also be exported as CSV files.
To maintain an overview, auditors can limit the output to certain time periods and set filters. There is also a searchable event log that lists all actions of all users, including downloads, authentications and so on.

 

Conclusion

DRACOON's solution offers secure cloud storage that, thanks to its wide range of functions and powerful clients, can be used just as easily as "traditional" cloud storage from US providers, while scoring points in comparison with a high level of security. Together with the large number of collaboration options for employees, this makes the solution a highly interesting alternative to these providers, especially for European companies that have to comply with the GDPR.