LucidLink compliance

old.reddit.com / @/u/imscavok, https://old.reddit.com/user/imscavok

Does anyone have experience using LucidLink with CUI? I want to use it as an alternative to a NAS (we are fully remote).

LucidLink is a bit of a different concept, where they only store metadata, and they use third party cloud storage services for the actual data. We have users with large files that do not benefit from collaboration or any value added features you get from SharePoint, Box, Egnyte, etc. I have LucidLink set up to store data on AWS GovCloud S3, and have the S3 bucket set up in a way that will result in the storage cost being less than 10% of SharePoint's.

LucidLink itself wouldn't be compliant with DFARS 252.204 as a CSP, but the CUI would never actually touch their services so they should technically be out of scope. Does that sound right?

There are also no logs - LucidLink's philosophy is "zero-knowledge". But looking at 3.3.1, it doesn't seem like it's actually required that logs are generated for events at the individual file level. I'd be able to see them authenticate with the service on their device via SSO, and I can generate logs via the file system/sensitivity labels/DLP. It's not possible to access the storage via a browser.

We also don't have direct access to the encryption keys, but no third parties do either. The keys are exclusively located on the client devices and chained based on the root password+user SSO info.

Does it seem like a viable service?

submitted by /u/imscavok

published 6 months ago
