At UMass Amherst, we’ve received a number of requests to activate Rclone for our Box.com instance – Rclone is currently disabled for our Box.com instance, but FTPS is enabled. In a meeting on the topic, I was asked if there are any security risks associated with enabling Rclone integration, and whether there are any performance benefits to using the Rclone integration over an FTPS connection to Box. I didn’t have a good answer at the time, and am wondering if anyone else has any insight on this.
Could you better explain what you mean by “activate Rclone for our Box instance?” Typically if a user has access to RClone, they can configure their own integration with Box (we even have a walkthrough with RClone and Box under review here. Are you saying that the university / research computing group has a Box account, and users are asking for you to authenticate? Or is it possible to deploy your own Box.com, and allowing integrations is something you have turned off?
Our university has an enterprise subscription to Box.com. For our University’s enterprise users, the Rclone integration is currently disabled.
So, presumably, this means:
- You have Box configured with SSO via SAML or something like that – users must go via an institutional login portal to access their Box accounts online, or use a separate Box-specific password for FTPS.
- You either have disabled OAuth authentication token use completely, or haven’t enabled it specifically for rclone?
So, it looks like, if this works the way I think it does, that there are a few things I can think of that you’d want to consider.
- OAuth credentials may last for significantly longer than ordinary SAML sessions. On the other hand, I guess your current FTPS access uses separate passwords, so that’s a bit of a worry as well. It looks like Box OAuth credentials last 1 hour but can be refreshed automatically indefinitely, which may be a concern – you may want to check whether there is a way for an admin to invalidate a user’s OAuth token.
- OAuth credentials may be stored locally on disk: an attacker with local data access or superuser privileges may have unlimited access to a user’s Box data as long as the credentials remain valid.
- rclone seems to have both a server feature and an experimental remote control feature, that you may consider worrisome things to have users run in conjunction with this.
From a performance point-of-view, I don’t have any figures – I’d assume it’s roughly comparable given they’re both using TLS. It may be a little easier to control the number of parallel transfers in rclone to get the most performance.
On the plus side, it should only use port 443, which is a little easier to configure a firewall for than FTPS.