Kloudless Blog

Data security apps integrate with several different cloud providers via Kloudless, enabling them to offer solutions such as Data Loss Prevention across multiple content repositories without having to learn the ins and outs of each one.

Security-oriented apps commonly need to identify malicious or compromised files or objects, for example by scanning through all content in a cloud storage tenant via admin account privileges. Once a threat is identified, the app can “quarantine” it by moving it out of reach to an isolated location. Often, that secure location is simply within an administrator account in the cloud service itself. This lets the DLP app preserve important information such as the file’s version history, its original creator, links to the file, and more.

However, quarantine functionality often isn’t straightforward to implement. Consider Box, for example. The Box API docs make no mention of moving a file across users via an admin account. The straightforward implementation would be to download the file while impersonating the user, and then upload it to the admin user’s account. This destroys all version history, however.

Fortunately, file collaboration permissions provide a simpler mechanism to achieve this functionality.

Transferring files via shared folders

Shared folders present one solution to preserve file history. First, the developer app impersonates the user whose file needs to be removed and creates a folder (Box docs) to share with the admin:

We use the As-User header to impersonate the user (Kloudless supports this concept via the X-Kloudless-As-User header, across several cloud providers). The Box-Notifications: off header prevents Box from notifying users of this background activity.

The app continues to impersonate the user to make the admin user a co-owner of the new folder (Box docs):

Note that if the admin user is not set up to automatically accept collaborations, the app must also update the collaboration (Box docs) with {'status': 'accepted'} as the admin to accept the pending collaboration.

The app then moves the file to the shared folder as the user, and moves it out of the shared folder as the admin. Here’s the API request to move the file out of the shared folder (Box docs):

The app then deletes the folder (Box docs) while impersonating the user that created it:

The admin user, or any other destination, now has access to the original file.
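
The whole sequence described above, as an added example in Python; it is not Kloudless's or Box's own code. It assumes a hypothetical `send` transport that authenticates with the admin's token (so admin calls carry no As-User header) and a hypothetical `dest_folder_id` in the admin's account; `make_fake_send` is a constructed stand-in for the Box API so the flow runs offline.

```python
API = "https://api.box.com/2.0"

def quarantine(send, user_id, admin_id, file_id, dest_folder_id):
    """Move file_id from user_id into the admin's dest_folder_id, keeping history.
    send(method, url, headers, body) is a hypothetical transport: it adds the
    admin's bearer token, performs the request and returns the parsed JSON."""
    as_user = {"As-User": user_id, "Box-Notifications": "off"}
    as_admin = {"Box-Notifications": "off"}
    # 1. As the user: create a temporary folder in their root folder ("0").
    temp = send("POST", API + "/folders", as_user,
                {"name": "quarantine-" + file_id, "parent": {"id": "0"}})["id"]
    file_in_temp = False
    try:
        # 2. As the user: make the admin a co-owner of the temporary folder.
        collab = send("POST", API + "/collaborations", as_user,
                      {"item": {"type": "folder", "id": temp},
                       "accessible_by": {"type": "user", "id": admin_id},
                       "role": "co-owner"})
        # 3. As the admin: accept the collaboration if it is still pending.
        if collab.get("status") == "pending":
            send("PUT", API + "/collaborations/" + collab["id"], as_admin,
                 {"status": "accepted"})
        # 4. As the user: move the file into the shared folder.
        send("PUT", API + "/files/" + file_id, as_user, {"parent": {"id": temp}})
        file_in_temp = True
        # 5. As the admin: move it out, into the quarantine location.
        moved = send("PUT", API + "/files/" + file_id, as_admin,
                     {"parent": {"id": dest_folder_id}})
        file_in_temp = False
        return moved
    finally:
        # 6. As the user: delete the temp folder, unless the file is still in it.
        if not file_in_temp:
            send("DELETE", API + "/folders/" + temp, as_user, None)

def make_fake_send(log, collab_status="pending", fail_on=None):
    """Constructed stand-in for Box: records each call, returns canned JSON."""
    def send(method, url, headers, body):
        call = (method, url[len(API):], headers.get("As-User"))
        log.append(call)
        if call == fail_on:
            raise RuntimeError("simulated API failure")
        if url.endswith("/folders"):
            return {"id": "F1"}
        if url.endswith("/collaborations"):
            return {"id": "C1", "status": collab_status}
        return {"id": "42", "parent": (body or {}).get("parent")}
    return send
```

If the move out of the shared folder fails, the temporary folder is left in place with the file inside it, so a retry or a manual review can pick up from there.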

This approach works with several other cloud storage services as well, such as Dropbox and Google Drive. Some cloud providers may include more straightforward ways to transfer files, such as OneDrive for Business.

Check out the Kloudless Move API endpoint for an example of an abstracted version that automatically transfers files between accounts in the manner shown above, or uses other approaches as required for a specific cloud storage service. The Kloudless Move and Copy API endpoints can also transfer data (without history) between two entirely unrelated cloud provider accounts by downloading the file from the source and uploading it to the destination.
