Trust is silver, Zero-Knowledge is gold: how to recognize truly secure cloud storage providers
More and more companies are storing their data in the cloud: secret product concepts, research results, financial data and strategy plans. No company can afford to put any of its information, much less its most sensitive data, at risk. It is more important than ever for businesses to protect their data against manipulation, leakage and theft – especially since the advantages of the cloud come with considerable risks attached.
When it comes to storing and sharing documents with cloud providers, the most important thing to be aware of is that the entire journey of data from sender to recipient – if not fully covered by end-to-end encryption – holds critical weaknesses which can result in a data breach. Such data breaches – whether due to cyber-attacks or as a result of human error – create long-term costs and severe reputational damage for businesses.
So, what it boils down to is this question: is your valuable data capital in good hands with mainstream cloud providers? Let’s take a look at the market leaders like Dropbox, OneDrive and Google Drive to see how they measure up in terms of technical security.
The promises they make
As a result of scandalous data breaches, all the providers are emphasizing their commitment to the highest security standards. Dropbox maintains:
“The security of your data is our highest priority and all files stored on Dropbox servers are encrypted.”
They assure their users that they are in control of their data – as OneDrive claims:
“You control your data. When you put your data in OneDrive, you remain the owner of the data.”
But how do these ambitious statements stand up to a technical security test?
Clarity in the jungle of encryption terms
Even though cryptographic references can read like techno-jargon at first glance, it is vital to be familiar with the basics. By the current state of the art, “end-to-end encryption” and “zero-knowledge” are considered the highest available security measures. Despite the fact that the majority of providers advertise that they encrypt user data, in reality they are only applying a form of partial encryption.
But data passes through several stages on its way, and at each stage the same questions must be asked: Is my data encrypted? If yes, where are the encryption keys stored? And who can access my data?
The type of encryption quoted by mainstream providers refers to encrypting data at rest and data in transit. In this regard, all three service providers follow the same strategy relying on standard encryption methods.
- Dropbox encrypts data at rest with a strong 256-bit Advanced Encryption Standard (AES). To protect data in transit, Dropbox uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS), which creates a tunnel protected by at least 128-bit AES encryption.
- The encryption principles applied by OneDrive are very much the same: while transiting to the server, data is protected by using TLS encryption. Once it is stored on the server, Microsoft uses 256-bit AES encryption.
- Google also applies encryption on multiple levels. The entire data transmission between users and G Suite services takes place via HTTPS (Hypertext Transfer Protocol Secure) tunnels. Furthermore, Google proudly claims that, as an industry pioneer, it provides Perfect Forward Secrecy (PFS) for all its services. To protect email communication with external parties, Google encrypts the message transfer to other mail servers with TLS. Data at rest is also encrypted.
Partial encryption exposes your valuable data to unexpected dangers
Encryption in transit and at rest does not cover the entire route the data travels. There are therefore conceivable scenarios in which an attacker could access your data with little effort, for example at the endpoints of a communication channel or on the processing server. Below we’ve highlighted some key problems with the encryption practice commonly used by mainstream providers:
- Server-side encryption: Mainstream providers encrypt on the server side. In other words, files can leave the user’s device unencrypted and are only encrypted once they reach the provider’s server. If a malicious attacker manages to breach the user’s device, data can easily be compromised. Dropbox states this limitation of its own system on its site:
“Dropbox doesn’t provide for client-side encryption. Dropbox also doesn’t support the creation of your own private keys.”
- Unencrypted channels: Although all providers insist that data in transit is encrypted, what they’re referring to is the communication channel, not the data itself that passes through it. If an attacker succeeds in decrypting the channel, the data can easily be accessed and viewed. Beware: danger lurks at the channel endpoints as well.
- Enhanced control is not a guarantee: For particularly important data worthy of protection, OneDrive has released a new feature called a “personal vault” with enhanced security options. Despite the two-factor authentication and automatic locking function, it is basically just a normal folder. The enhanced password protection used by Microsoft is not comparable to the level of security provided by end-to-end encryption. In contrast to this technically unbreakable encryption method, passwords are easy to circumvent.
- Key management by providers: Server-side encryption means that files are encrypted, but providers often manage encryption keys within the same environment as the encrypted files. This is essentially like locking a safe with a key and then putting the key next to it. You can read more about key encryption on OneDrive’s site:
“Each file is encrypted at rest with a unique AES256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault.”
- Disclosing data for law enforcement: Cloud providers can access your data and will also hand over user information upon government requests if they are legally obliged to do so. One example of such a legal obligation is the US CLOUD Act, which governs how US companies handle user data and enables US authorities to access information if necessary. Google states: “When we are legally required to comply with these requests, we deliver that information to the authorities.”
Security indicators: zero trust, zero knowledge
So, there you have it: the encryption applied by mainstream cloud providers is not comprehensive enough to fully secure the data lifecycle. Because of these security gaps along the file transmission path, there are points at which data can be accessed in its unencrypted form, which opens up opportunities for attackers and destabilizes the whole security system.
On top of that, due to their security architecture, Dropbox, Google and Microsoft are able to access your encryption keys and therefore to decrypt your data. They routinely access your data because their business model depends on it: using your information, they can develop new services, improve their offerings, target you with personalized advertising and provide information to subcontractors and the authorities if necessary. And the more people who can access your file content, the higher the risk that it will be compromised – whether accidentally or deliberately.
In other words, big cloud storage providers treat security and privacy as an afterthought, unlike privacy-focused companies who prioritize these factors over convenience.
Tresorit, for example, employs end-to-end encryption, which means the entire transmission route is protected without any weak points or backdoors. Client-side encryption ensures that no file can leave the user’s device in unencrypted form and that files are only decrypted once they reach the recipient’s device. In transit, double encryption is applied, covering both the data and the communication channel, while the encryption keys remain solely in the user’s hands. Paired with the zero-knowledge principle, nobody can access user data, not even Tresorit developers themselves.
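The key-location question raised in the server-side and key-management bullets above, and the client-side model described in this paragraph, as an added Go example (not Tresorit’s code nor any provider’s implementation): both upload models use the same AES-256-GCM primitive, and the only difference is whether the file key lands on the provider’s disk next to the ciphertext. The Stored type, the function names and the sample data are constructed for this demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Stored is what lands on the provider's disk; Key is non-nil only in the server-side model.
type Stored struct{ Blob, Key []byte }
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // wrong key length is a programming error in this demo
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts plaintext under key, prefixing a fresh random nonce to the output.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// ServerSideUpload: plaintext reaches the provider (TLS protected only the channel),
// which generates the file key and stores it right next to the ciphertext.
func ServerSideUpload(plaintext []byte) Stored {
	key := make([]byte, 32)
	rand.Read(key)
	return Stored{Blob: seal(key, plaintext), Key: key}
}
// ClientSideUpload: the client encrypts first, so only ciphertext ever reaches the provider.
func ClientSideUpload(clientKey, plaintext []byte) Stored { return Stored{Blob: seal(clientKey, plaintext)} }

// ProviderRead is what the provider, or anyone it hands data to, can recover on its own.
func ProviderRead(s Stored) ([]byte, error) {
	if s.Key == nil {
		return nil, errors.New("provider holds no key for this blob")
	}
	return open(s.Key, s.Blob)
}
```

In the server-side model ProviderRead returns the plaintext, so a subpoena or a compromised server yields the file; in the client-side model the provider holds only the blob and ProviderRead fails, and the file is recoverable only by calling open with the key that never left the client.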