Many organizations are moving their file storage to the cloud. The convenience of being able to access files from anywhere, and the cost benefits of the cloud are accelerating this migration. Most organizations have chosen one of the big three – Box, Dropbox, or Microsoft OneDrive. There are many factors to consider when making the decision on which vendor to use, including price, compatibility with other systems, functionality etc. But one factor that always needs to be examined is security.
One of the most important security features for cloud storage is encryption. File encryption is a service offered by cloud storage providers whereby your data, or text, is transformed using encryption algorithms and is then placed on a storage cloud. Below, I’ve summarized how Box, Dropbox and OneDrive encrypt your files, and how the encryption keys are managed.
Box encrypts your files at rest using 256-bit AES encryption, and is further protected by an encryption key-wrapping strategy that also utilizes 256-bit AES encryption. As a separate feature for enterprise clients, Box also allows customers to manage their own encryption keys using Box KeySafe. Using KeySafe means Box can never see or access your encryption keys, something that is very important considering that cloud storage providers could be compelled to turn over your data to governments due to legislation such as the US Patriot Act. KeySafe also stores all key usage in an unchangeable audit log.
Dropbox encryption uses 256-bit AES encryption to protect files at rest. The Dropbox encryption service handles all processing for all Dropbox applications. The service splits each file into blocks, and each block is encrypted using AES encryption. Dropbox doesn’t allow customers to manage their own encryption keys. Dropbox publishes a transparency report to share how often they receive government data requests, as well as their government data request principles which guide their responses to those requests. Dropbox say their principles include being transparent, and fighting overly broad requests.
OneDrive encryption for data at rest includes two components – BitLocker disk-level encryption and per-file encryption. BitLocker is currently deployed for OneDrive for Business and SharePoint Online. Per-file encryption is also currently being rolled out in OneDrive for Business and SharePoint Online in Office 365 multitenant. While BitLocker encrypts all data on a disk, per-file encryption uses a unique encryption key for each file. Before they’re stored, the keys to the encrypted content are themselves encrypted and stored in a physically separate location from the content. OneDrive encryption uses Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. The encrypted content is distributed across a number of containers throughout the datacenter, and each container has unique credentials.
In September 2016 Microsoft announced the upcoming availability of customer-controlled encryption keys, sometimes referred to as “bring your own key.” It appears Microsoft is aiming to make this available in the fourth quarter of 2017. Microsoft says “Customer-controlled encryption keys provide an additional layer of security and privacy. You will be able to use customer-managed “master keys” to encrypt/decrypt the individual encryption keys used to encrypt each file. You will also be able to decide to change or revoke access to these keys to guarantee that Microsoft has no way to access encrypted files.”
Why Cloud Storage File Encryption is Sometimes Not Enough
The most stubborn security issues are often caused by user behavior. Dropbox, Box and OneDrive all automatically decrypt your files when you view or download a file, so a user can easily distribute the file with no encryption protection. As a result, your sensitive files could still end up in email, on a desktop or in other clouds where they are not protected.
In addition a recently-discovered security exploit called the man-in-the-cloud attack may allow hackers to bypass both Google Drive encryption and Dropbox Encryption. A skilled hacker could steal the user’s synchronization token — a code that identifies the user to the cloud service. The hacker would then be able to access the user’s account directly without even knowing their login credentials. They could then steal, delete or vandalize anything on the account.
How can you mitigate this risk? Applying a second level of encryption can solve these problems. Using a client side Information Rights Management (IRM) solution would be one possible solution. IRM can ensure that your information will always be protected. IRM solutions apply persistent encryption to files no matter where they are distributed or stored. In addition some IRM solutions allow you to manage your own keys to ensure the privacy of your information.
Whether you settle for the standard file encryption offered by Box, Dropbox and OneDrive, or opt to add additional encryption may depend on the sensitivity of the information you are storing in the cloud.