Letting somebody else watch over your data isn’t exactly an easy decision, no matter the degree of convenience offered by cloud storage.
In fact, I think it’s the digital equivalent of letting someone take control of your bedroom closet. That’s why, it’s important to find a cloud storage service that shows a commitment to trust, demonstrated by more than just words.
I’m talking about architecture here, as opposed to policy and worse, buzz phrases like “military-grade security.” By carefully selecting a cloud service provider, you can gain confidence in the fact that it won’t betray your trust, for one very simple reason.
It can’t. Below, I’ll cover some of the best approaches to cloud security practiced today. And offer my recommendations for cloud storage services that physically can’t give up your data, even if the government comes calling.
Table of Contents:
What is Encryption?
Encryption is a way of scrambling plain text data to keep unwanted parties from reading it. It is derived from the Greek word for “hidden,” kruptos.
Scrambled data, known as ciphertext, can only be unscrambled with a decryption key. Otherwise, it’s total nonsense.
1. Encryption In-Transit
One of the easiest ways for unwanted parties to steal your data is via eavesdropping when your data is in motion over a network.
Such movement is referred to as “in transit,” and interception of data in transit is known as a man-in-the-middle (MiTM) attack.
Cloud services (or any other service that transfers data across the Internet) should have a security protocol implemented, to ensure trust between applications and servers.
Such protocols are TLS (Transport Layer Security), and it’s predecessor, SSL (Secure Socket Layer). Note that today, many professionals and laypeople alike use TLS and SSL interchangeably, often referring to them as TLS/SSL.
That’s because SSL 3.0 was the basis for TLS 1.0, so many people regard the latter as actually just a new version of SSL. TLS/SSL works by requiring parties on either end of a data transfer, to authenticate, using a mutually trusted certification authority.
Data getting transferred is encrypted, and only trusted recipients can decrypt that data.
2. Encryption At-Rest
While encryption in transit is standard practice, surprisingly, encrypting that data while it is “at rest” is not.
While many cloud services will protect data while it gets sent from your computer to their servers or vice versa, they’ll leave your data unencrypted while it’s sitting idle, at rest, on their servers.
The problem with this system is, that it makes your data vulnerable to security breaches. As sophisticated as a company’s cyber security team might be, they’re outnumbered, and such attacks are only on the rise.
For example, according to the Identity Theft Resource Center (ITRC), in 2015, there were 781 reported breaches– the second highest annual total since tracking began in 2005. A good cloud storage service will keep data scrambled at rest, preferably with 256-bit AES encryption.
3. Ciphers
While TLS/SSL bring a necessary layer of security, that security is only as good as the cipher used to protect it.
A cipher is the method of encryption. It’s how you go from plaintext to ciphertext, and back. Breaking a cipher comes down to guessing the key to that cipher.
A key is a decoder that gets plugged into the cipher algorithm and can be used to scramble or unscramble your plaintext data. The more complex the key, the harder it is to guess, even for a relatively powerful computer executing a brute force attack.
A brute force attack is a program that runs through guesses until it guesses right.
4. From DES to AES
From 1977 to 2001, a 56-bit key algorithm known as the “Data Encryption Standard,” or DES, was the cipher of choice.
However, a series of cipher cracking challenges sponsored by the cyber-security consultancy in the late 90s, proved DES’s days got numbered.
Capping these difficulties was DES III. A $250,000 supercomputer known as “Deep Crack,” developed by the Electronic Frontier Foundation, cracked DES with a brute force attack in just over 22 hours.
Thanks to the rapid evolution of processing power, it’s become apparent that a new and more robust standard was required. And so, the U.S. National Institute of Standards and Technology, developed the Advanced Encryption Standard, or AES.
It was a very smart move. Today’s fastest supercomputers can crack DES keys in about 399 seconds (6.65 minutes).
Cracking a 128-bit key, meanwhile, would require 1.02 x 10^37 years, which is longer than the Universe has been around. A 256-bit key, such as AES, would take 3.31 x 10^56 years. Suffice it to say; AES is aimed towards longevity.
6. Zero-Knowledge Architecture
A key management process, in which a cloud service provider puts data access squarely in your hands, is known as “zero-knowledge architecture.”
For those serious about protecting their data, it’s the ultimate safety measure. Of course, hold onto your password tightly, for if it ever gets lost, then it’s bye-bye data forever.
But, that’s the price of top-shelf security. In addition to encrypting data both in transit and at rest, imagine only one person on the planet has the key to decrypting it, you. Which means, a cloud service provider can’t use such data for, say, data mining your purchasing habits.
It also means, they can’t feed your data to the government, either secretly, or under the auspices of a warrant. And even if they did, it’ll still be in AES-256 ciphertext; that will take billions and billions of years to crack.
Even better, suppose that not only your data was encrypted, but its metadata was as well, such as:
Folder names
File names
File sizes
Access times
The Top Tier of Cloud Storage Services
These are the top three cloud storage providers that take their security protocols to the extreme.
Not only do they incorporate a modern approach to both in-transit and at rest data encryption, but even go so far as to cut themselves off from your data, thanks to zero-knowledge’s setup.
#1. Sync.com
For those who prefer to hear it from the source, Sync provides a detailed whitepaper of their security policy.
Much of Sync’s code, including their web panel, is open source. Why is that a good thing? It means that people with the technical expertise to do so, can evaluate aspects of that whitepaper for veracity, which greatly enhances Sync’s trustworthiness.
Our full Sync.com review offers a much more detailed rundown of everything this cloud storage service has to offer.
SSL/TLS is used as a top layer of data transfer security to discourage MiTM attacks
AES 256 encryption secures your private key
Data stored on Sync’s servers is encrypted (at rest encryption)
Zero-knowledge encryption for both file and metadata
Passwords are never transmitted or stored
Sharing and collaboration features are also zero-knowledge
Web panel is open source for greater transparency
Users can choose to enable two-factor identification in lieu of single-sign in
#2. SpiderOak
Just like Sync, SpiderOak is very forward about their security policies, even going so far as to publish a detailed whitepaper.
And just like Sync yet again, they’re a zero-knowledge service that hits nearly all the right bullet points. In fact, the only real downside to their service is that it’s not open source, which means many of their encryption claims can’t be independently verified.
However, SpiderOak does address this issue.
Specifically, they note that while it’s too expensive at this time to extricate shareable code from their primary backup solution, ONE, new solutions like their zero-knowledge password manager, Encryptr, will have its code uploaded to Github.
Have a look at our full review for more on what SpiderOak has to offer.
SSL/TLS is used as a top layer of data transfer security to discourage MiTM attacks
AES-256 encryption secures your private key
Data stored on SpiderOak’s servers is encrypted (at rest encryption)
Zero-knowledge encryption for both file and metadata
Passwords are never transmitted or stored
Sharing and collaboration features are also zero-knowledge
Users can choose to enable two-factor identification in lieu of single-sign in
Unlimited file versioning retention protects against ransomware attacks
#3. pCloud
pCloud incorporates zero-knowledge encryption with a twist.
First, you have to pay extra for it. Known as pCloud Crypto, it costs an additional monthly subscription fee of $3.99. Okay, that’s not exactly a good news twist. But what makes it palatable is the fact that it affords users the choice of either client-side (zero-knowledge) encryption, or server-side encryption.
Server-side encryption facilitates additional data experience options, like thumbnail previews, and media file playability, directly from the cloud. Unfortunately, pCloud doesn’t provide a detailed whitepaper, nor do they offer open source, independent verification of their code.
Check out our pCloud review for more details.
SSL/TLS is used as a top layer of data transfer security to discourage MiTM attacks
AES 256 encryption secures your private key
Data stored on pCloud’s servers is encrypted (at rest encryption)
Choice of zero-knowledge encryption for both file and metadata (costs extra)
In Summary….
So, there you have it. Three cloud storage services that take security seriously. Generally speaking, any major cloud storage option is probably going to encrypt your data while it’s in transit. And if it doesn’t, you should stay far, far away from it.
The same should hold true for encrypting data at rest, and as massive data breaches continue to catch the public eye, it’s a trend that’s likely to continue. Zero-knowledge architecture is a bit of a different scenario, as it comes down to personal choice.
It also happens to be the primary differentiator that sets:
Apart from the competition, and after careful review, these are the choices I’d make for myself. The truth of the matter is, most of us probably don’t need to worry about our data landing us in hot water.
For me, it’s about the principle of “right to privacy.” The simple security of knowing that my data is for my eyes only, unless I choose to share it. But, maybe I’m just funny like that. Thanks for sticking around till the end, and don’t forget to leave a comment below!
