Why Box hasn't solved the cloud encryption conundrum

Davey Winder takes a closer look at Box's recent cloud data encryption push and finds the vendor still has some work to do


I have often been accused of sounding like a broken record when it comes to data encryption in the cloud, so you might think I'd be pleased Box has announced the launch of its Beta 'Box EKM' solution. Unfortunately, it takes a lot to please me and this isn't enough.


Enterprise Key Management (EKM) is designed to enable enterprises to "control their own encryption keys, while still leveraging Box's best-in-class content management and collaboration capabilities," the cloud storage firm says. This appears to solve the perennial problem of how the enterprise can maintain control over encryption keys while enabling the kind of collaborative and management functionality demanded of cloud services.

If you want to leverage features like deduplication, search indexing, in-line virus scanning, content previews, and information rights management, then the cloud provider needs access to unencrypted data. Or at least it does until the promise of homomorphic encryption (HE), computing on data while it stays encrypted, is realised at some point in the future.

So, just how practical, in security terms, is the Box EKM solution?



What Box offers is a system involving the provisioning of hardware security modules (HSMs), which are essentially dedicated key management appliances. The enterprise has full control over the management of these HSMs, provisioned at Amazon Web Services and in its own datacentre, but gives Box a secure connection to them.

Files uploaded to Box are then encrypted with a unique key, as usual, but that key is then sent to the HSM, where it is encrypted with the customer's own key. With me so far? The idea is that from this point in the process the enterprise has full control over the decryption keys, and Box is only able to access the files with the customer's approval.

The HSM also provides an audit log of all transactions directly to the customer, so the enterprise can check that no unauthorised access to data has occurred. Good stuff, right? Possibly, as far as it goes, which isn't far enough, I'm afraid. Unless data is fully encrypted on the client side, the circle of trust cannot be considered unbreakable, because server-side questions will always come into play. How that client-side encryption affects service functionality is another question, of course, and security always comes down to balancing potential risk against practical realities.


I'm not knocking the security at Box. It does as good a job as any with layered encryption in transit via TLS and multi-layered encryption at rest with 256-bit AES. Its processes are also backed by a raft of content security policies that mitigate data loss by alerting users to unusual download activity or file sharing.

What I am knocking is the idea that Box EKM is some kind of panacea for the data privacy problem, and - in particular - for the 'can the government access my stuff' question.

Box argues it cannot accede to government requests for data access unless the customer authorises it, as it has no access to the encryption keys. Without EKM, such a request could be made and fulfilled without the customer ever knowing, if that valid request demanded secrecy.

Here's the thing, though: unless the data is encrypted by ME and BEFORE it gets sent anywhere, how can I be 100 per cent sure it is secure? Other cloud vendors make a point of taking a 'zero knowledge' approach to data privacy: by encrypting data on the client side, the cloud server never sees plaintext and the cloud service never has the keys, even for a moment.


Some enterprises will employ an encryption gateway product that detects when sensitive data is about to leave the corporate network perimeter and encrypts it before it does. Obviously, these introduce additional problems into the cloud data security equation, such as infrastructure overheads or the 'don't lose your bloody key or you lose your bloody data' conundrum. But hey, nobody said that ensuring cloudy data privacy was an easy nut to crack.
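To make the two designs contrasted here concrete, below is an added illustration written for this page; it is not Box's code and nothing in it comes from Box's API or documentation. It models the EKM flow described above (a per-file key wrapped by a customer-controlled HSM that approves and logs every unwrap) beside the zero-knowledge alternative (the client encrypts before upload and the service only ever holds ciphertext). The `HSM` type, the caller names such as `preview-service`, the approval policy and the sample document are all assumptions of the model. It also shows the two costs mentioned in passing: a provider cannot deduplicate or index randomised ciphertext it cannot read, and a lost client key means lost data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG; a failure here is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block)
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...)
}

// open reverses seal; a wrong key or tampered ciphertext fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// HSM stands in for the customer-controlled key appliance (an assumption of this
// model): it holds the master key, unwraps per-file keys only for approved callers
// and logs every request for the customer's audit trail.
type HSM struct {
	masterKey []byte
	approved  map[string]bool
	AuditLog  []string
}

func (h *HSM) Wrap(dek []byte) []byte { return seal(h.masterKey, dek) }

func (h *HSM) Unwrap(caller string, wrapped []byte) ([]byte, error) {
	if !h.approved[caller] {
		h.AuditLog = append(h.AuditLog, "DENY unwrap: "+caller)
		return nil, errors.New("unwrap denied for " + caller)
	}
	h.AuditLog = append(h.AuditLog, "ALLOW unwrap: "+caller)
	return open(h.masterKey, wrapped)
}

// ekmUpload models the EKM flow: the provider encrypts the file under a fresh
// per-file key (DEK), has the HSM wrap that DEK, and stores both blobs.
func ekmUpload(h *HSM, content []byte) (ciphertext, wrappedDEK []byte) {
	dek := randomBytes(32)
	return seal(dek, content), h.Wrap(dek)
}

// providerRead models a provider-side component (preview, scan, index) reading a
// file: the HSM decides and logs, but once approved the provider holds DEK and plaintext.
func providerRead(h *HSM, caller string, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := h.Unwrap(caller, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}

// clientSideUpload is the zero-knowledge alternative: the client encrypts under a
// key it never shares, so the provider only ever receives ciphertext.
func clientSideUpload(clientKey, content []byte) []byte { return seal(clientKey, content) }

// contentID is how a provider deduplicates or indexes: by hashing what it holds.
func contentID(data []byte) [32]byte { return sha256.Sum256(data) }

func main() {
	doc := []byte("Q3 board minutes (constructed sample)")
	hsm := &HSM{masterKey: randomBytes(32), approved: map[string]bool{"preview-service": true}}
	ct, wrapped := ekmUpload(hsm, doc)
	pt, _ := providerRead(hsm, "preview-service", ct, wrapped)
	_, denied := providerRead(hsm, "undisclosed-request", ct, wrapped)
	fmt.Printf("provider read %q; other request: %v; audit: %v\n", pt, denied, hsm.AuditLog)
	key := randomBytes(32)
	c1, c2 := clientSideUpload(key, doc), clientSideUpload(key, doc)
	_, lost := open(randomBytes(32), c1)
	fmt.Println("dedup on ciphertext possible:", contentID(c1) == contentID(c2), "| lost key:", lost)
}
```

The point the model makes is the column's own: in the EKM flow the customer gets a veto and an audit entry, but an approved provider component still ends up holding the plaintext, so the trust question moves to who is on the approved list and how the provider handles data once unwrapped. In the client-side flow the provider can neither read nor deduplicate the file, and nobody can recover it if the client key is gone.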
