Why Box hasn't solved the cloud encryption conundrum
Davey Winder takes a closer look at Box's recent cloud data encryption push and finds the vendor still has some work to do
I have often been accused of sounding like a broken record when it comes to data encryption in the cloud, so you might think I'd be pleased Box has announced the launch of its Beta 'Box EKM' solution. Unfortunately, it takes a lot to please me and this isn't enough.
Enterprise Key Management (EKM) is designed to enable enterprises to "control their own encryption keys, while still leveraging Box's best-in-class content management and collaboration capabilities," the cloud storage firm says. This appears to solve the perennial problem of how the enterprise can maintain control over encryption keys while enabling the kind of collaborative and management functionality demanded of cloud services.
If you want to leverage features like deduplication, search indexing, in-line virus scanning, content previews, and information rights management, then the cloud provider needs access to unencrypted data. Or at least it does until the promise of Homomorphic Encryption (HE) is realised at some point on the technological advances horizon.
So, just how practical, in security terms, is the Box EKM solution?
What Box offers is a system involving the provisioning of hardware security modules (HSMs), which are essentially dedicated key management appliances. The enterprise has full control over the management of these HSMs, provisioned at Amazon Web Services and in its own datacentre, but gives Box a secure connection to them.
Files uploaded to Box are then encrypted with a unique key, as usual, but that key is then sent to the HSM, where it is encrypted with the customer's own key. With me so far? The idea is that from this point in the process the enterprise has full control over the decryption keys, and Box is only able to access the files with approval.
The HSM also provides an audit log of all transactions directly to the customer, so the enterprise can ensure no unauthorised access to data has occurred. Good stuff, right? Possibly, as far as it goes, which isn't far enough, I'm afraid. Unless data is fully encrypted on the client side, the circle of trust cannot be considered unbreakable, because server-side questions will always come into play. How that client-side encryption impacts upon service functionality is another question, of course, and security always comes down to balancing potential risk against practical realities.
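To make that trust boundary concrete, here is an added illustration in Go of the flow just described; it is not Box's code and not the author's. It assumes a simulated customer HSM (CustomerHSM) that wraps per-file keys with AES-256-GCM and logs every unwrap, and a provider that keeps only ciphertext plus the wrapped key but must still ask for the plaintext to serve a preview or index.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

func randomKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// seal prefixes a fresh nonce to AES-256-GCM ciphertext; open reverses it and fails on a
// wrong key or altered data. Keys always come from randomKey, so the constructors cannot fail.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	a, _ := cipher.NewGCM(block)
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce)
	return a.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	a, _ := cipher.NewGCM(block)
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], nil)
}

// CustomerHSM is an assumed stand-in for the customer-run key appliance: the master key never
// leaves it, and every unwrap is recorded, which is the audit trail the article describes.
type CustomerHSM struct{ masterKey []byte; AuditLog []string }

func (h *CustomerHSM) Wrap(fileKey []byte) []byte { return seal(h.masterKey, fileKey) }
func (h *CustomerHSM) Unwrap(wrapped []byte, fileID, requester string) ([]byte, error) {
	h.AuditLog = append(h.AuditLog, "unwrap "+fileID+" by "+requester)
	return open(h.masterKey, wrapped)
}

// StoredFile is all the provider retains: ciphertext plus the HSM-wrapped per-file key.
type StoredFile struct{ Ciphertext, WrappedKey []byte }

// Upload: a fresh per-file key encrypts the content, then the customer's HSM wraps that key.
func Upload(h *CustomerHSM, pt []byte) StoredFile {
	k := randomKey()
	return StoredFile{Ciphertext: seal(k, pt), WrappedKey: h.Wrap(k)}
}

// ProviderRead is what a preview or search index needs: once the HSM unwraps the key, the
// plaintext exists on the provider side, which is exactly the article's objection.
func ProviderRead(h *CustomerHSM, fileID, requester string, f StoredFile) ([]byte, error) {
	k, err := h.Unwrap(f.WrappedKey, fileID, requester)
	if err != nil {
		return nil, err
	}
	return open(k, f.Ciphertext)
}
```

The audit log shows the customer every decryption request, and a wrong master key or a tampered blob is rejected, but nothing here stops the provider from seeing plaintext after an approved unwrap.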
I'm not knocking the security at Box. It does as good a job as any with layered encryption in transit via TLS and multi-layered encryption at rest with 256-bit AES. Its processes are also backed by a raft of content security policies that mitigate data loss by alerting users to unusual download activity or file sharing.
What I am knocking is the idea that Box EKM is some kind of panacea to the data privacy problem, and - in particular - to the 'can the government access my stuff' question.
Box argues it cannot cede to government requests for data access unless the customer authorises it, because it has no access to the encryption keys. Without EKM, such a request could be made and fulfilled without the customer knowing, if that valid request demanded secrecy.
Here's the thing, though: unless the data is encrypted by ME and BEFORE it gets sent anywhere, how can I be 100 per cent sure it is secure? Other cloud vendors actually make a point of having a 'zero knowledge' approach to data privacy: by encrypting data on the client side, the cloud server never sees plaintext and the cloud service never holds the keys, even for a moment.
Some enterprises will employ an encryption gateway product that detects when sensitive data is about to leave the corporate network perimeter and encrypts it before it does. Obviously, these introduce additional problems into the cloud data security equation, such as infrastructure overheads or the 'don't lose your bloody key or you lose your bloody data' conundrum. But hey, nobody said that ensuring cloudy data privacy was an easy nut to crack.