Encryption has been a hot topic for the past 12 months as individuals and businesses have become increasingly conscious of surveillance campaigns, as well as malware such as CryptoLocker that flips the table and makes encryption into a destructive, rather than protective, feature. During this time period, Web companies such as Yahoo have finally come around on offering SSL and HTTPS by default to all users, ensuring safer communications and better data privacy.
Still, encryption isn’t evenly implemented across the Web, and cloud storage services are some of the most significant soft spots. Products such as Dropbox and SugarSync have considerable mind share among consumers, and their popularity has spilled over into the enterprise, with a growing number of businesses now eager to integrate easy file sharing into their IT operations. But how secure are these services that were originally designed as consumer solutions?
An entire ecosystem of third-party add-ons and alternatives has sprung up to assuage the concerns of security-minded organizations. For example, Boxcryptor and Cloudfogger both enable encryption of local files before they’re uploaded, while enterprise-grade solutions from providers such as Egnyte give companies a way to seamlessly interweave local and remotely hosted file management. In other words, there’s an ongoing land grab for enterprise file sharing and cloud storage, and encryption and security mechanisms have turned into key product differentiators. How did things end up like this?
While there’s no shortage of developers offering file encryption, Dropbox and its ilk have so far refrained from enabling similar features by default, creating an inherent weakness in the cloud service market, no matter how many third-party remedies pop up. A recent server glitch at Dropbox highlighted the high stakes of keeping cloud data safe – while the incident was brief and relatively harmless, it raises the question of what could happen to millions of unprotected files in the event of a malicious breach.
Dropbox glitch may make the case for encryption by default
Some cloud storage services have already implemented encryption, perhaps in response to revelations about the U.S. National Security Agency’s surveillance programs. Google Cloud Storage, the company’s platform for developers and businesses with operations in the cloud, shifted to encryption by default last summer, but Google did not extend the same features to its consumer-facing Google Drive service.
Dropbox, one of the oldest and most prominent consumer cloud solutions and one that now boasts more than 200 million users, does not use encryption by default. However, the company states that its employees operate in a zero-knowledge environment, meaning that they don’t know the contents of any customer files stored on the service.
Still, it’s hard for Dropbox users to verify this claim, and the company and its fellow storage providers are fast becoming the exception rather than the rule as more providers move to always-on encryption. Certificates can use longer keys than ever before, and encryption for data at rest can now be done in hardware, making the prospect of a mostly encrypted Internet seem much more realistic.
Cloud storage providers’ rationale for avoiding default encryption is unclear, although it could be related to legal scrutiny or technical considerations. All the same, users are being asked to place a high level of trust in these companies and take them at their word when they say that they operate secure environments.
Recent incidents suggest that there’s still work for cloud storage companies to do in securing files. During what it called a routine maintenance operation, Dropbox saw a chunk of its core services taken offline and/or rendered unstable for several days. This wasn’t Dropbox’s first outage – trouble with Amazon Web Services led to downtime in 2012, while upload syncing via the desktop client was adversely affected in early 2013 – but it may have been the most consequential, with some users of advanced packages such as Dropbox for Teams upset at the lack of communication and the length of the delay, which was caused by prolonged database retrieval operations.
The Dropbox incident wasn’t a “hack” per se, and there’s no evidence that sensitive data was exposed or that users were put in harm’s way. But the event points to the fragile nature of hyperscale services – if a server OS upgrade can go bad and affect millions of users, then it may be worth thinking about what a lack of encryption by default could lead to.
Encryption by default is already picking up momentum – why are storage providers on the fence?
The NSA revelations, along with recent cybersecurity breaches in the retail sector, have led some Web companies to enforce encryption by default. Yahoo Mail got HTTPS by default earlier this year, a move that came in the midst of ongoing security troubles with malware-laced display advertisements and attempted database hacks.
Similarly, Yahoo-owned Tumblr recently announced that it would be adding HTTPS as an option. It stopped short of making it the default, perhaps due to technological challenges, and some observers have questioned the move, especially in light of the number of users who access Tumblr and similar services via mobile apps.
“The addition of SSL is surely better than plain old HTTP and makes sense especially when the user accesses the service via a mobile application,” Bitdefender senior analyst Bogdan Botezatu told PC World. “However, SSL only makes sense if it is enabled by default, because the regular user won’t likely alter the default account settings.”
Indeed, many users connect to unsecured, untrusted mobile networks such as public Wi-Fi. By doing so, they run the risk of man-in-the-middle attacks that intercept traffic and use it to take over accounts. While a hijacked Tumblr account would certainly be damaging to an individual’s privacy and security, the fallout would likely be more significant if a service such as Dropbox or Microsoft OneDrive were affected.
There are obstacles to implementing encryption. Only 35 percent of the 4,800 business and IT managers surveyed by the Ponemon Institute work at organizations with encryption strategies, underscoring the challenges that remain. But cloud storage providers should be especially proactive about encrypting data, given the scale at which they operate and the level of trust they have from consumers.