Even the most secure cloud storage may not be so secure, study finds

Zero-knowledge products are a misnomer


Some cloud storage providers who hope to be on the leading edge of cloud security adopt a "zero-knowledge" policy, under which they say it is impossible for customer data to be snooped on. But a recent study by computer scientists at Johns Hopkins University is questioning just how secure those zero-knowledge tactics are.

Zero knowledge cloud services usually work by storing customer data in an encrypted fashion and only giving customers the keys to unencrypt it, rather than the vendor having access to those keys. But the researchers found that if data is shared within a cloud service, those keys could be vulnerable to an attack allowing vendors to peer into customer data if they wanted to. The study casts doubt over these zero-knowledge clouds and reinforces advice from experts that end users should be fully aware of how vendors handle their data.

Zero-knowledge cloud vendors examined by the researchers - in this case SpiderOak, Wuala and Tresorit - typically use a method where data is encrypted when it is stored in the cloud and only unencrypted when the user downloads it again from the cloud. This model is secure. But the researchers warn that if data is shared in the cloud, meaning that it is sent via the cloud service without the user downloading it on to their system, then vendors have an opportunity to view it.

"Whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers' files and other data," lead author Duane Wilson, a doctoral student in the Information Security Institute at the Department of Computer Science at Johns Hopkins University, was quoted as saying in a review of the report. View the full PDF of the report here.

It's common for these vendors to rely on a middle-man service which verifies users before providing keys to unencrypt the data. The researchers found that providers sometimes provide their own verification. This presents an opportunity for vendors to potentially issue fake credentials that would unencrypt the data and allow providers to view the information. It's similar to a traditional "man in the middle" security attack.

The researchers say they found no evidence of customer data being compromised, nor have they identified any suspicious behavior by vendors, but the researchers said it could be a vulnerability. "Although we have no evidence that any secure cloud storage provider is accessing their customers' private information, we wanted to get the word out that this could easily occur," said Giuseppe Ateniese, an associate professor who supervised the research. "It's like discovering that your neighbors left their door unlocked. Maybe no one has stolen anything from the house yet, but don't you think they'd like to know that it would be simple for thieves to get inside?"

Representatives at SpiderOak, one of the vendors mentioned in the report that markets a "zero knowledge" service, said they agree with some aspects of the study's findings. SpiderOak encourages customers to use a desktop application to transfer files instead of doing so through the company's web portal. Using SpiderOak's desktop application will ensure end users are verified to unencrypt the data, eliminating the opportunity for the vendor to compromise the data. Upon signing into SpiderOak's service, users are required to check a box indicating that they understand that a desktop application must be used to achieve true zero knowledge.

SpiderOak says it hopes to allow collaboration services around its cloud platform, meaning data would be transferred within its cloud. To enable this functionality, SpiderOak says it plans to use a combination of RSA secure identifications along with a key and encryption platform. It also hopes to provide users a way to securely verify the identity of whoever is viewing the files. Some vendors, like encrypted communication provider Silent Circle, use a voice recognition tool to provide this functionality, and SpiderOak says it is investigating similarly "elegant" ways to verify that data is only shared with people approved by its owner.
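The sharing weakness described above comes from the sender accepting whatever recipient key the provider vouches for, and the identity verification discussed here is the countermeasure. The sketch below is an added example, not code from the article, the study or any vendor: it refuses to share unless the key the provider serves matches a fingerprint the sender confirmed with the recipient over a separate channel. The key bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for encoded public keys; not real key material.
RECIPIENT_KEY = b"constructed-public-key:recipient"
SUBSTITUTED_KEY = b"constructed-public-key:generated-by-provider"


class UnverifiedKeyError(Exception):
    """Raised when a served key cannot be tied to the intended recipient."""


def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the encoded key, grouped in fours for comparing by eye or voice."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalise(fp: str) -> bytes:
    """Drop spacing, colons and case so a typed or dictated fingerprint compares."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef").encode()


def key_for_sharing(served_key: bytes, out_of_band_fp: Optional[str]) -> bytes:
    """Return the served key only if it matches the independently verified fingerprint."""
    if out_of_band_fp is None:
        # Without an independent check, only the provider vouches for this key.
        raise UnverifiedKeyError("no out-of-band fingerprint for this recipient")
    served = normalise(fingerprint(served_key))
    if not hmac.compare_digest(served, normalise(out_of_band_fp)):
        raise UnverifiedKeyError("served key does not match the verified fingerprint")
    return served_key


def audit(served_key: bytes, out_of_band_fp: Optional[str]) -> str:
    """Summarise the decision for a share request as 'ok' or 'refused: <reason>'."""
    try:
        key_for_sharing(served_key, out_of_band_fp)
        return "ok"
    except UnverifiedKeyError as exc:
        return f"refused: {exc}"
```
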

Senior Writer Brandon Butler covers cloud computing for Network World and NetworkWorld.com. He can be reached at BButler@nww.com and found on Twitter at @BButlerNWW. Read his Cloud Chronicles here.  


