Cloud and privacy: is it possible?
Published on 08/03/2021 by Giuliano Ippoliti, Director of Cybersecurity at Cloud Temple

More and more businesses and individuals are turning to the cloud, but security is still the main obstacle to its adoption. The concern most often expressed is the loss of control over one's data, particularly if the Cloud Service Provider (CSP) is foreign, as is the case with the public cloud giants Amazon (AWS), Microsoft (Azure) and Google (GCP).

There are many feared events: data seizure by the US government (cf. Cloud Act, NSA), compromise of the cloud by a hostile state (cf. cyber attacks from Russia or North Korea), breach of confidentiality by CSP staff, etc.

This article looks at the simplest use case: using the cloud for file storage, where the customer uses a SaaS offering of the 'drive' type (OneDrive, Google Drive, Dropbox) or the 'object storage' type (AWS S3, Azure Blob Storage).

How can data confidentiality be protected in the face of these threats? The answer, of course, lies in encryption, but not just any old way!

Let's look at several alternatives, in ascending order of safety.

Unencrypted data: let's move on quickly, this offers no security whatsoever, not even in the face of a curious system administrator within the supplier.

Server-Side Encryption (SSE) with encryption keys managed by the CSP: in this case, the cloud host itself encrypts the data with its own keys when it is stored, without the user having to do anything other than tick a box (AWS), or nothing at all where it is activated automatically (Azure). This protects against certain basic threats, such as the reuse of storage media from client A for client B, or the theft of hard disks from a data centre. However, since the supplier manages the keys, this provides only limited confidence.

Server-side encryption (SSE) with encryption keys supplied by the customer: otherwise known as Bring Your Own Key (BYOK), this method does not, in my view, provide any real additional security compared with the previous method. Admittedly, in this case the CSPs declare that they do not store the keys supplied by customers, but technically they could do so if they wanted to or if they were forced to.

Client Side Encryption (CSE): also known as zero-knowledge, this is undoubtedly the most secure alternative. The client encrypts the data with its own key before outsourcing it to the cloud; the CSP has no knowledge of this key at any time. In this case, even an attacker who managed to compromise an entire cloud could only recover unintelligible encrypted data. Data confidentiality is guaranteed as long as the customer's endpoint is not itself compromised.

There's no doubt about it: client-side encryption is *the* solution for protecting your data in the cloud.

Some providers already offer this, either free of charge or for a fee: Sync, pCloud, Mega, Icedrive, SpiderOak. Note that Icedrive does not even trust AES, which it considers suspect, preferring Bruce Schneier's Twofish.

That said, CSE has not yet taken off and is mainly limited to backing up data to the cloud. Why is that?

Its weakness is the flip side of its strength: because the server cannot see the data in clear text, it is unable to index it and extract its value. This greatly limits business uses: even a simple keyword search in a file becomes problematic on the server side. Indexing ends up being carried out by mirroring the data on the client side, on its unencrypted local copy, which is not really in the spirit of the cloud.

Are we therefore obliged to sacrifice the computing performance of cloud servers and carry out the "heavy lifting" on the client side?

It would appear not, as new techniques are emerging that allow the server to search directly on the encrypted data. A very promising method is explained in the paper that can be downloaded from [1]: it is based on the generation of an encrypted index by the client, which allows the server to retrieve the corresponding documents, without knowing their content or even the keyword searched.
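The general idea of a client-generated encrypted index can be sketched with keyed keyword tokens. This is an added example, not code from the article and not the scheme of the paper in [1]; the names `keyword_token`, `build_encrypted_index`, `Server`, the object ids and the sample documents are assumptions made for illustration, and the encryption of the files themselves is left out.

```python
import hashlib
import hmac
import re
from collections import defaultdict

def keyword_token(index_key: bytes, word: str) -> str:
    """Keyed, deterministic token: only a holder of index_key can compute it."""
    return hmac.new(index_key, word.lower().encode("utf-8"), hashlib.sha256).hexdigest()

def build_encrypted_index(index_key: bytes, documents: dict) -> dict:
    """Client side: map keyword tokens to the opaque ids of matching objects."""
    index = defaultdict(set)
    for object_id, plaintext in documents.items():
        for word in set(re.findall(r"[a-z0-9]+", plaintext.lower())):
            index[keyword_token(index_key, word)].add(object_id)
    return {token: sorted(ids) for token, ids in index.items()}

class Server:
    """Server side: stores tokens and object ids, never the key or plaintext."""
    def __init__(self, encrypted_index: dict):
        self.index = encrypted_index

    def search(self, token: str) -> list:
        return self.index.get(token, [])

# Constructed sample data. The key is fixed so the demo is reproducible;
# a real client would generate it with os.urandom(32) and keep it local.
INDEX_KEY = bytes(range(32))
DOCS = {
    "obj-01": "Quarterly invoice for ACME",
    "obj-02": "Meeting notes: invoice dispute",
    "obj-03": "Holiday photos",
}

def demo():
    server = Server(build_encrypted_index(INDEX_KEY, DOCS))
    hits = server.search(keyword_token(INDEX_KEY, "Invoice"))
    # A party without the key cannot form a valid query token.
    no_key = server.search(keyword_token(b"\x00" * 32, "invoice"))
    return hits, no_key

if __name__ == "__main__":
    print(demo())
```

Because the tokens are deterministic, the server can still observe which queries repeat and how many objects each one matches; published searchable-encryption schemes add further machinery to limit that leakage.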

This research will undoubtedly continue, giving us real hope of being able to combine the power of the cloud with data protection.

[1] https://info.ionic.com/hubfs/IonicDotCom/Resources/Assets/Securing%20the%20Cloud%20with%20Client-Side%20Encryption.pdf
