Why, and how, encryption can make the cloud safer

March 5th, 2014

By Jieming Zhu, Special for Last Watchdog

(Editor’s note: In this guest Last Watchdog essay, Jieming Zhu, CEO of AlephCloud, outlines the promise – and pitfalls – of encrypting data to make things safer. AlephCloud supplies cloud-based security and privacy services.)

As commerce, communities, and collaboration move to public clouds, sensitive and private documents should be encrypted.

On the flip side, encryption can introduce new threats to privacy and security from diverse sources.

It may be necessary for a consultant, for example, to have access to company data since they are providing some useful function for the business. Or a government entity may have sovereign or law enforcement authority to access data, with an obligation to uphold the law and preserve national security.

The debate has raged since Edward Snowden absconded with confidential NSA data.

While encryption is generally well understood, key management, which is complex, is not.

For example, if a company wants to store documents in the cloud, they can manage their own keys. But if they want to share files with parties outside the organization, that’s not so easy. And if a company is trying to share with multiple parties, each with different national legal frameworks, well, that can quickly become a nightmare.

Here’s how current cloud providers approach the problem. In general, they encrypt files “in transit” to the cloud using SSL. But in order to index file content for search or provide preview capabilities (just two examples of capabilities the cloud provider may offer), they decrypt the file, index it, create the preview, and then encrypt it to disk as shown below.

What this means is that the cloud provider has access to the content, and could be obliged by a sovereign entity, such as the government, to hand over the content.

A better approach is to divide, encrypt, distribute, and mediate keys—also using strong cryptography—such that only content owners and their assignees can reconstruct and use them. This is known as Federated Key Management.

This approach to managing encryption keys is powerful because it makes it possible to enforce something referred to as Zero Knowledge.

Zero Knowledge describes a state in which cloud providers and other entities cannot access confidential corporate data without the knowledge and, presumably, the permission of the owner of the data.

Wider adoption of these approaches can help to protect our privacy and security, while also making it harder to mask criminal and subversive activities.