Cryptographic Cloud Storage
Posted by Hemprasad Y. Badgujar on February 25, 2013
survey the benefits such an architecture would provide to both customers and service providers and give an overview of recent advances in cryptography motivated specifically by cloud storage.
Cloud Storage Vendors Offering Encryption as a Service
Cloudfogger: The current version is more versatile and easier to use than the original. You access most Cloudfogger functions from the right-click context menu in the file system (e.g., Windows Explorer). Security is of course the most important aspect of encryption software, and Cloudfogger has that well covered too, with the AES 256-bit encryption algorithm and PBKDF2 key derivation. It also provides client-side password recovery.
Cloudfogger provides client-side encryption for all files in any folders (up to 5 for the free version) you want to select. It integrates seamlessly with Dropbox, SkyDrive, Box, Google Drive, or any other cloud storage service. The cloud only sees encrypted files since that is all that actually exists in the folders. The files are visible locally as unencrypted files when you are signed in to the Cloudfogger app though. Cloudfogger implements these two views – internal and external – using on-the-fly encryption. Folders that you “Fogg” (auto-encrypt) serve as encrypted file containers. Fogging also applies a file system overlay that presents the folder contents to the user as unencrypted files.
Cloudfogger has quickly become part of my backup solution. I use Cloudfogger to encrypt a few selected folders in Dropbox, SkyDrive and Google Drive. Now my encrypted files are synced between all the computers that I install Cloudfogger on. Because Cloudfogger encrypts one file at a time, open files are synced as soon as you save them. Cloudfogger currently provides client apps for Windows, Mac OS X and Android, with iPad and iPhone coming soon.
You can also encrypt and decrypt non-synced folders or single files via the Windows Explorer context menu. That’s handy when you only want to encrypt a few files, for example to take them with you on a USB drive.
BoxCryptor provides most of the same functions as Cloudfogger does. It is integrated with the file system in a different way though. BoxCryptor uses an encrypted virtual-drive interface that is linked to an ordinary folder. Cloudfogger encrypts a single folder that it augments with a virtual-folder overlay to give cleartext access. I prefer the single folder solution, but other users prefer the virtual drive. BoxCryptor is available for Windows, Mac, iPhone, iPad, and Android.
However, the BoxCryptor approach leaves users open to fatal mistakes. All files to be encrypted must be placed in the virtual drive or they will not be encrypted. Any files placed directly in the “encrypted folder” [their name] are not encrypted. You must go through the virtual drive to encrypt the files. That can be hard to remember, and there is no indication of mistakes. Of course, files you see in the “encrypted folder” that were written there by the virtual drive are encrypted.
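The silent failure just described can be made visible with a periodic scan of the “encrypted folder”. The script below is an added example, not code from the original post or from BoxCryptor: since the post does not describe BoxCryptor’s on-disk format, it flags files by a byte-entropy heuristic, and the folder contents and file names are constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter

def shannon_entropy(data):
    """Bits per byte: ciphertext approaches 8.0, documents and text usually stay well below 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path, threshold=7.5, sample_size=65536):
    """Heuristic only: compressed formats (zip, jpeg, docx) also score high and would be missed."""
    with open(path, "rb") as f:
        return shannon_entropy(f.read(sample_size)) >= threshold

def find_unencrypted(folder, min_size=4096):
    """Walk the "encrypted folder" and report files that still look like plaintext.
    Files under min_size are listed separately: the entropy estimate is unreliable there."""
    suspects, too_small = [], []
    for root, _, names in os.walk(folder):
        for name in names:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, folder)
            if os.path.getsize(path) < min_size:
                too_small.append(rel)
            elif not looks_encrypted(path):
                suspects.append(rel)
    return sorted(suspects), sorted(too_small)

def demo_scan():
    # Constructed sample folder: random bytes stand in for a properly encrypted file, a
    # text note mimics a file dropped straight into the folder by mistake, and a tiny
    # file is too short to judge.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "report.docx.enc"), "wb") as f:
            f.write(os.urandom(8192))
        with open(os.path.join(d, "notes.txt"), "w", encoding="utf-8") as f:
            f.write("quarterly numbers and customer list\n" * 300)
        with open(os.path.join(d, "tiny.enc"), "wb") as f:
            f.write(os.urandom(64))
        return find_unencrypted(d)
```

Run `find_unencrypted` against the real encrypted folder and alert on any non-empty first list; treat the second list as “needs a manual look”.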
TrueCrypt is a top-rated product for most uses, but there is a potential backup trap when it is used for files that will be synced or stored in the cloud. Encryption programs that create encrypted “volumes” (files that contain encrypted files) do not change the size of the volume (container file), and often – intentionally – do not change the modified date of the volume, even though files in the volume have been changed or added. The result can be that your cloud service does not recognize that the volume file has changed, and will fail to update the online copy.
TrueCrypt is an example of an encryption program that does not change the modified date of volume files (the encrypted file container). However, some cloud backup services – Dropbox for example – check the hash value of volume files, not the date, and if that changes Dropbox stores the latest copy of the volume file. If you’re using Dropbox, that makes TrueCrypt an excellent way to implement client-side encryption for your most sensitive files. SkyDrive monitors the modified date – not a hash value – so TrueCrypt volumes are not updated in the cloud by SkyDrive after their content changes client-side.
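To see the sync trap concretely, here is an added example (not code from the original post or from TrueCrypt) that models the two change-detection strategies the text describes, a date/size check and a content-hash check, against a constructed container file that is edited in place with its modified date put back. The `touch_after_dismount` helper is a hypothetical mitigation for date-based clients.

```python
import hashlib
import os
import tempfile
import time

def fingerprint(path):
    """(mtime_ns, size, sha256): the signals a sync client may compare between scans."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = os.stat(path)
    return st.st_mtime_ns, st.st_size, h.hexdigest()

def changed_by_date(before, after):  # date/size check, as the text describes SkyDrive doing
    return before[0] != after[0] or before[1] != after[1]

def changed_by_hash(before, after):  # content-hash check, as the text describes Dropbox doing
    return before[2] != after[2]

def update_volume_in_place(path, offset, new_bytes):
    """Overwrite bytes inside a fixed-size container, then put the original modified
    date back, mimicking a volume tool that keeps size and date unchanged on purpose."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(new_bytes)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))

def touch_after_dismount(path):
    """Hypothetical mitigation for date-based clients: advance the modified date once the
    volume is closed, by at least 1 ms so coarse filesystem timestamps still move."""
    st = os.stat(path)
    os.utime(path, ns=(st.st_atime_ns, max(time.time_ns(), st.st_mtime_ns + 1_000_000)))

def demo_sync_trap():
    with tempfile.TemporaryDirectory() as d:
        vol = os.path.join(d, "secrets.tc")  # constructed sample container, random filler
        with open(vol, "wb") as f:
            f.write(os.urandom(4096))
        before = fingerprint(vol)
        update_volume_in_place(vol, 1024, os.urandom(512))  # edit "inside" the volume
        after = fingerprint(vol)
        touch_after_dismount(vol)
        touched = fingerprint(vol)
        return {
            "date_sees_update": changed_by_date(before, after),    # False: the trap
            "hash_sees_update": changed_by_hash(before, after),    # True
            "date_sees_touch": changed_by_date(before, touched),   # True with mitigation
        }
```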
“With encryption use increasing, it prompts the need to better control and unify the management of data and policies, while reducing capital and operational costs,” he said. “These are weighed down by disparate encryption technologies arising from varying security, compliance and risk requirements.”
Standardizing the way data is encrypted in data centers will contribute to reducing costs. “Through the ‘crypto-as-an-IT-service’ model, organizations can deploy highly secure and standardized crypto services to individual business units, while ensuring protection, control, and governance of data, as well as cost efficiency,” he added.
Some of the technologies accelerating the transition to encryption as a service (EaaS) include hardware-based encryption key storage, centralized data protection schemes for applications, databases, storage and virtualized environments, and role-based access controls. These next-gen technologies are aimed at improving the encryption solutions available at the data center level.
New capabilities for data centers
Encryption involves two parts: algorithms to scramble the data and keys to unscramble it. EaaS involves centralizing the problematic part of encryption: key management. It aims to make cryptographic functions more easily available, both within a network and in cloud environments.
“Enterprise customers want to ensure that nothing leaves their data center without being encrypted and they want to keep control of that encryption by generating and storing their own keys,” said Andres Rodriguez, CEO of U.S. based enterprise storage company Nasuni. “They also want to make sure whatever access control is in place remains in place. This is only possible when dealing with pure data — so storage as a service — and not with complete applications as in software as a service.”
Traditional methods of handling encryption keys become unwieldy if not impossible in this situation because using cloud-based service solutions potentially means sending unencrypted information to the cloud software, and retrieving it in the same way.
“When delivering software as a service customers must trust the people and processes in their service provider,” said Rodriguez. “This security model is not nearly as robust as the cryptographic protection that can be applied to pure data.”
In other words, if users at your company are relying on cloud-based software for processing sensitive data, you can keep it safe by managing the encryption at the data center level. Nasuni’s technology, for example, allows companies to use cloud storage but still encrypt data at their premises with keys they generate themselves.
“The Nasuni storage services allow companies to tap into the cloud’s access to elastic storage capacity, with a built-in data protection model and the power to synchronise data globally,” Rodriguez added. “That’s a big change that makes the cloud enterprise-ready and brings some extraordinary new capabilities into data centers.”
Next gen storage solutions
The Nasuni solution looks just like another file server to users and, because the most frequently accessed files are also stored on site, performance is no different. Storage as a service offerings make use of the best of the cloud: unlimited storage, no requirement to back up, and the ability for multiple sites to access the same storage volume without resorting to complicated replication schemes or WAN accelerators.
Next gen storage solutions that include encryption technology also add in peace of mind.
“With crypto as a service you don’t need to worry,” said Gonen. “You throw data at it and it does all the key management and key backups. It’s all done centrally. All the user needs to know is what data to protect and who needs to be given access. People have been afraid of encryption for a very long time, so the ‘as a service’ model makes it easier for them to consume.”
“Great security is about the transparency of the implementation,” said Rodriguez. He advises looking for products that are based on rigorously tested solutions. “OpenPGP benefits from having had some of the best security minds in the world peer reviewing its specification for the last two decades.”
Enterprise networking and encryption are slowly converging and it will be interesting to see how the disciplines overlap over the next few years. “The last few years have been great; encryption suddenly became cool,” said Gonen. “This is the next generation of information security.”
Elizabeth Harrin is Computer Weekly’s IT Professional Blogger of the Year 2011. She is also director of The Otobos Group, a business writing consultancy specializing in IT and project management. She’s the author of “Social Media for Project Managers” and “Project Management in the Real World.” She has a decade of experience in IT and business change functions in healthcare and financial services, and is ITIL v3 Foundation certified.