Cloud Storage and the Zero Knowledge Myth
Ever since the Snowden revelations, there has been a lot of talk about encryption as a means to thwart unwanted snooping, both from governments and private interests. We've had encrypted communications for so long now that most people take it for granted. A simple "https" in a browser URL is enough to assure most people that a site is "secure". However, post-Snowden, the conversation about Internet security in the cloud era has turned towards storage encryption - specifically, how to assure that information remains confidential while it is in the possession of another party.
Big tech companies have gone to great lengths to reassure their users that their data is safe. Pick a cloud service at random, chances are their website has some kind of security explainer page which describes all the measures in place to protect user data. Encryption has become a magic word in this context - "hey don't worry about a thing, we use ENCRYPTION!"
Of course, any security professional will tell you that encryption has little value if you don’t control the decryption keys, and so the transparent, under-the-hood encryption offered by a lot of service providers will be decried as worthless by many people.
This stance has prompted some players in the market to implement security mechanisms they claim will prevent them from ever accessing user data, even if they wanted to (or were compelled to). They use buzzwords like "zero knowledge" to give the impression that their claims are backed by hard mathematics, when in reality what they're selling is little more than snake oil.
For anyone unfamiliar with the term "zero knowledge", in cryptography it refers to being able to prove you know a secret without revealing anything except the fact that you know it. When cloud service providers talk about zero knowledge they are usually being loose with the definition. They use it to describe encryption and decryption that happens on the user's computer rather than on their servers, so that they have "zero knowledge" of the decryption keys.
It's a nice idea, a security blanket for anyone who is particularly paranoid about the confidentiality of their data. Here's the thing though, in the context of cloud computing, zero knowledge is a myth.
That's a pretty bold statement for anyone who works in cybersecurity to make, but I'm going to go even further. I assert that if you're doing cloud security the right way, zero knowledge encryption is unnecessary. I'll go farther still, and say that if you happen to disagree, you fundamentally misunderstand cloud computing as a concept.
So, now that I've dug myself a nice deep hole, do I care to try to climb out of it?
Consider this: the need for zero knowledge encryption is based on the assertion that the service provider cannot be trusted. However, in cloud computing, the entire security model is predicated on trust, because ultimately, that's all you have. If you don't trust the service provider not to misuse any data you store on their servers, why would you trust their client software to run in your browser or install on your computer? The zero-knowledge model cannot work in a cloud computing environment because it depends inherently on trust which it asserts does not exist in the first place.
It's also worth asking: if you cannot trust the service provider, why use their services at all? Because cloud storage is cheap? Because cloud storage has better redundancy and availability? Justification along these lines implies trust in the service provider's ability to preserve availability (and, to a lesser extent, integrity), but not confidentiality. Aside from the inconsistency in this reasoning, there's a point to be made that if your data is so sensitive that you don't think your cloud service provider's internal controls are good enough, perhaps the cloud isn't the right place for it.
So, what is the "right way" to do cloud security? It starts with accepting that by choosing to use cloud services at all, you are surrendering control of your data, and that your security strategy needs to adapt accordingly. Fundamentally, adopting cloud services means placing your trust in the internal processes and controls of the service provider - your security strategy should reflect that. Stop thinking of the service provider as an adversary and engage them as a trusted ally. I'm not suggesting that all service providers are trustworthy - it's up to each organisation to evaluate and determine whether they trust a provider or not. My point is that if you can't get past the issue of trust to begin with, then your security strategy is doomed from the start.
Security hardheads will probably say my opinion here is naive or short-sighted, but really, trust as the keystone of security strategy is nothing new. Outsourced IT and co-location hosting carry essentially the same risks as using cloud services; the only difference is that cloud has abstracted the service even further from the underlying infrastructure. If you were OK with outsourced IT, you can't realistically object to using cloud services on security grounds.
Ultimately, cloud computing is the future for cybersecurity, and for business IT in general. If we're going to be effective as cybersecurity professionals, we need to make sure our security mindset is aligned with the ways business wants to use cloud, rather than using that mindset to constrain the way cloud is used. If we do not, we will be back where we were 10 years ago: eternally branded as blockers of innovation and fighting against users constantly trying to circumvent our efforts.
I agree with your conclusion that you have to trust your cloud provider; it's really in their interests to make you as secure as possible. I'd go further to say that if your company has enough budget to go to the cloud, you should include cloud security training for some of your staff as part of that cost. Cloud security issues can be non-obvious, and different from on-prem setups, so it seems reasonable to train your team if you want to catch them.