"User Defined Encryption" is the only way to keep data private in the cloud.

Recent revelations about data mining have placed the spotlight on the privacy and safety of our data in social networking platforms. Familiar actions for protecting our data online include creating stronger passwords (and changing them frequently), turning on two-factor authentication, checking and adjusting our sharing preferences on platforms regularly, using private browsing mode whenever possible and, last but not least, thoroughly understanding the privacy policies and terms of use of online services before we agree to them and sign up.

However, apparently, all this is not enough to protect our data!! In a recent interview with Recode, in response to the recent Facebook scandal, Tim Cook stated:

“The only way to protect your data is to encrypt.”

The problem of data protection in social networks is complex, to say the least. The overarching goal (and consequent requirement) of such platforms is to share our data with a broad set of people (businesses). So, is encryption a viable solution for such applications? The short answer is NO, not really! In a longer post, I will explain why encryption is not a solution for social networks in general. However, what about our data in the cloud?

As it turns out, even for the humble cloud, Tim Cook’s deceptively simple solution brings up more questions than answers at first. Specifically, consider the following questions in the context of the cloud:

  1. Who are we trying to protect our data from and is encryption the solution?
  2. Who should control our data encryption?
  3. Is encrypted data just as easy to use and share as regular data?

1) Take the first question. In the cloud, we want to protect our data from all sorts of scammers, hackers, phishing agents, i.e., all those “malicious third parties” who should have no business looking into our data. However, we also want to share our data with colleagues, friends, and family.

  • The cloud platforms are, no doubt, better equipped than most of us to protect our data from such harmful third parties! Just look at all the security of the Google Cloud Platform, for instance.
  • Also, applications in the cloud are architected to let us share data with well-defined groups of other users (our colleagues, friends, and family). They often provide sufficiently granular controls to enable access-permission management at per-file/folder level.

Also, there seems to be enough encryption going on in the cloud already!

Given all of the above, we may be tempted to jump to the conclusion that the cloud is already a very secure place for our data! And it is indeed more secure when it comes to protection against malicious third parties.

So, do we still need MORE ENCRYPTION, as Mr. Tim Cook seems to suggest?

The answer is YES, we need more encryption, because our data is not sufficiently protected from the cloud service itself! In other words, our data in the cloud is not very private in spite of all the encryption of data in motion and encryption of data at rest. The platform has full access to all our data at all times.

2) So, how does more encryption protect our data any more than all the encryption that the cloud services have put in place already? The answer lies in the response to the second question above --- “Who should control our data encryption?”

The answer is:

“We, the users of the service, should control our data encryption to ensure true privacy.”

This is the only way to prevent the platform from looking into our data and to keep it truly private. One must realize that the platform has tremendous interest in mining our data. If for nothing else, then just to make the service cater to our needs better, it wants to learn how we access the service and what information we consume, generate, and share!

All this is great, but shouldn’t we have a say in what information is OK to access and what should be left alone? There is a difference between sharing a tax document with your accountant and sharing your 6-year-old’s opinion piece on why springtime is the best season ever with your family. Depending on who you are, you may have widely differing preferences as to which of these documents’ contents are OK to mine and which are not.

As another example, consider a business that uploads a sensitive document detailing a high-value contract or a sales proposal, or an engineering team that collaborates on files containing new chip designs and communication protocols. Shouldn’t the organization and its employees retain the right to tell the platform what information is off limits and what isn’t?

One way to do this would be an easy-to-use “consent granting mechanism”, where the owner explicitly grants the platform the permission to mine the contents of a particular file. However, there are no consent-granting mechanisms that work in this way. Even if a platform like Google came up with such a framework, it will not extend to the other platforms that we often use in conjunction, such as Slack and OneDrive. Platforms talk to each other and exchange data seamlessly all the time, and this creates extreme problems in ensuring a uniform data privacy posture across these diverse cloud-based platforms.

So, lacking a powerful consent-management framework that is universally adopted, the data owner has to take charge of his/her own data privacy -- we should be able to decide which data should be private and inaccessible even to the platforms providing us the service.

Therefore, User-controlled encryption is the most effective way to protect personal data and ensure complete privacy when using cloud platforms.

3) This brings us to the third question -- what about the ease of use and sharing data that is encrypted by the user? Can the data remain usable and shareable even under such encryption?

Luckily, the answer is “YES it can”, for a surprisingly large class of applications. In particular, for file storage, sharing and collaboration platforms like Google Drive, Dropbox, Slack, OneDrive and the like, a “data privacy” service like GarbleCloud makes it possible to preserve functionality while supporting user-controlled encryption of the data. Users of the supported platforms can access, search, share and collaborate on encrypted files and folders across multiple cloud-based platforms, thanks to GarbleCloud’s patented technology. Going even further, GarbleCloud enhances the native capabilities of many of the connected services by extending powerful features of one to another and making them interoperable.

Such technology needs to be user-friendly and robust as well. User-controlled encryption should be as easy as using a password, but be as strong as unbreakable industry-grade encryption.

GarbleCloud’s unique 3-tier encryption key management and sharing framework is architected exactly for this. GarbleCloud gives the user the simplicity of password-based file-locking while delivering industry-grade encryption (AES 256-bit encryption). Sharing of encrypted files and folders is an order of magnitude safer than other services since users are not required to share passwords amongst themselves in order to access encrypted content. GarbleCloud does all the heavy lifting of symmetric/asymmetric key encryption, key sharing, rotation etc., transparently in the background to make sharing seamless and encryption robust.
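The pattern described above (password-based locking, AES-256, and sharing without exchanging passwords) can be illustrated with generic client-side envelope encryption. This is an added example, not GarbleCloud's code or its 3-tier framework, which this article does not detail; the function names and the choice of scrypt, AES-256-GCM and RSA-OAEP are assumptions made for the illustration.

```javascript
// Added illustration of user-held keys; a generic pattern, not GarbleCloud's implementation.
const crypto = require('node:crypto');

// AES-256-GCM; output layout is iv (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Throws if the key is wrong or the blob was modified in storage.
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Owner side: a random per-file key encrypts the data, and a key derived
// from the password wraps that file key. Only `record` goes to the cloud.
function lockFile(password, plaintext) {
  const fileKey = crypto.randomBytes(32);
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(password, salt, 32);
  return { salt, wrappedKey: seal(kek, fileKey), data: seal(fileKey, plaintext) };
}

function unlockFileKey(password, record) {
  return unseal(crypto.scryptSync(password, record.salt, 32), record.wrappedKey);
}

// Sharing: the file key is wrapped to the recipient's public key, so the
// owner's password never leaves the owner's device.
function shareWith(password, record, recipientPublicKey) {
  const fileKey = unlockFileKey(password, record);
  return crypto.publicEncrypt({ key: recipientPublicKey, oaepHash: 'sha256' }, fileKey);
}

// Recipient side: unwrap the file key with the private key, then decrypt.
function openShared(recipientPrivateKey, share, record) {
  const fileKey = crypto.privateDecrypt({ key: recipientPrivateKey, oaepHash: 'sha256' }, share);
  return unseal(fileKey, record.data);
}
```

The storage platform holds only `record` and the wrapped share; without the password or the recipient's private key, neither yields the file key.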

So, all you privacy-loving citizens of the cloud, go ahead and give GarbleCloud a try (sign up with a Gmail account at https://app.garblecloud.com/login) and let us know what you think.

In Conclusion:

- User-controlled encryption is the only viable way to protect the privacy of your data in the cloud, where even the platform cannot look into your encrypted data.

- GarbleCloud’s unique, patented technology makes it possible to preserve (and extend) native functionality of the platforms, such as search and sharing of user-encrypted data, all the while making the experience of protecting your data and working with it online even more enjoyable.