Why Client-Side Encryption Is the Next Best Idea in Cloud-Based Data Security
by Tunio Zafer, CEO at pCloud
Data security is a top-of-mind concern for both consumers and business users. In today's always-on digital climate, the complex and constantly evolving range of security threats is intimidating, leading many of us to consider whether or not our data can ever truly be safe from theft or loss.
High-profile data security breaches haven't helped. From Edward Snowden's leak of classified NSA documents to the 2014 celebrity photo hack to the now infamous data breach at Sony, a steady stream of ominous media stories only reinforces our collective belief that real data security is more fantasy than reality.
Although it may be impossible to ever completely guarantee protection from potential data loss, client-side encryption is emerging as a viable alternative to end-to-end encryption and other less robust technologies, equipping today's personal and business users with the highest possible level of security for sensitive data and files.
Why We Need More Secure Cloud Storage Options
Historians mark the 1963 assassination of President John Kennedy as a turning point in America's collective consciousness. In many ways, the Kennedy assassination shattered the sense of safety, security and optimism that the Camelot myth represented, opening the nation's eyes to new realities and leaving apprehension and mistrust in its wake.
Something similar has happened over the past several years in the data security realm. Although the possibility of security breaches has always been a concern, it was an issue that many businesses and Internet users relegated to the back burner—an out-of-sight, out-of-mind issue that rarely warranted a closer look.
However, a string of high-profile security breaches dispelled the illusion of security in the Digital Age, leading many of us to wonder how secure our data and files really are.
The Sony Leak
One of the most highly publicized security breaches of 2014 happened in November, when Sony was targeted by a group of hackers who identified themselves as "Guardians of Peace." The breach was widely believed to have been the work of North Korea in response to The Interview, a Sony film that depicted the assassination of North Korean leader Kim Jong Un.
Stolen data included cuts of films in production and company emails that were subsequently leaked online. These emails contained sensitive email communications between Sony Pictures chair Amy Pascal and producer Scott Rudin—the content of which led Sony to fire Pascal in early 2015.
While the Sony hack ultimately generated significant publicity for The Interview, it also raised concerns among the general public: if a large corporation like Sony can't prevent its files from being stolen, how can everyday consumers reasonably expect to prevent unauthorized access to their private files?
The Dropbox Breach
Dropbox is a popular file hosting service that millions of personal and business users rely on to share and store files. But over the past few years, Dropbox has suffered from several security breaches—most recently in October 2014 when a Reddit thread revealed logins for a large number of Dropbox accounts.
The hacker claimed to possess login access to approximately 7 million Dropbox accounts, which would be leaked in exchange for bitcoins. Dropbox denied responsibility, shifting blame to third-party service providers. However, for many users, the damage had already been done.
Because Dropbox uses end-to-end encryption—which I'll explain in more depth later—users run the risk of putting their shared files in the hands of third-party vendors. Though it's promoted as a "safe" option for cloud storage users, end-to-end encryption is not enough. The latest Dropbox breach demonstrated the vulnerabilities that continue to exist, even in services that place a high value on the security of users' personal data and files. When passwords and logins are archived on the server side of the exchange, it may be impossible to ever completely neutralize the potential for unauthorized access and data loss.
The Celebrity iCloud Scandal
One of the more salacious high-profile data breaches occurred in September 2014 when nude photos of multiple celebrities started to make their way across the Internet. Further investigation revealed that the photos were stolen from the celebrities' iCloud accounts, but Apple was quick to deny blame, claiming that no one had hacked its system.
It eventually emerged that Apple and iCloud accounts lacked security measures against brute-force attacks, in which hackers simply guess at account passwords until they gain access to stored files. Although Apple already provided a two-step verification process for devices, it was difficult to access and rarely enabled by users. Not long after the photos went viral, Apple released a major security patch to address the problem.
The celebrity iCloud breach caused many famous and not-so-famous Apple users to second-guess the security of images and files stored in the cloud, and highlighted the weaknesses that continue to plague services that rely exclusively on end-to-end or server-side encryption techniques.
The JPMorgan Chase Attack
In the autumn of 2014, one of the nation's largest financial services firms, JPMorgan Chase, made news when it was revealed that the company had been the victim of a wide-scale cyberattack, resulting in the loss of data for 76 million households and 7 million businesses.
While JPMorgan Chase insisted that only names and contact data (rather than account numbers or passwords) had been compromised by the attack, it was later disclosed that hackers gained unauthorized access to data by exploiting a single employee's password.
The truly alarming aspect of the JPMorgan Chase security breach was the amount of havoc cybercriminals could create by gaining access to just one employee account. While the incident had serious implications for financial sector firms, personal and business users saw it as yet another example of the vulnerabilities that exist in many of today's most critical security mechanisms.
The Snowden Incident
No discussion of high-profile security breaches would be complete without mentioning the NSA (National Security Agency) security scandal. In 2013, Edward Snowden, an NSA security contractor, allegedly stole 1.7 million intelligence files and leaked 50,000-200,000 top-secret NSA/GCHQ (Government Communications Headquarters) documents online.
The leaked files created shockwaves because they showed that US and UK intelligence agencies were engaged in widespread online surveillance. Snowden is currently living in an undisclosed location in Russia, but denies that the number of files he stole is anywhere near the government's 1.7 million estimate.
Nonetheless, the Snowden incident had several implications for consumers and business users. In addition to further demonstrating the existence of holes in data security (even for the nation's most security-conscious agencies), the release of NSA data raised alarms by demonstrating the government's willingness to conduct surveillance on individuals' files and online activities.
It's important to note that the above security breaches are not isolated examples, but rather evidence of a growing trend of incidents that underscores the vulnerabilities of common security processes and protocols. Whenever data and passwords are transmitted between devices or servers, the potential for a breach of files and data will always exist.
At the same time, the demand for truly robust data security is at an all-time high for both private and business users. Now more than ever, users need technologies that deliver peace of mind when it comes to the security of sensitive files and data—and that's where client-side encryption enters the picture.
Client-Side Encryption vs. End-to-End Encryption
The high-profile hacks at Sony and other organizations shine a light on the fact that improved server protection is a serious concern for anyone who stores data, files and photos in the cloud. Historically, service providers have relied on end-to-end encryption to protect data and files, a strategy that is coming under increasing scrutiny as a less-than-optimal way to protect sensitive information from unauthorized access.
End-to-end encryption technology is designed to provide uninterrupted protection for the transmission of data between two parties. Data is encrypted on the sender side, in a manner that can only be decrypted by the receiving party. The process does not require the involvement of a third party, ensuring that data and files are only readable by intended recipients. While end-to-end encryption protects data during the exchange between users and cloud-based service providers, it's still possible for servers to access and view stored files.
Client-side encryption is an advanced, asymmetric cryptography method in which data is encrypted before it is transmitted to servers in a network. Unlike end-to-end encryption, client-side encryption features a passphrase that is not available to the servers, making it impossible for service providers to decrypt hosted data. In essence, client-side encryption is a zero-knowledge application that insulates stored data and files from server-side access.
Client-side encryption is widely recognized as an exceptionally robust data security strategy. By eliminating the potential for data to be viewed by service providers (or third parties that compel service providers to deliver access to data), client-side encryption ensures that data and files that are stored in the cloud can only be viewed on the client side of the exchange. This prevents data loss and the unauthorized disclosure of private or personal files, providing increased peace of mind for personal and business users.
Another way to approach client-side encryption is by considering the security of your personal residence. You have a physical key that provides access to your home and the valuables it contains. If you are the only person that has a key to your home, then your valuables are completely secure—no one else can gain access to your home because the key remains solely in your possession.
Now let's suppose that you give a trusted friend a key to your home, too. Although you believe that your valuables are safe, you can never be completely confident in the security of your possessions. If the key is stolen from your friend or if someone forces your friend to give them the key, your possessions could be compromised. In a different scenario, your friend could even enter your home without your permission.
End-to-end encryption is similar to giving someone else a key to your home. Even if you trust the service provider, you can never be completely confident that your data and files are protected from unwanted intrusion. Client-side encryption presents a more secure option because you are the only party with a key (password) to your most valuable possessions (data, files and photos).
The Benefits and Limitations of Client-Side Encryption
For many users, client-side encryption offers a dramatic improvement over traditional, end-to-end encryption models because it ensures the security and integrity of files, photos and sensitive data.
Some of the benefits of client-side encryption include:
Stronger Cloud-based Storage
Client-side encryption clearly enhances users' ability to protect data and files. By denying viewing access to servers and service providers, client-side encryption ensures that the data and files that are stored in the cloud remain private, eliminating the possibility that sensitive information or photos can be accessed, stolen or leaked. For example, client-side encryption could have made a significant difference in the Sony leak, preventing the theft of unreleased films and the avalanche of negative publicity generated by Sony executives. Likewise, client-side encryption could have protected the individuals who were caught up in the celebrity iCloud scandal, ensuring that their private photos remained private.
Protection from Third-Party Access
Another significant advantage of client-side encryption is that it insulates users from third-party access. In addition to cloud-based storage service providers, hackers or even government agencies could potentially view the information contained within the user's files when data is protected with traditional encryption. But since hackers and service providers lack a passphrase, client-side encryption makes sure that stored data remains private. With client-side encryption, service providers are unable to deliver access to data—even if they are legally compelled to do so.
During the course of the Snowden case, it was revealed that the NSA and other government agencies routinely engage in online surveillance activities. Whether Snowden's actions were lawful or not is irrelevant; the simple fact that government agencies can (and do) view the Web-based data and activities of law-abiding users is enough to warrant consideration for client-side encryption technology.
Security for Lost or Stolen Devices
Lost or stolen devices are a constant concern for personal and business users. Like end-to-end encryption, client-side encryption enables the owners of lost or stolen devices to retain access to data that is stored in the cloud, and the ability to reset passwords helps ensure that personal, cloud-based files don't fall into the wrong hands.
But the most sophisticated client-side encryption technologies also enable users to encrypt data that is stored on their devices, further strengthening the security of photos, files and information. Whether data lives on the user's device or in the cloud, users have the flexibility to protect it with the same, robust encryption model.
But despite these benefits, client-side encryption is not the right data security strategy for every user or situation. In fact, there are certain situations in which client-side encryption can actually be detrimental to data access and file sharing.
Some of the limitations of client-side encryption include:
Reduced File Sharing Capabilities
Client-side encryption is not an appropriate data security strategy for all types of files and scenarios. Since only the user possesses the passphrase for decrypting data, it can be difficult to share files with other users. This can be especially cumbersome for the sharing of non-sensitive files or photos with friends, family and business teams.
Cloud storage should ultimately be treated like a virtual safe. Although many of us wisely store our most valuable possessions in safes or vaults, it doesn't make sense to keep everything we own locked in a secure, steel box—it just wouldn't be practical for retrieving everyday objects. Likewise, it's important to discriminate about the types of files and data that are protected with client-side encryption. The inability to conveniently share certain types of files may disqualify them for this level of security.
Non-Recoverability of Lost Passphrases
The other major limitation of client-side encryption is that unlike other encryption methods, it does not allow for the recovery of lost or forgotten passphrases. Client-side encryption is built around a simple premise: if you have a way to recover your data without a passphrase or private key, it means that your service provider potentially has access to your files.
Since most people are used to being able to recover lost passwords, client-side encryption requires a different mindset. Passwords take on a new level of importance based on the fact that a forgotten passphrase means that users no longer have access to encrypted files and data.
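The zero-knowledge property described earlier and the non-recoverability described here come from the same design choice, shown in this added example (not from the original article or from pCloud). It assumes Node.js and a passphrase-derived symmetric key (scrypt with AES-256-GCM); the article names no algorithms, and the function names and sample values are constructed for illustration.

```javascript
// Added example, not pCloud's code. Assumption: scrypt + AES-256-GCM as the primitives.
const crypto = require('node:crypto');

// Client only: stretch the passphrase into a 256-bit key. The salt is not secret.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Client only: encrypt before upload. The returned record is all the server stores.
function encryptForUpload(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // fresh per file; never reuse with one key
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Client only: decrypt after download. Returns null if the passphrase is wrong
// or the stored record was modified (the GCM tag check fails in final()).
function decryptAfterDownload(passphrase, record) {
  const key = deriveKey(passphrase, record.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.nonce);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
  } catch (err) {
    return null; // no recovery path exists: the key was never uploaded
  }
}

// Constructed sample input.
const SAMPLE_PASSPHRASE = 'constructed-sample-passphrase';
const SAMPLE_FILE = Buffer.from('constructed sample: contents of a private file');

function demo() {
  const stored = encryptForUpload(SAMPLE_PASSPHRASE, SAMPLE_FILE);
  const owner = decryptAfterDownload(SAMPLE_PASSPHRASE, stored);
  const guess = decryptAfterDownload('a-forgotten-passphrase-guess', stored);
  return {
    serverFields: Object.keys(stored).sort(),
    ownerRecovers: owner !== null && owner.equals(SAMPLE_FILE),
    wrongPassphraseRecovers: guess !== null,
  };
}

console.log(demo());
```

The stored record holds only the salt, nonce, ciphertext and tag, so the provider has nothing from which to rebuild the key or offer a reset.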
The risks associated with cloud-based data storage aren't going away. If anything, they are growing at an exponential rate as hackers and cybercriminals push to discover new ways to exploit vulnerable systems and accounts. End-to-end encryption and other traditional encryption techniques served a purpose, but consumers and business users are increasingly aware of the need for more robust security options.
Client-side encryption meets this need by creating a zero-knowledge environment for cloud-based data storage. Armed with an advanced client-side encryption solution, today's digital users can confidently archive personal and private information, files and photos online, knowing that they are the only people who can decrypt their files.
However, the need to conveniently share low-risk files and data with other users means that client-side encryption shouldn't be seen as a substitute for other data security technologies. Instead, client-side encryption should be viewed as an additional tool that personal and business users can rely on to achieve a significantly higher level of protection for their most important data, files and photos.