Professional file sharing reloaded (why dual key encryption?)

YobiDrive Key has been available since last week on Apple’s App Store and on Google Play. This is a new and fun way to access cryptographically protected data in the cloud, starting with professional file sharing.

As stated in ESG’s analysis “Online File Sharing and Collaboration in the Enterprise”, data security and privacy concerns are the number one factor preventing wide-scale adoption of public cloud computing services. But how do we get the expected data privacy in cloud storage, file sharing or other cloud-based services?

This brings us to our key concept: “confidentiality by design”

Most cloud services are developed on the same pattern:
– User identity is verified at the “entrance”, that is at sign-in time, either weakly (user/password) or strongly (strong authentication with crypto token, SMS, …)
– Once identified, the user accesses resources based on his identity.

This means that if for any reason the front authentication is bypassed, anybody gets access to your data. OK, there is the SSL/TLS connection, which secures the communications. Hard to break. But the password is often a weak point, and strong authentication is not so common. But most of all, your data can be reached from the inside, and that’s the main cause for concern.

“Nobody will read your data, we have strong policies and tons of certifications”. Sure? I will ask you a couple of questions, not about professional file sharing nor cloud storage, but about life, friends, and your bank.

Question 1: Do you have a bank account?
I guess yes. This was the easiest one.

Question 2: Do you have friends?
I hope so. At least you have neighbours, relatives, friends of neighbours. So if you don’t know so many people, for sure many do know you.

Question 3: Do you have friends, or at least people who know you, working at the bank?
Probably yes. That’s basic statistics.

Question 4: Look me right in the eyes (I know, a difficult exercise via a blog post, but try to picture it) and swear those “friends” never had a look at your account.

“This never happens!”. Of course…

OK. You see my point? Confidentiality is not only a matter of policies and certifications, it is also a matter of how difficult and how visible it is to breach them.

Cloud storage and lines on your account follow the same rules: without a device that enforces confidentiality, there is no true confidentiality. The bank has had such a device for years. It is powerful, small, light, and it has been made better and better over the years:

It is called a key.

The key of your safe is a confidentiality enforcement device (you will never look at your key the same way, uh?), and your safe is the only really confidential place in the bank, because two keys are required, and the bank doesn’t have the second one, but you do. The same principle applies to secured file sharing, online storage or any business – or consumer – app based on off-premises storage: you need to protect data with two keys (in this case those will be encryption keys), so that neither the bank nor you alone can access the data behind the safe door.

Simple stupid, isn’t it?
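
The two-key safe described above, as an added sketch that is not YobiDrive’s code or protocol: it assumes the data key is split into two XOR shares, one held by the user and one by the provider, so that each share alone is random noise. The function names are hypothetical, and the HMAC-based cipher is a stand-in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(data_key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 split: each share alone is uniformly random and reveals nothing."""
    provider_share = secrets.token_bytes(len(data_key))
    return xor(data_key, provider_share), provider_share  # (user, provider)

def combine(user_share: bytes, provider_share: bytes) -> bytes:
    return xor(user_share, provider_share)

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for a real AEAD such as AES-GCM,
    # used only because the standard library ships no block cipher.
    blocks = (_prf(key, nonce + i.to_bytes(8, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(data_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under subkeys derived from the combined key."""
    nonce = secrets.token_bytes(16)
    ct = xor(plaintext, _keystream(_prf(data_key, b"enc"), nonce, len(plaintext)))
    return nonce + ct + _prf(_prf(data_key, b"mac"), nonce + ct)

def open_sealed(data_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(data_key, b"mac"), nonce + ct)):
        raise ValueError("wrong or incomplete key: both shares are required")
    return xor(ct, _keystream(_prf(data_key, b"enc"), nonce, len(ct)))

if __name__ == "__main__":
    data_key = secrets.token_bytes(32)
    user_share, provider_share = split_key(data_key)
    blob = seal(data_key, b"constructed sample document")
    print(open_sealed(combine(user_share, provider_share), blob))
    for name, share in (("provider", provider_share), ("user", user_share)):
        try:
            open_sealed(share, blob)
        except ValueError as err:
            print(f"{name} alone: {err}")
```

The provider stores the sealed blob and its own share; the plaintext only reappears when the user presents the other share, and a share used on its own fails the authentication check.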