Can consumer-grade data storage products offer the protection enterprises need to ensure sensitive corporate data is safe?
That’s the question some IT professionals asked amid reports that two researchers were able to infiltrate code for file-hosting service Dropbox, with some experts emphasizing encryption key ownership as a critical sticking point in true cloud security.
Researchers Dhiru Kholia and Przemysław Węgrzyn released a whitepaper at the USENIX security conference in August detailing how they were able to reverse engineer the Dropbox client, despite the prior belief that this was not possible.
Once they had access to the Dropbox code, the pair was able to “bypass Dropbox’s two-factor authentication and hijack Dropbox accounts,” they wrote, giving them access to user files.
While Dropbox has released a statement disputing that its client is vulnerable, data security experts say the real issue at hand is encryption key ownership. Steven Sprague, CEO of data security firm Wave Systems, told eWeek that encrypted files stored by Dropbox can still be accessed by the vendor, which retains ownership of the encryption key.
“The fact that they are stored encrypted is of no value if the keys are owned by Dropbox,” Sprague told the news source.
Geoff Webb of NetIQ agreed with this contention, explaining, “you can’t be sure of who has access to the keys themselves, and if the keys are compromised, the encrypted data is no longer protected.”
For IT managed services providers selling storage to business customers, the issue speaks to the value of being able to offer an online data storage solution with true private key encryption.
Intronis, for example, offers MSPs the option to protect files with a 256-bit AES private encryption key that is never stored in our data centers or transmitted over the internet. With this offering, we are unable to access or view the content of the data stored in our facilities, and as the service provider to your clients, only you retain a copy of the private key that encrypts and unlocks these files.
That could be a key selling point to risk-averse IT buyers who are skittish about cloud backup amid reports of security breaches with major public cloud and consumer-grade vendors. In the end, channel businesses armed with secure solutions are best able to ease enterprises’ fears regarding cloud security.