Dropbox Password Shutoff Highlights Importance of Proper Data Encryption

Competing cloud file storage providers are scrambling to woo disgruntled Dropbox users with promises of secure and private data.

As Dropbox tries to appease irate customers after the weekend debacle where it accidentally turned off passwords to all user accounts, debate rages about the security of the encryption scheme used to protect data on cloud services.

It's not "surprising" that companies embrace online storage solutions such as Dropbox because they are very convenient and allow companies to expand storage capacity easily, Bassam Tabbara, CTO and co-founder of online storage company Symform, told eWEEK. However, the Dropbox incident should act as a reminder for organizations to "carefully evaluate" how safe their data really is.

Tabbara recommended that data should be encrypted before it leaves the enterprise. Dropbox relied on server-side encryption, which meant the files were encrypted in the cloud, not locally. Even though the file transfers themselves were encrypted as Dropbox used HTTP over SSL, having the keys on the server meant the cloud provider has ultimate control over the data, not the user.

Key management is "too complex" to push down to the user, Mushegh Hakhinian, a security architect at cloud provider IntraLinks, told eWEEK. "It sounds good on the surface for end users as they get full control but inevitably it means that they take on additional costs and responsibilities," Hakhinian said.

There needs to be a layered approach, where master keys are used to protect other keys used to encrypt user data, Hakhinian said. More importantly, the company has to ensure those keys are securely stored in a data center.

Wuala, an online storage service provided by external storage company LaCie follows a layered approach advocated by Hakhinian. "Encrypting your files before they are sent to the cloud makes Wuala inherently more secure than solutions that rely on server-side encryption," Luzius Meisser, CTO of Wuala, wrote on the company's blog June 21. However, Meisser shies away from claiming this system is "100 percent secure."

"If the user chooses an easily guessable password like '12345,' security is somewhat limited," Meisser told eWEEK.

That's because Wuala derives a master key from the username and password to encrypt a file stored on Wuala's servers. The file contains a list of all the encrypted files belonging to the user as well as its unique key. The master list is encrypted with a master key. All Wuala has is a file that's already encrypted with the master key, which is generated from the user's local machine each time the user logs in, Meisser said. Wuala doesn't store passwords on the server and it's not stored as a cookie locally, so there's no way for anyone to access the information stored on the servers without correct login credentials, Meisser said.

"We couldn't expose our users' data to others (neither accidentally nor intentionally)," Meisser said.

Problems like what happened with Dropbox aren't an issue with services like Wuala because the files are already encrypted on the user's local computer before it is uploaded onto Wuala's servers, Meisser said. If an unauthorized user ever accidentally stumbles into a Wuala account, the files are encrypted and inaccessible.

Organizations are increasingly using services such as Dropbox, typically driven by employees who also use it at home and want a way to securely move data back and forth, Geoff Webb, a product manager at Credant Technologies, told eWEEK. Dropbox and similar services are useful, but organizations should never rely on controls put in place by a third-party for their security, Webb said.

Organizations should understand how the data is encrypted, which keys are used and what will be compromised if the key is lost, Tabbara said. Hakhinian agreed, noting that many providers claim to have implemented "military grade AES-256 encryption" but all its means is that "they are merely smart enough to do basic research and to call out crypto-APIs of the language they use for coding."

"Find a vendor with properly implemented cryptography," before entrusting them with the organization's data, Hakhinian said.