What Makes Cloud Storage Secure?



Key Takeaways

  • Encrypting data only at rest and in transit poses security risks, since the data can be read while it is unencrypted on the provider’s server.
  • End-to-end encryption prevents your data from ever being read by hackers or the cloud service provider.
  • Zero-knowledge encryption keeps passwords secure, thus limiting access to your personal data.



If you’re shopping for cloud storage, chances are you want a provider that keeps your files secure. What should you look out for when choosing a secure cloud storage provider? We go over a few things to keep in mind while shopping.

Note that when we say “secure,” we mean that your files are safe from outside attacks, as well as from snooping by the provider itself. Sadly, not all cloud storage is created equal and finding a service that respects your right to security and privacy isn’t as easy as you may think.


“Secure” Cloud Storage

Many cloud storage platforms will try to get your business by claiming they’re secure because they’re using “military-grade encryption.” That sounds very impressive, but it just means that they’re using AES-256, an encryption algorithm that has been approved for use by the United States government, in conjunction with SSL/TLS, which is used for almost all internet traffic.


At the time of writing, AES-256 hasn’t been broken, can’t be brute-forced in any practical time frame, and thus, is a great algorithm to use. However, it’s often presented as being special somehow, while pretty much anybody can implement it, and they often do. It’s used by all kinds of services and apps to scramble information, from cloud storage to VPNs.

Data at Rest and in Transfer

What matters much more is when your data is encrypted. Many cloud storage providers, maybe even a majority, use a two-step process. When you send data from your hard drive, they will use SSL/TLS to encrypt your data in transit, then once it arrives on their servers, decrypt it and re-encrypt it for storage using AES-256. When you download data, this process is reversed.


This may seem like a good idea at first glance, but there is an issue: for a brief time, your data is not encrypted while on the service’s server. This means that they can see what you’re storing and even access the files. If you’ve ever gotten in trouble with a cloud storage service for uploading copyrighted material (Google Drive is notorious for this), this is because they snooped.

Of course, we’re not going to make a stand for copyright violators, but this security architecture can be a serious issue if the provider is compromised in some way. If a cybercriminal were to have access to their servers, they’d have access to your files. There is a way to fix this, though.

End-to-End Encryption

The answer comes in the form of end-to-end encryption, which you’ll sometimes see referenced as E2EE. As the name suggests, this process encrypts your data from one end of the download/upload pipeline to another. Your files are encrypted on your hard drive and stay that way during transit and at rest until they’re back on your hard drive again.


When using end-to-end encryption, at no point can any unauthorized person access your files. If your provider somehow does experience a breach, all any hacker will find is a bunch of encrypted data which is useless without the password.

When it comes to both security and privacy, end-to-end encryption is much better than the encrypt-then-decrypt-again method. There doesn’t seem to be a good reason why the latter is still used, besides letting the provider keep an eye on its customers’ files, though there are indications that it’s less resource intensive.

Zero-Knowledge Encryption

Another important aspect to cloud storage security is something called zero-knowledge encryption, sometimes referred to as zero-knowledge access. Zero knowledge in this case means that the service you’re using doesn’t know what your password is.


This means that at no point can anyone from that service access your encrypted files. More importantly, even if there is a breach, your password can’t be leaked because nobody knows it. It’s a great system, but does have a downside: you can’t reset your password. Always make sure you use a password manager when creating an account with a zero-knowledge service, or you risk getting locked out permanently.

Keeping Your Files Safe

Between end-to-end encryption and zero-knowledge access, you can rest assured that your files will be safe while in the cloud. When choosing the best cloud storage, it pays to make sure that the provider you choose offers both. After all, they’re your files. Nobody else should be looking at them.

You could always manually encrypt your files before you upload them, if you need to use a service that doesn’t offer E2EE, though it does add several steps to the process.
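
As an added example (not part of the original article), here is one way to do that manual step with the OpenSSL command-line tool, so the provider only ever stores ciphertext and never sees your passphrase. It assumes OpenSSL 1.1.1 or later; the function names and the iteration count are illustrative choices.

```shell
#!/bin/sh
# Added example: encrypt locally with AES-256, upload only the ciphertext.
# Assumes OpenSSL 1.1.1+ on PATH. Function names are hypothetical.
#
# Usage:
#   encrypt_for_upload     'passphrase' report.pdf report.pdf.enc
#   decrypt_after_download 'passphrase' report.pdf.enc report.pdf

KDF_ITER=600000   # PBKDF2 rounds (assumed value; raise it if your machine allows)

# encrypt_for_upload PASSPHRASE PLAINTEXT_FILE CIPHERTEXT_FILE
encrypt_for_upload() {
    # The passphrase goes in on stdin, so it never appears in the process
    # list. A random salt is generated and stored in the output file.
    printf '%s\n' "$1" | openssl enc -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" \
        -salt -in "$2" -out "$3" -pass stdin || return 1
    # "openssl enc" gives confidentiality only, not tamper detection.
    # Record a SHA-256 of the ciphertext; keep this file on your own
    # machine and do not upload it.
    openssl dgst -sha256 -r "$3" | cut -d' ' -f1 > "$3.sha256"
}

# decrypt_after_download PASSPHRASE CIPHERTEXT_FILE PLAINTEXT_FILE
# Returns 2 if the downloaded ciphertext no longer matches the local digest.
decrypt_after_download() {
    want=$(cat "$2.sha256") || return 1
    got=$(openssl dgst -sha256 -r "$2" | cut -d' ' -f1)
    if [ "$want" != "$got" ]; then
        echo "ciphertext changed while in storage, refusing to decrypt" >&2
        return 2
    fi
    # Same cipher and KDF settings as encryption; the salt is read back
    # from the file header. A lost passphrase cannot be recovered.
    printf '%s\n' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" \
        -in "$2" -out "$3" -pass stdin
}
```

As with a zero-knowledge service, there is no reset: store the passphrase in a password manager.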


