Why Box hasn't solved the cloud encryption conundrum

Cloud security

I have often been accused of sounding like a broken record when it comes to data encryption in the cloud, so you might think I'd be pleased Box has announced the launch of its Beta 'Box EKM' solution. Unfortunately, it takes a lot to please me and this isn't enough.

Enterprise Key Management (EKM) is designed to enable enterprises to "control their own encryption keys, while still leveraging Box's best-in-class content management and collaboration capabilities," the cloud storage firm says. This appears to solve the perennial problem of how the enterprise can maintain control over encryption keys while enabling the kind of collaborative and management functionality demanded of cloud services.

If you want to leverage features like deduplication, search indexing, in-line virus scanning, content previews, and information rights management, then the cloud provider needs access to unencrypted data. Or at least it does until the promise of Homomorphic Encryption (HE) is realised at some point on the technological advances horizon.

So, just how practical, in security terms, is the Box EKM solution?

What Box offers is a system built around the provisioning of hardware security modules (HSMs), which are essentially dedicated key management appliances. The enterprise has full control over the management of these HSMs, provisioned at Amazon Web Services and in its own datacentre, but gives Box a secure connection to them.

Files uploaded to Box are encrypted with a unique key, as usual, but that key is then sent to the HSM, where it is encrypted with the customer's own key. With me so far? The idea is that from this point in the process the enterprise has full control over the decryption keys, and Box is only able to access the files with the customer's approval.

The HSM also provides an audit log of all transactions directly to the customer, so the enterprise can ensure no unauthorised access to data has occurred. Good stuff, right? Possibly, as far as it goes, which isn't far enough, I'm afraid. Unless data is fully encrypted on the client side, the circle of trust cannot be considered unbreakable, because server side questions will always come into play. How that client side encryption impacts upon service functionality is another question, of course, and security always comes down to balancing potential risk against practical realities.

I'm not knocking the security at Box. It does as good a job as any with layered encryption in transit via TLS and multi-layered encryption at rest with 256-bit AES. Its processes are also backed by a raft of content security policies that mitigate data loss by alerting users to unusual download activity or file sharing.

What I am knocking is the idea that Box EKM is some kind of panacea to the data privacy problem, and - in particular - to the 'can the government access my stuff' question.

Box argues it cannot accede to government requests for data access unless the customer authorises it, as it has no access to the encryption keys. Without EKM, such a request could be made and fulfilled without the customer ever knowing, if that otherwise valid request also demanded secrecy.

Here's the thing though: unless the data is encrypted by ME and BEFORE it gets sent anywhere, how can I be 100 per cent sure it is secure? Other cloud vendors actually make a point of having a 'zero knowledge' approach to data privacy: by encrypting data on the client side, the cloud server never sees plaintext and the cloud service never holds the keys, even for a moment.
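To make the difference concrete, here is an added illustration (not Box's code, and not from the original article) of the EKM flow described above beside the zero-knowledge alternative: a customer-held HSM wraps each per-file key and logs every unwrap, and the provider stores only ciphertext plus the wrapped key, yet can still recover plaintext whenever the HSM answers. The `CustomerHsm` and `Provider` classes are hypothetical, and the cipher is a stand-in built from HMAC-SHA256 so the script runs with the standard library alone.

```python
import hashlib
import hmac
import secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher for the demo only (HMAC-SHA256 in counter mode, no auth tag);
    # a real service uses 256-bit AES. Symmetric, so one call encrypts and decrypts.
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        pad = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])

class CustomerHsm:
    """Customer-controlled key store: the KEK never leaves it, every unwrap is logged."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self.audit_log = []      # what the customer reviews for unauthorised access
        self.provider_allowed = True
    def wrap(self, dek: bytes) -> bytes:
        return encrypt(self._kek, dek)
    def unwrap(self, wrapped: bytes, requester: str) -> bytes:
        self.audit_log.append((requester, self.provider_allowed))
        if not self.provider_allowed:
            raise PermissionError("customer has withdrawn the provider's access")
        return decrypt(self._kek, wrapped)

class Provider:
    """Box-like service under EKM: keeps ciphertext plus the wrapped DEK, never the KEK."""
    def __init__(self, hsm: CustomerHsm):
        self.hsm, self.store = hsm, {}
    def upload(self, name: str, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)          # per-file key, as the article describes
        self.store[name] = (encrypt(dek, plaintext), self.hsm.wrap(dek))
    def client_side_upload(self, name: str, ciphertext: bytes) -> None:
        self.store[name] = (ciphertext, None)  # zero-knowledge: no key the provider can use
    def read(self, name: str) -> bytes:
        # Indexing, previews or a government data request all end up here: the
        # provider recovers plaintext whenever the HSM is willing to unwrap.
        blob, wrapped = self.store[name]
        if wrapped is None:
            raise PermissionError("provider holds no key for client-side encrypted data")
        return decrypt(self.hsm.unwrap(wrapped, "provider"), blob)
```

Upload a file through `Provider.upload`, call `read`, then flip `provider_allowed` to `False` and read again: the audit log shows both attempts and the second is refused, whereas a `client_side_upload` can never be read by the provider at all.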

Some enterprises will employ an encryption gateway product that detects when sensitive data is about to leave the corporate network perimeter and encrypts it before it does. Obviously, these introduce additional problems into the cloud data security equation, such as infrastructure overheads or the 'don't lose your bloody key or you lose your bloody data' conundrum. But hey, nobody said that ensuring cloudy data privacy was an easy nut to crack.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.