Encryption can serve another purpose when using a service like Dropbox. "There's some concern that cloud storage providers will look at your data to target advertising at you," explained Richard Stiennon, chief research analyst with IT Harvest and an nCrypted Cloud user. In fact, last fall it was revealed that Dropbox was peeking at all ".doc" files uploaded to the system. The company said it needed to snoop on the files for de-duplication purpose, to scan for them for malware and to allow users to a preview documents without opening up a desktop program.
An elaborate key management system is also deployed to protect data encrypted by nCrypted Cloud. For example, keys for unlocking Brown's data aren't stored on nCrypted Cloud's servers where they could be obtained by a third-party. "We don't want access to those keys," Stamos said. "So if the Department of Justice or someone else comes to us, we don't want to ever expose our customers' information."
With nCrypted Cloud, each file is put into a 256-bit AES zip container. "That was important for us because we didn't want to build anything that was proprietary," Stamos explained. Each file has a unique password and each person has both a personal and corporate identity. Each identity has a private and public key pair. Passwords encrypted with the corporate identity has two public-private key pairs -- one for the owner of the file and one for their employer. "That guarantees that the corporation or institution will always have access to the information," Stamos said.
It also addresses a problem with devices that may contain both personal and institutional information because personal information can be encrypted using a personal identity. "If you leave work or quit, they can revoke your access to work files and be assured you don't have access to them," said Adrian Sanabria, an enterprise security analyst with The 451 Group. "At the same time, you can be assured that they can't revoke your access to your personal files."
"The catch is," he added, "you're the one categorizing what's work and what's personal. So the company is depending on the user to do that correctly, if at all."
Other measures are taken to ensure that nCrypted Cloud can't be forced to cough up a customer's private keys. First, the corporate private keys remain with the institution -- only the institution's public keys remain with nCrypted Cloud.
Second, it borrows an algorithm used to secure WiFi networks to secure a user's private keys. In nCrypted Cloud that algorithm is used to take a user's account ID, which is public information, and a password to generate a personal key that's used to encrypt their private key. That encrypted cocktail is stored in the nCrypted Cloud servers. "So the server has encrypted data that it will give to anyone who asks for it but they need the right credentials to unlock the private key," Stamos explained.
Sign up for CIO Asia eNewsletters.