Some cloud storage providers who hope to be on the leading edge of cloud security adopt a "zero-knowledge" policy in which vendors say it is impossible for customer data to be snooped on. But a recent study by computer scientists at Johns Hopkins University is questioning just how secure those zero knowledge tactics are.
Zero knowledge cloud services usually work by storing customer data in an encrypted fashion and only giving customers the keys to unencrypt it, rather than the vendor having access to those keys. But the researchers found that if data is shared within a cloud service, those keys could be vulnerable to an attack allowing vendors to peer into customer data if they wanted to. The study casts doubt over these zero-knowledge clouds and reinforces advice from experts that end users should be fully aware of how vendors handle their data.
+ MORE AT NETWORK WORLD: Heartbleed bug is irritating McAfee, Symantec, Kaspersky Lab | DDoS Attackers Change Techniques To Wallop Sites +
Zero knowledge cloud vendors examined by the researchers - in this case Spider Oak, Wuala and Tresorit - typically use a method where data is encrypted when it is stored in the cloud and only unencrypted when the user downloads it again from the cloud. This model is secure. But, the researchers warn that if data is shared in the cloud, meaning that it is sent via the cloud service without the user downloading it on to their system, then vendors have an opportunity to view it. "Whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers' files and other data," lead author Duane Wilson, a doctoral student in the Information Security Institute at the Department of Computer Science at Johns Hopkins University, was quoted as saying in a review of the report. View the full PDF of the report here.
It's common for these vendors to rely on a middle-man service which verifies users before providing keys to unencrypt the data. The researchers found that providers sometimes provide their own verification. This presents an opportunity for vendors to potentially issue fake credentials that would unencrypt the data and allow providers to view the information. It's similar to a traditional "man in the middle" security attack.
The researchers say they found no evidence of customer data being compromised, nor have they identified any suspicious behavior by vendors, but the researchers said it could be a vulnerability. "Although we have no evidence that any secure cloud storage provider is accessing their customers' private information, we wanted to get the word out that this could easily occur," said Giuseppe Ateniese, an associate professor who supervised the research. "It's like discovering that your neighbors left their door unlocked. Maybe no one has stolen anything from the house yet, but don't you think they'd like to know that it would be simple for thieves to get inside?"
Sign up for CIO Asia eNewsletters.