The importance of public cloud encryption for enterprise data storage

Cloud storage providers have beefed up their encryption offerings, but are they enough? Expert Dave Shackleford explains the importance of public cloud encryption.

Dropbox recently earned another top-level security certification, ISO 27001, as part of the cloud storage vendor's effort to improve security and become more appealing to enterprises. NSA whistleblower Edward Snowden, however, has said that users should abandon Dropbox and similar cloud services because they do not offer encryption that keeps user data private from the provider itself. This tip looks at the importance of data and file encryption for enterprises using public cloud services, what encryption options are available and how companies should go about implementing cloud storage encryption.

Key management

Many enterprises wouldn't begin to consider the use of cloud storage services without some means of data protection. Fortunately, the major providers of cloud storage offer quite a few options today. Dropbox for Business uses standard SSL/TLS tunnels to protect data in transit between customer devices and its cloud environment, and applies 256-bit AES encryption to all data at rest within that environment.

How the keys are managed, however, is not spelled out, which implies that Dropbox generates and holds them within its own environment. A Dropbox competitor also provides enterprise-class security with AES 256-bit encryption and appears to take the same approach, storing keys in its own data centers.


Microsoft's OneDrive now also includes industry-standard encryption by default for all customers. Most of these providers store keys in multiple separate locations, so an outright loss or theft of the keys is unlikely. That covers one failure mode only, though: as long as the provider generates and holds the keys, the provider, and anyone who compromises or compels it, can decrypt customer data. Organizations should therefore ask pointed questions about how keys are created, stored, rotated, revoked and managed by cloud storage provider personnel, and how key integrity and access controls are maintained over time.

Encryption options

Several cloud storage services offer more secure alternatives for enterprises uncomfortable with the lack of encryption control in mainstream cloud storage environments. SpiderOak, Wuala and Tresorit offer so-called zero-knowledge storage: data is encrypted on the client before it ever leaves the device, and the keys never reach the provider, so the provider cannot read what it stores. Wuala, for example, uses AES-256 for encryption, RSA-2048 for signatures and for key exchange when sharing folders, and SHA-256 for integrity checks on all data bound for its environment. As a provider based in Europe, it also has the advantage of providing assurances for organizations that need to comply with EU data protection and privacy laws.
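The client-side scheme described above, as an added example in Go. This is not code from Wuala, SpiderOak or Tresorit and makes no claim about how their clients are built; it simply combines the three primitives the paragraph names. Assumptions not on the page: AES-256 is used in GCM mode; the filename is encrypted as well as the content, since the name is metadata the provider would otherwise see; the per-file key is wrapped with RSA-OAEP (SHA-256) for each user a folder is shared with, which is the key exchange step; the uploader signs the ciphertext with RSA-PSS over a SHA-256 digest. User ids, the "filename"/"content" labels and the sample file are constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Blob is everything the provider stores. The file key appears only wrapped under
// recipients' RSA public keys, so the provider can read neither name nor content.
type Blob struct {
	NameNonce, Name []byte            // AES-256-GCM encrypted filename
	Nonce, Cipher   []byte            // AES-256-GCM encrypted content
	WrappedKeys     map[string][]byte // user id -> file key wrapped with RSA-OAEP (SHA-256)
	Sig             []byte            // uploader's RSA-PSS signature over SHA-256(nonce || ciphertext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func mustKey() *rsa.PrivateKey { // RSA-2048 user key; real clients load it from a keystore
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// EncryptForUpload runs on the client before sync: a fresh 256-bit file key seals name and
// content, the key is wrapped for every recipient (sharing), and the uploader signs the result.
func EncryptForUpload(name string, content []byte, signer *rsa.PrivateKey, recipients map[string]*rsa.PublicKey) (*Blob, error) {
	material := make([]byte, 56) // 32-byte AES key followed by two distinct 12-byte GCM nonces
	if _, err := rand.Read(material); err != nil {
		return nil, err
	}
	fileKey := material[:32]
	g, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	b := &Blob{NameNonce: material[32:44], Nonce: material[44:], WrappedKeys: map[string][]byte{}}
	b.Name = g.Seal(nil, b.NameNonce, []byte(name), []byte("filename"))
	b.Cipher = g.Seal(nil, b.Nonce, content, []byte("content"))
	for id, pub := range recipients {
		wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, []byte(id))
		if err != nil {
			return nil, err
		}
		b.WrappedKeys[id] = wk
	}
	digest := sha256.Sum256(append(append([]byte{}, b.Nonce...), b.Cipher...))
	b.Sig, err = rsa.SignPSS(rand.Reader, signer, crypto.SHA256, digest[:], nil)
	return b, err
}

// Download is the recipient side. The signature is verified first, so a blob altered or
// substituted in the cloud is rejected before any key is unwrapped; an unshared user has no key.
func Download(b *Blob, id string, priv *rsa.PrivateKey, signerPub *rsa.PublicKey) (string, []byte, error) {
	digest := sha256.Sum256(append(append([]byte{}, b.Nonce...), b.Cipher...))
	if err := rsa.VerifyPSS(signerPub, crypto.SHA256, digest[:], b.Sig, nil); err != nil {
		return "", nil, fmt.Errorf("signature check failed: %w", err)
	}
	wk, ok := b.WrappedKeys[id]
	if !ok {
		return "", nil, fmt.Errorf("file not shared with %q", id)
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wk, []byte(id))
	if err != nil {
		return "", nil, err
	}
	g, err := newGCM(fileKey)
	if err != nil {
		return "", nil, err
	}
	name, err := g.Open(nil, b.NameNonce, b.Name, []byte("filename"))
	if err != nil {
		return "", nil, err
	}
	content, err := g.Open(nil, b.Nonce, b.Cipher, []byte("content"))
	if err != nil {
		return "", nil, err
	}
	return string(name), content, nil
}

func main() {
	alice, bob := mustKey(), mustKey() // uploader and the colleague the folder is shared with
	blob, err := EncryptForUpload("Finance/q3-forecast.xlsx", []byte("constructed sample content"),
		alice, map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "bob": &bob.PublicKey})
	if err != nil {
		panic(err)
	}
	name, content, err := Download(blob, "bob", bob, &alice.PublicKey)
	fmt.Println(name, string(content), err)
}
```

The property worth checking against any vendor's claim of zero knowledge is the one the Blob type makes explicit: nothing the provider holds (ciphertext, nonces, wrapped keys, signature) lets it recover the file key, and a user who was not in the recipient list at upload time cannot be added later by the provider, only by a client that holds the file key.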

Implementing cloud storage encryption

Most security-conscious organizations realize that the best practice for using cloud storage is to encrypt data before it goes into the cloud in the first place. Many business users, however, want more flexibility in how they implement encryption, with the choice of encrypting specific data types -- perhaps just the valuable or sensitive data -- or all data. The reasons vary, but they often relate to performance, integration with applications, and in-house processes and practices that require more flexibility.

The majority of cloud storage providers -- even those with client-side encryption -- do not offer granular encryption options and leave the selection of which data to encrypt to the users themselves. Fortunately, numerous third-party solutions are available to help protect data headed for cloud storage. One example is Boxcryptor, which integrates with Dropbox, Google Drive, Microsoft OneDrive and other cloud storage services. Boxcryptor integrates with Active Directory so that encryption policy, including filename encryption, can be enforced per user and group, and specific data can be selected for encryption rather than encrypting everything. Many other options are available from vendors such as CipherCloud, Cloudfogger, SafeMonk and Viivo, as well as traditional host-based security software from companies like Intel Security (formerly McAfee) and Sophos that offer local encryption options for cloud storage.
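A granular selection policy of the kind the two paragraphs above describe, as an added example in Go; the rule format and the sample rules are constructed for this page and are not Boxcryptor's or any other vendor's policy format. It evaluates folder, file type and group membership with first-match precedence, so an exemption can sit inside an otherwise encrypted folder, and it normalises the path first so a traversal-looking or backslash path cannot slip past a folder rule. The Default field is the practitioner's caveat: setting it to true turns the same rules into the "encrypt everything, exempt explicitly" posture the article calls best practice.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is one line of a constructed policy; the first matching rule wins, so an
// exemption (Encrypt: false) placed early overrides the broader rules after it.
type Rule struct {
	Dir     string   // folder prefix relative to the synced root; "" matches any folder
	Ext     string   // lower-case extension with the dot; "" matches any file type
	Groups  []string // AD groups the rule applies to; nil matches every user
	Encrypt bool
}

// Policy is what the endpoint evaluates before a file is handed to the sync client.
// Default applies when nothing matches: true gives "encrypt everything, exempt
// explicitly", false gives "encrypt only what is selected".
type Policy struct {
	Rules   []Rule
	Default bool
}

// SamplePolicy is constructed for this example, not any vendor's policy.
var SamplePolicy = Policy{Default: false, Rules: []Rule{
	{Ext: ".tmp", Encrypt: false},              // scratch files stay clear even inside Finance/
	{Groups: []string{"Legal"}, Encrypt: true}, // members of Legal encrypt everything they sync
	{Dir: "Finance/", Encrypt: true},
	{Dir: "HR/", Encrypt: true},
	{Ext: ".xlsx", Encrypt: true},
	{Ext: ".csv", Encrypt: true},
}}

// Decide reports whether relPath must be encrypted for a user in the given groups and
// which rule decided it (-1 means the policy default was used). The path is normalised
// first so "Public/../HR/x.docx" or a backslash path cannot dodge a folder rule.
func Decide(relPath string, groups []string, p Policy) (bool, int) {
	rel := path.Clean(strings.ReplaceAll(relPath, `\`, "/"))
	ext := strings.ToLower(path.Ext(rel))
	for i, r := range p.Rules {
		if r.Dir != "" && !strings.HasPrefix(rel, r.Dir) {
			continue
		}
		if r.Ext != "" && r.Ext != ext {
			continue
		}
		if r.Groups != nil && !inAnyGroup(groups, r.Groups) {
			continue
		}
		return r.Encrypt, i
	}
	return p.Default, -1
}

func inAnyGroup(have, want []string) bool {
	for _, w := range want {
		for _, h := range have {
			if strings.EqualFold(h, w) { // AD group names are case-insensitive
				return true
			}
		}
	}
	return false
}

func main() {
	files := []string{"Finance/q3.xlsx", "Finance/scratch.tmp", "Marketing/deck.pptx", `Public\..\HR\review.docx`}
	for _, f := range files {
		enc, rule := Decide(f, []string{"Marketing"}, SamplePolicy)
		fmt.Printf("%-26s encrypt=%-5v rule=%d\n", f, enc, rule)
	}
}
```

Whatever product implements the selection, the decision should be made on the endpoint from a normalised path and an authenticated group list, never from a filename the user typed or a group claim the sync client supplies unverified.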

It's apparent that enterprises want to make use of fast, simple and inexpensive cloud storage that works on multiple endpoint devices and allows for flexible collaboration and sharing between teams. Fortunately, there are more options than ever before for allowing security teams to enable this safely.
