More to Security than Encryption

We were having some debates internally here a few months back over when you could call something secure. Is it ok to call something secure, for instance, if it lacks encryption?

My answer to this is actually a (qualified) yes.

Having server side encryption is great – and ultimately is a very important check-box” feature but I would argue it is ultimately the control you have over your data that is more important to its security.

What we do at ownCloud is give customers as much openness and control as possible over their data – through integration with their monitoring, firewall policies as well as their own storage (or even third-party storage they choose).

Availability as security — If you own your data it can’t be lost because someone is shutting the cloud service down, or if AWS/Dropbox goes down.
•
Integration as security — ownCloud can be integrated in existing firewalls and auditing tools.
•
Openness as security — ownCloud can run on top of encrypted file systems to have full encryption. It is open source so you or someone else
can review the code and make sure that no backdoors exist.

•Control as security — ownCloud runs in an environment you control. So you can be sure that the most secure server environment is used. You can use a hardened and certified infrastructure.
•
Firewall as security — It can be used completely internally in an organization behind a strong firewall or in an intranet.

As I said, encryption is (ultimately) a very important “checkbox” feature, but all the encryption in the world won’t make you secure without control.

Comments

  • Any idea when this software will offer client-side encryption? I don’t care if it means I have to sacrifice the website access and can only access via desktop, phone, etc. Thanks!!! I would be more than happy to pay money for this feature and software that has very robust end-to-end security features.

    • It depends on demand from our Enterprise Edition subscription customers. For end users there are tools available who encrypt user specific content, or they run their ownCloud at home and therefor don’t need encryption on the client side.

  • It’s nearly June and I see the most recent update (5.x) fixed a LOT of security issues, but how’s the encryption coming? Still on track for a Q2 release?

    • Yes, still on track for Q2 … as you can see from the 5.x releases there is work going and we continue to work on ownCloud Enterprise Edition 5.

  • Will every file be encrypted? What about the mp3 player? WIll it have to decrypt every file before playing? If yes, where will it store the file temporarily?

  • Hi Frank,

    Any idea on how to switch on server side encryption when installed on third party hosting?

    I can still see my data files through ftp :(

    Or is client side + server side out now?

    Sincerely,

    0ctatron

    • We are currently working on the new server side encryption feature which will ship in Q2 2013. End to End encryption is on the roadmap for later and depends on the requests by our subscription customers.

  • Hi there, I was wondering how soon soon is :-) Given this post is now 3 months old… Server-side encryption would be make me sleep better at night, I do have to admit. Nevertheless good post up above and very true..

  • Client side encryption please! With the key being stored on the server you run the risk of having the same controversy Dropbox went through a year or so ago. Your application ends up being very similar to Dropbox when it is hosted on a third party hosting service. I would prefer a something more like Wuala’s encryption solution.

  • That’s an incredibly simple question with an automatic answer for anyone even slightly interested in security: nobody in the world but myself, and for certain things I don’t even trust myself (like never leaving “keep me logged in” stuff checked etc.). Of course, as long as the server machine is under my direct control (and going with the assumption that it is physically secure) encryption can be a lesser issue.

  • Secure to me means that the person how uses owncloud can be sure

    - data is not lost (on the harddrive)
    - data is not intercepted or copied (on the way trough the internet to the device)
    - data is not accessed by other than access granted (on the server)

    and of course you are controlling your own data.

    I feel encryption can help building trust, in addition to a really “Easy” setup
    procedure.

  • Actually, it is the way around:
    “All the control won’t make you secure without encryption”.
    Because at the end of the day: Whoever admin got access to the server also has access to the data and the user is left with no control over his data at all.

    • I think it all depends on the scenario that you have. At the end of the day it’s always a question who you trust.
      And just to make this clear. We are working on a new and hugely improved encryption system.

    • True. For this scenario encryption is an important feature and we are working on it. You can expect something cool really soon.

Leave a comment