{"id":18676,"date":"2016-02-19T14:00:40","date_gmt":"2016-02-19T13:00:40","guid":{"rendered":"https:\/\/owncloud.com\/?p=18676"},"modified":"2020-09-30T09:11:12","modified_gmt":"2020-09-30T09:11:12","slug":"blog-box-keysafe-not-so-safe","status":"publish","type":"post","link":"https:\/\/owncloud.com\/de\/blogs\/blog-box-keysafe-not-so-safe\/","title":{"rendered":"Box Keysafe Not So Safe"},"content":{"rendered":"<p>This month\u00a0<a href=\"https:\/\/www.box.com\/blog\/box-keysafe\/\" target=\"_blank\" rel=\"noopener\">Box announced its KeySafe service<\/a>, a service that should give organizations control over their encryption keys. The ultimate goal of the service is that an organization\u2019s content may reside in the cloud, while allowing them to keep control over their encryption keys.<\/p>\n<p>But let\u2019s stop here. First of all,\u00a0<a href=\"https:\/\/fsfe.org\/contribute\/spreadtheword.en.html#nocloud\" target=\"_blank\" rel=\"noopener\">as the FSFE (Free Software Foundation Europe) stated so nicely<\/a>: \u201cThere is no cloud, just other people\u2019s computers.\u201d<\/p>\n<p>This is particularly critical when you store your sensitive data on another company\u2019s infrastructure. You are effectively moving the control over your data to them. And what happens if one of them has a significant security hole? For example,\u00a0<a href=\"http:\/\/www.cnet.com\/news\/dropbox-confirms-security-glitch-no-password-required\/\" target=\"_blank\" rel=\"noopener\">previously a programming error in Dropbox allowed any user to access any other account without a valid password<\/a>.<\/p>\n<p>With all of the focus today on privacy and compliance, cloud storage providers are realizing that they need to offer their customers more security. But how can they provide that? It\u2019s Software-as-a-Service, where a customer\u2019s data is stored on the cloud providers\u2019 servers. 
While strong encryption methods would help, the problem is that most truly effective encryption methods would make their web interface unusable.<\/p>\n<p>One way to try to tackle this problem is claiming that customers have control over their encryption keys.\u00a0<a href=\"https:\/\/www.box.com\/business\/keysafe\/\" target=\"_blank\" rel=\"noopener\">Let me quote this one sentence from the Box website<\/a>:<\/p>\n<blockquote><p><strong>Exclusive Key Control.\u00a0<\/strong>Box can never see or access your encryption keys<\/p><\/blockquote>\n<p>And this is probably right! Box can\u2019t access your encryption keys. But let\u2019s think about that phrase. What it effectively says is that they can\u2019t access your encryption keys but they can still access the thing that you want to protect: Your files.<\/p>\n<p>We\u2019re not saying here that the Box encryption is inherently insecure. In fact, we are not in the position at all to say that. Due to the closed-source nature of Box, it is not possible to really verify the security of the platform.\u00a0 But we are saying you shouldn\u2019t take cloud provider \u201cpromises\u201d like this at face value.\u00a0 You need to know not only who has control over your keys, but also where your data is stored, and who has access to it.\u00a0 In case of a security or compliance audit, you will be the one responsible for your data\u2019s privacy and security.<\/p>\n<p>What other choice do you have?\u00a0 How about control over both your keys AND your data!\u00a0 With ownCloud\u2019s new\u00a0<a href=\"https:\/\/owncloud.com\/wp-content\/uploads\/2015\/07\/Overview_of_ownCloud_Encryption_Model_2.2.pdf\">Encryption 2.0\u00a0<\/a>\u00a0it is possible for enterprises to achieve complete control over their encryption keys\u00a0<u>AND<\/u>\u00a0files as ownCloud is an on-premises solution.\u00a0 So you have complete control over your encryption key logic as well as where your data is stored, and who has access to it.<\/p>\n<p>With 
our strong commitment to open-source and our source code being open-source, everybody can verify the security of ownCloud.\u00a0 Additionally, we also offer a bug bounty program at\u00a0<a href=\"https:\/\/yeswehack.com\/programs\/owncloud-bug-bounty-program\" target=\"_blank\" rel=\"noopener\">https:\/\/yeswehack.com\/programs\/owncloud-bug-bounty-program<\/a>\u00a0where we\u2019re paying hackers for security vulnerabilities found in our product.\u00a0 Putting our money where our claims are, to keep your data, and your keys, safe.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This month\u00a0Box announced its KeySafe service, a service that should give organizations control over their encryption keys. The ultimate goal of the service is that an organization\u2019s content may reside in the cloud, while allowing them to keep control over their encryption keys. But let\u2019s stop here. First of all,\u00a0as the FSFE (Free Software Foundation [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":78665,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[48],"tags":[],"class_list":["post-18676","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"acf":[],"_links":{"self":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/18676","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/comments?post=18676"}],"version-history":[{"count":0,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/
posts\/18676\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media\/78665"}],"wp:attachment":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media?parent=18676"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/categories?post=18676"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/tags?post=18676"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}