It’s Time Businesses Shift from Cloud Service Providers, aka Data-lords, to Zero-Knowledge Encryption to Regain Data Autonomy & Sovereignty
by Theresa Mattox, MBA, Strategic Thought Leader
Businesses know how valuable their data is and how cost-prohibitive it can be to maintain their data on-site. This is the main reason many businesses rely on mainstream cloud computing and storage providers as a cost-effective option.
But at what cost should businesses continue to rely on cloud service providers when an increase of external threats are continually on the rise such as cloud security breaches, mounting cloud security threats, security configuration errors, misconfigurations, phishing, data scraping breaches, cyber-attacks, third-party snoops, third-party developers, hackers, stolen credentials, intelligence agencies, governments, ransomware, backdoor malware, and backdoors intentionally designed in the operating system software to gain access and control your data for various reasons; from ransomware attacks and data mining to data profiteering, surveillance and more. As the saying goes, “if you’re not paying for the product, you are the product.”
How really safe is a business and consumer data in the cloud? And what if data privacy is just an illusion? After all, proprietary intelligence data, confidential files, photos, and videos are being stored on servers that are not under your control.
Several Examples of Data Stored with Cloud Providers at Risk.
1. “Capital One is the 10th largest bank in the USA, which was using Amazon Web Services (AWS) at the time. The following events lead to the breach:
- The web application firewall (WAF) was misconfigured
- The attacker exploited the misconfigured WAF and generated a fraudulent access token.
- The attacker used the access token to fetch data from AWS storage.
- The attacker was able to exfiltrate 700 folders and datasets containing customer information.
In this breach, attackers were familiar with AWS commands, so they were able to act quickly once they got access to the network. The attack did not trigger alerts, because the volume of data transferred outside the Capital One network was in line with the regular daily load of network traffic.”
2. “In 2021, LinkedIn also fell victim to a data scraping breach. Affecting 700 million LinkedIn profiles, the information was primarily public. But the data from the hack was posted on a dark web forum in June of 2021. LinkedIn explained that no sensitive, private data was exposed. The company also made the argument that the incident only violated the company’s terms of service. But a scraped data sample in the dark web post included email addresses, phone numbers, geolocation records, genders, and other social media details. That’s plenty of data for a clever hacker to use for social engineering attacks. And, while LinkedIn refuses blame for the breach, it has undoubtedly opened many eyes to the data risks that come with using social media.”
3. Apple Scanning Photos on iOS Mobile Devices
Case in Point: Apple is now scanning photos on iOS mobile devices to identify potential pedophiles who target children for child exploitation. How this works is Apple takes photos and uploads them to the iCloud, then matches them to a database of known CSAM images. If there is a match of images, the case is automatically flagged for human review and if they find something, they report it to the authorities. This type of scanning is already being done on platforms like Google and Facebook as well. What is alarming is that the scanning is starting on users’ devices, not just when you upload it somewhere and this is a “crisis of business ethics” as it comes down to invasion of privacy on users’ devices. On the surface, this unilateral decision by Apple may appear to be a noble cause, but this is a matter for law enforcement, not a corporation. Essentially this is a corporate invasion of privacy and trespassing on digital rights which is alarming. Apple rightfully owns its operating system, but the critical issue at stake is whether Apple has the right to suddenly update the operating system to begin searching the contents of your iPhone without your permission. The other issue is that this is a personal search on personal property without a warrant or probable cause.
Furthermore, this is a backdoor and possibly a pretext for who knows what else is to come in the future. This may not appear to be a backdoor as Apple claims, but a backdoor is a backdoor and a potential pretext of further infringement on users’ privacy targeting mobile devices. An article by India McKinney and Erica Portnoy with the Electronic Frontier Foundation, aka EFF, reported it explicitly in the following statement:
“Apple can explain at length how its technical implementation will preserve privacy and security in its proposed backdoor, but at the end of the day, even a thoroughly documented, carefully thought-out, and the narrowly-scoped backdoor is still a backdoor.”
Consequently, this can lead Apple down a slippery slope to potential problems around business ethics far too complex to reverse. It would make it hard for Apple to say no to other less honorable requests. For example, now that Apple has this backdoor, what if China aka the CCP proposed to Apple and stipulated if you want to continue doing business in China, you must start scanning all devices collecting certain information on Chinese citizens from their iPhone devices and route this data to a designated database of the CCP’s choosing. This proposition would make it very difficult for Apple to say no, when Apple has the highest market share of mobile devices in China, and the technology is already developed and deployed. Now Apple has little leverage to say no and all it takes to widen this backdoor is expanding algorithms and machine learning parameters to look for specific and additional types of information and content, and essentially, Apple has opened Pandora’s Box.
Stop & Proceed with Caution
This makes one question how far Apple would bend to China’s demands and consequently set in motion an ethical and moral dilemma leading to a perfect storm that Apple could not reverse after being on the forefront, touting data privacy rights and protections and publicly endorsed by CEO, Tim Cook. If the company deviated from its position on data privacy and protection, the company could suffer negatively and incur irreparable damage, breaching the trust of its user base and company reputation on the world stage if this were to happen. You cannot tout noble principles in the home country and your actions don’t follow your words in another country. Espousing a principle and doing the exact opposite are mutually exclusive.
Furthermore, the company already faced legal challenges for deliberately slowing down batteries on iPhone devices unknowingly to Apple users, until this deceptive business practice was brought into the open. This makes one question what other deceptive business practices Apple is withholding from its users behind the scenes in its strategic product obsolescence planning. This breached the trust of some customers and countries, and unfortunately, only a handful of countries outside the US held Apple legally accountable in court for this deceptive business practice.
Why is Business & Consumer Data Less Safe with Cloud Service Providers?
Why aren’t mainstream cloud providers such as Google Drive, Apple iCloud, Amazon Cloud Services, and other main cloud providers safe, if they use military-grade encryption stored on servers?
The reason in a nutshell: cloud providers still OWN the encryption key.
While the data is safe from the outside world, cloud service providers still have the encryption key to access your data and this means third-party snoops, governments, and intelligence agencies are able to tap on them and borrow the key which happens more frequently than you might think.
If you don’t OWN the encryption key, you don’t OWN the data, plain and simple. This is why using cloud service providers can be potentially unsafe when business users’ files stored on cloud service providers aren’t really theirs. This requires a mental shift in thinking to grasp and accept because users have been subtly deluded in thinking business users’ data stored with cloud providers are owned by business users themselves, and this is not the case. Apple owns its operating system and iCloud storage. Google owns its operating system and storage, and business and consumer users are just that, users not owners. Business and consumer users pay cloud service providers to store their business and consumer data on cloud service providers’ platforms.
Here is a clear example of encryption key ownership by Apple:
“iMessage is secured by end-to-end encryption, the idea being that the keys to decrypt messages between you and those you message are only shared between you. That stops anyone from intercepting your content. But in a bizarre twist, Apple stores a copy of those encryption keys in that iCloud backup, which it can access. That means the end-to-end encryption is fairly pointless” and users’ private messages are at risk of exposure.”
Cloud Providers have Evolved to Become Data-lords
Why Businesses Might Consider Migrating to Private Cloud Solutions with Zero-Knowledge Encryption
When a business uses “zero-knowledge encryption”, aka ZKE, only the business owns the encryption keys and only the business sees and controls the data, therefore the business OWNS the data. No one can access or control the business data except the business, not even the service that has the business data and this is the key benefit of having a private cloud solution. Additionally, the business is less inclined to fall victim to the “tragedy of the commons”, a principle that suggests, that if one invests in ownership and autonomy of valuable assets, one will be far more inclined to invest in maintaining these assets to sustain the assets’ market value. The main takeaway in migrating to a private cloud solution and “zero-knowledge encryption” is the business becomes the OWNER of their business data, not the cloud service provider.
Is Your Business Ready for a Private Cloud Solution?
If your business is ready to shift to a private cloud computing and storage alternative, here are a few options to consider to determine which best suits the business’s budget and operational needs based on a cost-benefit analysis. The business must conduct a full assessment weighing the pros and cons, assessing key factors such as internal strengths, weaknesses, opportunities, and threats, and external strengths, weaknesses, opportunities, and threats.
Top Private Cloud Services to Consider
Here is a list of the top private cloud service options to determine and choose from that best suit the business’s budget, needs, and requirements. Each of these providers provides Zero-Knowledge Encryption, however, each service has pros and cons, so the business owner has to decide the best service option to fit the business’s needs.
3. ProtonDrive, makers of Protonmail and Proton VPN
#EFF #privatecloud #zeroknowledgeencryption #zeroknowledgeencryptionarchitecture
#dataautonomy #datasovereignty #data-lords #privatecloudsolutions #data-ownership #privacyillusion #applesurveillance