Not all clouds are created equal, at least when it comes to encryption. Most cloud providers say they encrypt data, which engenders a sense of security—but there is a weakness in the process. Data —say, a medical record— is indeed encrypted when you send it to the cloud. But, when it arrives at the server to be stored, it’s decrypted.
Fred Eberlein of Tresorit, a Hungary-based cloud storage service, likes to talk about the roles that encryption plays, and how the word alone can create a false sense of security. For instance, he notes that almost everyone says they encrypt data. And that’s true. But how?
“When you push a medical file to the cloud, it’s encrypted on the path to the cloud,” Eberlein says. “But when it gets to the server they decrypt it and encrypt it in storage. That’s the Achilles heel for most established cloud data solutions.”
The question then becomes not if your data is encrypted, but how well it is encrypted. Consider a picture sent from one place to another using an industry-standard 256-bit AES algorithm. Anyone with some expertise and a good computer can probably see enough of that picture to make out what it is. So, ideally, you want a cloud provider to offer multi-level encryption, better than a 256-bit AES algorithm.
The solution to this lies in client-side encryption, where data is encrypted on the device it’s created on and stays that way until it reaches its final destination. Once that data is encrypted and uploaded to the cloud it’s safe, right? Well, maybe. It depends on how it was encrypted.
Take, for instance, a picture of a penguin. Encrypt that image using an industry standard 256-bit AES algorithm. Chances are very good that someone with a high level of understanding about encryption and a reasonably powered computer can coax enough sense out of the chaos of that encrypted file to get most of the picture visible.
This actually happened. Eberlein says that while the image was still garbled, it was recognizable as a penguin. That should worry anyone who thinks that just because his or her data is encrypted, it’s safe.
“Even if your data is encrypted, how well is it encrypted?” Eberlein asks.
Here, the prospective buyer wants to see their cloud provider offering multi-level encryption, something well beyond the 256-bit standard.
Cloud encryption is a service offered by cloud storage providers whereby data, or text, is transformed using encryption algorithms and is then placed on a storage cloud. Cloud encryption is the transformation of a cloud service customer’s data into ciphertext. The cloud encryption capabilities of the service provider need to match the level of sensitivity of the data being hosted.
Because encryption consumes more processor overhead, many cloud providers will only offer basic encryption on a few database fields, such as passwords and account numbers. At this point in time, having the provider encrypt a customer’s entire database can become so expensive that it may make more sense to store the data in-house or encrypt the data before sending it to the cloud. To keep costs low, some cloud providers have been offering alternatives to encryption that don’t require as much processing power. These techniques include redacting or obfuscating data that needs to remain confidential or the use of proprietary encryption algorithms created by the vendor.
Additionally, there should be administrative features in place that allow you or other IT staff to see when files have been viewed and edited, how, and by whom.
If you add client-side encryption to these features, you have a winning combination: the ability to store a safely encrypted document directly with a patient, leading to better engagement and thus, a potentially more profitable business.
Contact us today to learn more about our secure options and how they can help ensure your data is secure.