You might think that the NSA and other shadowy three-letter agencies are the world’s biggest cloud cheerleaders: all your data, all the time, in the cloud, where Prism and XKeyscore can, apparently, access it.
Perhaps that’s why Google announced yesterday it was triple-encrypting all data in Google Cloud Storage.
“We know that security is important to you and your customers,” Google product manager Dave Barth posted. “Our goal is to make securing your data as painless as possible.”
First of all, the data itself is encrypted with industry-standard 128-bit AES technology. It’s not 256-bit, but it is enough to take a supercomputer one billion, billion years to crack via brute-force computation. By that time, I don’t think you’ll care if someone decrypts your cute-cats-with-bowties collection.
Secondly, each per-object key is itself encrypted with a unique key. Finally, just because Google is Google, those keys themselves are encrypted with one of a “regularly rotated set of master keys.”
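The three layers described above, and what rotating a master key involves, as an added example. This is not Google's code: the function names, the blob layout and the use of AES-GCM for both the data and the key wrapping are assumptions, since the announcement only specifies 128-bit AES.

```ruby
require 'openssl'

# AES-128-GCM is this example's assumption; the article only says "128-bit AES".
CIPHER = 'aes-128-gcm'

# Encrypt under a 16-byte key. Output: nonce (12) || tag (16) || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new(CIPHER).encrypt
  c.key = key
  nonce = c.random_iv
  ciphertext = c.update(plaintext) + c.final
  nonce + c.auth_tag + ciphertext
end

# Decrypt and authenticate; raises OpenSSL::Cipher::CipherError on a wrong key or altered blob.
def unseal(key, blob)
  raise ArgumentError, 'blob too short' if blob.bytesize <= 28
  d = OpenSSL::Cipher.new(CIPHER).decrypt
  d.key = key
  d.iv = blob.byteslice(0, 12)
  d.auth_tag = blob.byteslice(12, 16)
  d.update(blob.byteslice(28..)) + d.final
end

# Three layers: data under a per-object key, that key under a unique key, the unique key under a master key.
def store_object(master_key, data)
  object_key = OpenSSL::Random.random_bytes(16)
  unique_key = OpenSSL::Random.random_bytes(16)
  { data: seal(object_key, data),
    wrapped_object_key: seal(unique_key, object_key),
    wrapped_unique_key: seal(master_key, unique_key) }
end

def read_object(master_key, obj)
  unique_key = unseal(master_key, obj[:wrapped_unique_key])
  object_key = unseal(unique_key, obj[:wrapped_object_key])
  unseal(object_key, obj[:data])
end

# Rotation re-wraps only the unique key; data and wrapped per-object key stay byte-for-byte identical.
def rotate_master(old_master, new_master, obj)
  unique_key = unseal(old_master, obj[:wrapped_unique_key])
  obj.merge(wrapped_unique_key: seal(new_master, unique_key))
end

if __FILE__ == $PROGRAM_NAME # constructed sample run
  old_m, new_m = Array.new(2) { OpenSSL::Random.random_bytes(16) }
  puts read_object(new_m, rotate_master(old_m, new_m, store_object(old_m, 'constructed sample object')))
end
```

Rotation here rewrites only one small wrapped key per object, which is what makes regular master-key rotation practical without re-encrypting the stored data.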
The new encryption is already standard for all new data being added to Google Cloud Storage, and older data will be upgraded in the coming months, Google said.
This should provide a level of comfort to those who are storing their data in the cloud — Google’s cloud, at least. International customers in particular have been worried about the NSA’s alleged access to data at Google. Google, of course, has denied that the NSA has any access to Google data.
“There is no free-for-all, no direct access, no indirect access, no back door, no drop box,” Google’s chief legal officer and senior vice president David Drummond has said.
But encrypting the data on the servers that make up the cloud, of course, is only one part of the solution. The other part is protecting against interception during transmission. Britain’s equivalent to Prism, Tempora, has apparently tapped 200 of the world’s largest fiber optic cables and allegedly can follow users’ access to websites and their Facebook postings, and read their emails.
Which means that until all pieces of the cloud — and the internet — are known to be secure, it’s hard to trust that any level of server-side encryption will completely do the job.