File Encryption Compromises in the Cloud

There is of course much interest these days in both the cloud and more general usage of hosted/off-premise environments for managing electronic documents. Indeed it's an area about which we have been receiving many more inquiries from our advisory service customers over this past year.

Yet despite the interest, one area I find few buyers investigate thoroughly enough is that of file encryption. Presumably you make the assumption that if you are going to pay a third-party service to manage your electronic files, they will do so in a safe and secure manner, and most times they will.

Managing data securely involves many things, but one element that suppliers make quite a song and dance about is the fact that they encrypt your documents/data, making it "100% secure." But things are not quite that simple, and you need to ask some more probing questions before taking that sort of claim at face value.

For example:

  • Are my documents encrypted whilst "at rest" in your system?
  • Are my documents encrypted whilst "in transit" to your system?

In most cases you'll find that documents are not encrypted whilst "at rest," and even where this gets presented as an option, there are often sound technical reasons why any hosted or cloud service would rather not encrypt everything all the time, not least of which would be the impact on processing and delivery times of your data. In most cases documents only get encrypted whilst "in transit" -- in other words whilst they are passing through the internet to and from your premises.

You may also want to ask who has access to the keys to encrypt your documents. Is it just you or does the service provider also have access to the keys? That will likely start up a whole new conversation with some surprises, not all of which may be pleasant.

It doesn't matter whether you are considering contracting with an industry Goliath like EMC, Amazon, or IBM, or a new upstart like Box, Huddle, or Oxygen. The fact is there are plenty of questions you will want to ask of any service provider before committing to any kind of contract; yet in our experience even simple questions like those above are often overlooked.

Over the past few years we have advised many organizations that are considering handing their corporate assets to a cloud-based service, and it's a trend that will surely grow in 2012. It is also one that as buyer advocates we worry about, for buyers themselves need to make the effort to dig deeper. Suppliers are unlikely to be falling over themselves anytime soon to lift any fog of confusion that currently exists.
