Cloud provider: The best security for your passwords is to never give them to us

Ethan Oberman, CEO of cloud backup and sharing service SpiderOak, has a proposition for enterprises that may be leery of using the cloud because of a perceived lack of security. The best security for cloud storage, he says, is to encrypt the data and not give your service provider the keys to decrypt it.

That's what SpiderOak does: "We can't even look at the data if we wanted to," he says.

Started in 2006 with a focus on consumer-grade data storage, the company had two basic goals: Be a central repository for file sharing and data collection, and focus on privacy and security. "We wanted to dispel the myth that just because it's online doesn't mean it can't be private," he says. SpiderOak brands itself as a "zero-knowledge" cloud storage provider, meaning the company has no knowledge of the data being stored in its cloud. That means if government officials demanded the information, SpiderOak wouldn't be able to supply unencrypted access to it. If hackers were to penetrate SpiderOak's cloud, they wouldn't have access to unencrypted data either.

SpiderOak works by having users install an access client, software that runs on laptops, PCs or a range of mobile devices, including Android and iOS. The client automatically encrypts any data stored in the SpiderOak cloud, which is housed in a series of colocation facilities. The data is encrypted with standard AES 256; it is uploaded to the cloud already encrypted and is not decrypted until the user requests access to it. Other file backup and synchronization services, such as competitor Dropbox, Oberman says, store data by default in plain text, meaning the company could theoretically have access to that data.

In recent years, Oberman says, SpiderOak has broadened its appeal beyond the consumer market with its SpiderOak Blue product, aimed at enterprises. Today, SpiderOak announced a version of its software that can be installed behind a company's firewall, so that it has no interaction with SpiderOak's public cloud and all of the storage is done locally. This gives users the same automated encryption technology and access clients, but the data is stored on the customer's site, in what SpiderOak calls a private storage cloud. A division of the Department of Defense, he says, has been one of SpiderOak's beta customers for the product, which is generally available today. Pricing for SpiderOak's service starts with up to 2GB free, then $10 per month for 100GB and $100 per year for each additional 100GB increment.

The service is competitive with Dropbox, Box, SugarSync and other cloud storage and synchronization services, says security analyst Richard Stiennon of research firm IT-Harvest. But while SpiderOak's competitors may use an SSL connection, or even AES 256 encryption, if they store the user credentials alongside the encryption keys, Stiennon says, there are vulnerabilities that could be exploited by hackers.

Zero knowledge has some risks too, he notes. If SpiderOak guarantees that it is unable to hand over information to authorities, hackers and criminals themselves may look to such solutions as a safe haven. A zero-knowledge policy is not a new concept; there are zero-knowledge Web hosting services, proxy servers and encrypted email services such as Hushmail, and Stiennon says those have in the past been used by hackers to launch attacks. Still, he says the benefits largely outweigh those concerns for enterprises looking for a secure file sharing system.

There are other ways to achieve the same result without using a service such as SpiderOak, Stiennon says. For example, a user could encrypt the files themselves, keep the keys on site and then ship the encrypted data up into the public cloud. Firms such as Trend Micro can aid in that process, he says, but SpiderOak has automated the encryption process and made access to the files easy with its Web clients.

Network World staff writer Brandon Butler covers cloud computing and social collaboration. He can be reached at and found on Twitter at @BButlerNWW.
