Dec 29 2014

nCrypted Cloud Promises New Approach to Cloud Storage and Email Security

Admins responsible for cloud storage and email security usually spend hundreds, if not thousands, of sleepless nights worrying whether their company's files and confidential information are truly safe or accessible to any ordinary hacker. Boston-based startup nCrypted Cloud claims it can help them avoid the worst symptoms of sleep deprivation by introducing easy-to-use, foolproof end-to-end encryption for as little as $10 per user per month, provided they work for companies based in the US.

Contrary to what one might expect, nCrypted Cloud does not directly compete with the likes of Dropbox, Google, Microsoft, Egnyte or Box, all of which run their own expensive storage infrastructures in the cloud. Instead, the firm offers an encryption, key management and sharing system that runs on top of these platforms. At least in theory, it should also be compatible with storage solutions offered by other CSPs, but so far we couldn't confirm that from the official materials available through their website.

Security Layers
As far as encryption and key management are concerned, nCrypted Cloud takes a layered approach. All sensitive information must be kept in ZIP files, which are then encrypted using a unique password (derived from a key value using PBKDF2 with added entropy) and the AES-256 algorithm. The idea here was to combine security with platform independence and ease of use, as ZIP files are accessible on any major desktop OS with built-in or third-party standard tools.

Once the ZIP file has been encrypted using the above-mentioned key value or User Personal Key (UPK), the next step is to protect the unique password from prying eyes. To achieve this, nCrypted Cloud generates a so-called User Recovery Key (URK), which is actually a public/private key pair as in common PKI solutions, to encrypt the unique file password. In the basic implementation, the URK is stored both locally on a user's device in a file called KeyStore and, in encrypted format, on nCrypted Cloud's servers; however, it's possible to opt out of the server-side copy by switching to a paid version. The encrypted password is then added to the comment area of the ZIP file, from where it can be retrieved using the URK.

To further improve security, nCrypted Cloud supports multiple user identities that can be linked to a single user account. That way, customers can set up distinct IDs to strictly separate personal from corporate information, an approach that is similar to the one taken in BlackBerry 10 or Samsung KNOX. What's more, companies may also obtain an Organizational Recovery Key (ORK) that will be linked to users' corporate IDs and pretty much works like the URK described above, with the main difference being that it's controlled by IT management. The double advantage here is that companies may always access files their employees have encrypted using their corporate IDs and that it's easy to "block out" former employees by removing their corporate IDs.

To round out its solution, nCrypted Cloud offers two additional services that heavily rely on the basic package. One is called Share Securely and was designed to "take the hassle" out of sharing encrypted documents: all a user has to do is to pick a folder that he or she wants to share with colleagues and/or collaborators. nCrypted Cloud then generates a unique symmetric key for this folder, which is stored on both nCrypted Cloud's servers and in the user's local key store. If a file is placed in this folder, nCrypted Cloud generates a unique password that serves as the basis for file encryption; the file password is then encrypted with both a user's URK and the ORK. The encrypted passwords and symmetric folder key ID are stored in the comment area of the resulting ZIP file. To share the information, all a user has to do is invite potential partners. Once the invitation is accepted, nCrypted Cloud automatically checks whether the invitee has the right to access the folder key and distributes it to this user.

The second service is called Infinite Mail and works as an add-on in Microsoft Outlook and Mac Mail that helps admins enforce corporate email policies. Infinite Mail replaces file attachments of any size with secure links that may only be opened by the intended recipients. Sharing features include access controls, password protection, watermarking, and share expiration by automatic timeout. A real-time audit trail of all data activity is available, plus read-receipt notifications every time data is accessed or modified. Revoking access is possible within seconds after hitting the Send button. What's more, Infinite Mail also supports any kind of CI guidelines in contexts where "branding" email with company logos or specific layouts is a mandatory policy.
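The following added example, which is not nCrypted Cloud's code, shows the per-file password derivation and the key record that the Security Layers and Share Securely descriptions above place in the ZIP comment area, and audits an archive for the URK and ORK entries. The JSON record layout, the PBKDF2 parameters and the names derive_file_password, build_comment, audit_archive and make_sample are assumptions; the wrapped passwords are constructed placeholder bytes, not real ciphertexts.

```python
import base64, hashlib, io, json, os, zipfile

ITERATIONS = 200_000   # assumption: the article gives no PBKDF2 parameters
MAX_COMMENT = 65535    # ZIP format limit for the archive comment field

def derive_file_password(key_value: bytes, salt: bytes) -> str:
    """Per-file password: PBKDF2-HMAC-SHA256 over the key value plus a random salt."""
    raw = hashlib.pbkdf2_hmac("sha256", key_value, salt, ITERATIONS, dklen=32)
    return base64.urlsafe_b64encode(raw).decode("ascii")

def build_comment(wrapped: dict, folder_key_id=None) -> bytes:
    """Serialize wrapped passwords (recipient label -> ciphertext); hypothetical layout."""
    record = {"folder_key_id": folder_key_id,
              "wrapped": {k: base64.b64encode(v).decode("ascii") for k, v in wrapped.items()}}
    data = json.dumps(record, sort_keys=True).encode("utf-8")
    if len(data) > MAX_COMMENT:
        raise ValueError("key record does not fit in the ZIP comment field")
    return data

def audit_archive(blob: bytes, required=("URK", "ORK")) -> list:
    """Return findings for one archive; no key needed, the comment is stored in the clear."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not (info.flag_bits & 0x1):  # bit 0 of the general-purpose flags = encrypted
                findings.append(f"entry not encrypted: {info.filename}")
        try:
            record = json.loads(zf.comment.decode("utf-8"))
            recipients = set(record["wrapped"])
        except (ValueError, KeyError, TypeError):
            return findings + ["no key record in comment"]
    return findings + [f"no wrapped password for {r}" for r in required if r not in recipients]

def make_sample(wrapped) -> bytes:
    """Constructed sample: a plain (unencrypted) ZIP, optionally carrying a key record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "constructed sample data")
        if wrapped is not None:
            zf.comment = build_comment(wrapped, folder_key_id="folder-0001")
    return buf.getvalue()

if __name__ == "__main__":
    salt = os.urandom(16)  # fresh salt per file gives each file a distinct password
    print(derive_file_password(b"constructed key value", salt))
    print(audit_archive(make_sample({"URK": b"\x00" * 8})))
```

The sample archive is deliberately left unencrypted so that the first finding fires. The audit reads only the central directory and the comment, which is why it can run over a cloud folder without access to any key.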

nCrypted Cloud offers an interesting solution for professionals and companies aiming to add the proverbial extra bit of security to their cloud storage and file sharing/collaboration platforms. This is especially true if you or your IT department lack the skills and resources to implement a similar multi-layered system. Speaking of layers, nCrypted Cloud starts at the most basic level, by separating business- and mission-critical data from the encryption keys. That way, an attacker who grabs files from your Dropbox or Google Drive account won't be able to read them unless he can get his hands on the keys as well and decrypt the passwords and files. But even so, the decryption process may well turn into an ordeal, as each file is protected with a single, unique password, which means the process has to be repeated over and over again to find specific information. Moreover, the AES-256 algorithm used for file encryption is currently considered unbreakable for attackers who work with today's standard hardware and techniques. It also looks like nCrypted Cloud has solved other crucial problems, namely privacy and file sharing issues that used to look tricky to overcome. That's more than you would usually expect from a solution that costs only $10 per user per month.

However, there are two small caveats. Number one is that nCrypted Cloud only supports US-based cloud storage services, which basically precludes usage if you want to or must comply with European, particularly German, data protection standards. The other is that it's hard to assess just how secure the URKs and ORKs generated by nCrypted Cloud are and how safely they are stored if you keep a copy on the company's servers. Besides, law enforcement and intelligence agencies may always simply use a warrant to get access to these keys, which would render the entire encryption mechanism compromised.

For more details, please see the background articles at GigaOM and TechCrunch.

