I am starting to get security paranoia. I want to take steps to ensure my privacy even when I'm enjoying the convenience of using Google Docs to store documents and collaborate with others via the cloud. What can I do to protect them?
What if an attorney, who has a duty to preserve customer confidentiality, wants to be guaranteed a cloud-based document cannot be read? What if an accountant must protect company accounts from the cloud company storing it? What if a clinician wants to store patient data in the cloud, but doesn't want to fall foul of HIPAA?
None of these people want their document scanned by a targeted advertising robot, forwarded by a disgruntled employee, or analyzed by a governing authority. They can protect the document by encrypting its contents.
Impartio, a Dublin-based startup security company, is a supplier of a Google Docs extra. Impartio want to give TAiLS to everyone. TAiLS is an Impartio acronym standing for Transparent Application Layer Security.
- The Transparent bit of TAiLS means the end-user doesn't notice it. The effort to use it is zero (or at least minimal).
- The Application Layer is the end-user part of the Internet protocol suite (it has four layers in total). Impartio products work with applications, rather than the lower data networking layers
- Security is IT realm security -- protecting a user's data.
Impartio's first product is a security add-on for encrypting documents, called CipherDocs. It's a document encryption technology for securing documents that are stored in the cloud. At the moment, there is only one available version: a Firefox plug-in that encrypts everything being sent to Google Docs, and decrypts everything coming back.
How it works
The security add-on works like this. The Google Docs user opens Google Docs in the Firefox web browser and works on his documents as normal. Behind the scenes, the text is passed through the security add-on before heading off to Google. A symmetric key cipher (we're back in the world of security jargon now) reads in the plain text and a secret key and writes out encrypted text. This is what gets stored on Google's servers.
The symmetric key cipher is AES-256, good enough for the U.S. government to use on their classified documents.
- The symmetric part of "symmetric key cipher" means it can both encrypt and decrypt text, unlike a "public key" cipher and a "cryptographic hash" function.
- The key part means this cipher can use a secret key to make the encrypted text hard to crack (Usenet's "ROT13" cipher didn't use a key, but then it wasn't very good at protecting anything). Everyone who wants to work on the text must share this secret key.
How the encryption works. Click to enlarge. (Image courtesy of Feltipen.)
When a document owner opens a protected file stored in Google Docs, this process happens in reverse. The encrypted text and the secret key are automatically fed into the cipher, plain text comes out and the document appears in the web browser. All without the user having to do anything special.
There is one small action required when collaborating on a document with others. Everyone who works on the document needs a copy of the secret key. Keys are exchanged using Impartio's KeyHub service.
What's next for Impartio?
Impartio will create an Office 365 version of their plugin. Apparently Google Docs and Office 365 are similar when you get under the hood.
After that, maybe they will start offering encryption for Facebook wall or Twitter streams. Nothing says "in-crowd" like a garbled status that only your friends can read.
Nick Hardiman builds and maintains the infrastructure required to run Internet services. Nick deals with the lower layers of the Internet - the machines, networks, operating systems, and applications. Nick's job stops there, and he hands over to the designers and developers who build the top layer that customers use.