Cloud file storage is one of the wonders of the modern world.

By storing your files in a cloud-based datacenter, you have access to them anytime and anywhere, as long as you have an internet connection. And letting someone else run that datacenter means you don’t have to worry about the cost or complexity of running your own file servers with remote access.

But putting your files in the cloud also means putting your trust in a cloud provider.

The downside of cloud storage is that it represents yet another way for outsiders to attack your organization’s intellectual assets. If you manage those assets for a law firm, a government contractor, or a company in an industry that’s highly regulated (such as healthcare or financial services), you have every right to be worried about cloud file storage.

End-to-end encryption protects you from bad guys who might try to intercept files in transit. But those files can be at significant risk when they’re sitting in the cloud. Those “at rest” files are vulnerable to theft by a rogue employee, someone working on behalf of foreign governments, or unscrupulous competitors. They’re also at risk if someone shows up at the cloud provider’s office with a subpoena.

The solution is “zero-knowledge” encryption, where you (and only you) hold the encryption keys. In that configuration, the cloud provider (or someone who succeeds in breaking into its servers) sees only encrypted files, with no way to decrypt them.

I’ve found two services that keep your cloud-based files safe by giving you complete control over the encryption keys. And if you’re not willing to change cloud providers, there’s a third option: encryption software that runs locally and works with any cloud provider.


Tresorit

Tresorit is based in Switzerland, where data protection laws are among the strictest in the world, mirroring the country’s legendary private banking infrastructure. In addition to client-side encryption, using apps for every desktop and mobile platform, Tresorit uses Microsoft’s Rights Management Service to add an extra layer of control over files that are shared. This prevents an unauthorized person from gaining access to a shared file even if they obtain the link to that file, accidentally or maliciously.

Tresorit has three paid tiers, starting at $12.50 per user per month. (A free tier, restricted to 3 GB of storage and lacking some features, is available if you sign up for a trial subscription and then cancel it.) The business option has a five-user minimum that includes 1,000 GB of file storage for $20 per user per month.


SpiderOak

SpiderOak, a US-based company with datacenters worldwide, has been a pioneer in zero-knowledge privacy for a decade. In addition to having apps for all major desktop platforms, it recently introduced a new collaboration tool called Semaphor that allows team members to securely share files and private messages. The company also offers encrypted cloud backup services and a secure password management tool, and it has Enterprise offerings (hosted or on-premises) that can be integrated with Active Directory.

Pricing for SpiderOak services starts at $7 a month, with a terabyte of storage costing $12 per user per month. The Enterprise Hosted version has a 100-user minimum and costs $5 per user per month.

SecureDoc CloudSync

What if you don’t want to switch cloud storage providers? Or what if your organization uses a mix of commercial services and you don’t want to disrupt their workflow? One excellent solution is WinMagic’s SecureDoc CloudSync, an application that runs on your network and enforces file encryption locally, through policy. Only encrypted files ever make it to the cloud. As an administrator, you can encrypt entire cloud folders or select only those containing important data.

SecureDoc CloudSync runs as a server on your local network and is licensed on a per-user basis, so you’ll need to get a custom quote to determine pricing for your organization.

Just don’t lose those keys…

Whichever solution you choose, remember that retaining control over encryption keys shifts the burden of maintaining those keys to you. With most cloud storage services, the provider can help you recover data if you lose the encryption keys. In the scenarios described here, a lost key means your data is gone forever.
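
The zero-knowledge arrangement and the lost-key warning above, shown as an added example that is not code from the original article or from any vendor it names. Assumptions: the function names, the passphrase-derived key, and the HMAC-SHA256 counter-mode keystream, which is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, os

def derive_keys(passphrase, salt):
    # scrypt stretches the passphrase into 64 bytes: encryption key + MAC key.
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]

def keystream(key, nonce, length):
    # Stand-in cipher (assumption): HMAC-SHA256 run in counter mode.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_for_upload(passphrase, plaintext):
    salt, nonce = os.urandom(16), os.urandom(16)   # fresh per file
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = salt + nonce + xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC: the tag covers salt, nonce and ciphertext.
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def decrypt_after_download(passphrase, blob):
    if len(blob) < 64:
        raise ValueError("blob too short")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Without the right passphrase there is nothing the provider can recover.
        raise ValueError("wrong passphrase or modified file")
    return xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))

# Constructed sample data; the dict stands in for the provider's storage.
DOCUMENT = b"CONSTRUCTED SAMPLE: draft merger agreement, privileged"
PASSPHRASE = "constructed-example-passphrase"
provider_store = {"agreement.enc": encrypt_for_upload(PASSPHRASE, DOCUMENT)}

if __name__ == "__main__":
    blob = provider_store["agreement.enc"]
    print("provider sees plaintext:", DOCUMENT in blob)
    print("owner recovers file:", decrypt_after_download(PASSPHRASE, blob) == DOCUMENT)
```

The provider-side blob holds only salt, nonce, ciphertext and tag, so decryption depends entirely on a secret that never leaves the client.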