0

I want to know if someone working at these companies has access to the files people upload to the cloud. In other words, do these companies encrypt the files in the cloud?

techraf
  • 9,141
  • 11
  • 44
  • 62
MOON
  • 117
  • 1
  • 3
  • 6
    Unless you encrypt before uploading and keep your keys private, you have to **assume** someone has access. Whether someone actually has access is a question that cannot be answered. – techraf Jun 25 '16 at 15:01

3 Answers3

4

Yes, they can read the information that you upload. There's at least one case which was publicised of this happening. https://techcrunch.com/2010/09/14/google-engineer-spying-fired/

As Woj says, if you're worried about this, you should encrypt the files yourself.

Adam Shostack
  • 2,659
  • 1
  • 10
  • 12
1

I read the question as "Is there a technical way for at least one person at [provider] to read my data in Microsoft Azure or Google Cloud Platform?". In other words: is it technically possible.

No matter the answer any serious cloud provider will have a need-to-know approach and the amount of people allowed to access such data would be limited.

Microsoft Azure

The answer is YES. Currently all encryption keys are managed by Microsoft

Q: Who manages the encryption keys?

A: The keys are managed by Microsoft.

Q: Can I use my own encryption keys?

A: We are working on providing capabilities for customers to bring their own encryption keys.

Google Cloud Platform

The answer is NO - if you provide your own keys:

You can also choose to provide your own AES-256 key for server-side encryption. This key is known as a customer-supplied encryption key.

NOTE: this answer assumes that the service provider actually follow these statements, something you will never know until the information is somehow made public (if there is such information). In doubt encrypt your files yourself before sending them out to the cloud.

EDIT following @tlng05 comment: the answer is for enterprise cloud platforms. The consumer one, whether it is encrypted or not, does not allow for personal keys usage so the clear-text version of the files is technically available for someone at the providers'.

WoJ
  • 8,957
  • 2
  • 32
  • 51
  • 2
    Supplying your own key to google which is then sent to their server for server side encryption means google still has access to the encryption key and can therefore decrypt it. – ewanm89 Jun 25 '16 at 15:28
  • @ewanm89: this is the reason for my note. Google says that it encrypts then gets rid of the keys. Whether one believes it or not is another subject (and again, the reason for my note) – WoJ Jun 25 '16 at 15:30
  • 2
    @WoJ, even if that is true, it still does not mean some one can't get a hold of that key. The safest bet is still to encrypt the files yourself before uploading. – user2600798 Jun 25 '16 at 15:59
  • @user2600798: encrypting them yourself is the ultimate solution. It may be realistic or not. In my answer I assume that the provider has correctly implemented what they claim (so no "someone got hold of the key"). If they did not it is either because they are lying or because they are not competent. – WoJ Jun 25 '16 at 16:03
  • It seems like your answer refers to storage provided for cloud server infrastructure services (Google Compute Engine, Microsoft Azure, etc.) These are completely separate from the consumer-geared cloud storage services like Google Drive and OneDrive, which I interpreted the question as asking about. – tlng05 Jun 25 '16 at 16:17
  • @tlng05: that's a good point, I will update my answer. I was indeed looking at the enterprise aspect. I cannot tell for Google Drive vs. Google Cloud Platform but Microsoft was [moving](https://technet.microsoft.com/en-us/library/dn905447(v=office.15).aspx) its OneDrive for Business to Azure. The fact that they specifically point our the "for Business" part makes me think that the consumer one is still on the old stack. – WoJ Jun 25 '16 at 16:22
-1

According to this Wikipedia page, neither Google nor Microsoft perform zero-knowledge encryption by default. This means that at least some employees can conceivably access user-uploaded files. Whatever restrictions in place to protect privacy depend on the company's internal policies as well as their public privacy policy.

tlng05
  • 10,244
  • 1
  • 33
  • 36