Sync.com: Secure Cloud Storage Contender


*Updated 5/16/14 – Sync just announced a new Vault feature that allows you to keep some files in the cloud that you don’t want to sync down to devices.

Previously, I took a look at another promising secure cloud storage provider called Tresorit, currently my default, which you can read about here. Toronto-based Sync.com (currently in beta) looks to be going after the same market during a poignant time of concern over privacy and data security, ever more relevant as Dropbox just updated their TOS, so more users will be looking for a more secure offering. Due to the NSA’s ability to snoop data “on the wire” as well as within US datacenters, sadly, this is also a time where considering cloud storage providers outside of US soil is a good thing.

 

“Zero Knowledge” Architecture

Sync.com uses what they call a zero knowledge storage environment, meaning that they have no knowledge of, nor ability to access, the files you upload. Just like Tresorit, Sync.com provides a cloud encryption solution: neither solution encrypts your files on local disk, only the files sent up to and stored in the cloud, as they leave your PC.

There is a degree of trust one has to be willing to accept with these solutions, as we really have no way to definitively prove that what is stored in the cloud is actually encrypted. Nor are we privy to the security standards or mechanisms in place in these datacenters to keep our data secure. That said, Sync.com expresses interest on their website in making their client software open source, so greater transparency will come when that happens.

Sync.com does not provide a detailed white paper like Tresorit does, but they do describe their methods. Pretty straightforward stuff. Your Sync.com account password protects your private key (AES-256), and this key is used to encrypt a “file unlock key” for every file you upload to the cloud. File transfer and authentication happen via SSL. Authentication strings are SHA-256 (never in the clear) and stored in their database as a salted bcrypt-hashed string immune to rainbow table lookups. This is their claim; I can’t speak to the validity of this.

Looks like the packaging of private key-encrypted file unlock keys with each encrypted file is what enables Sync.com to provide access to your files via a web portal (unlike Tresorit). This is closer to the LastPass method which also provides a web portal for that offering. I created a quickie diagram that illustrates their method below.
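The key chain described in the two paragraphs above (password, private key, per-file unlock key, file), written out as an added example; it is not Sync.com's code and not part of the original post. The page names only AES-256, so the RSA-2048 key pair, OAEP wrapping, AES-256-GCM file encryption, PEM storage format and all function names here are assumptions.

```javascript
// Added illustration, not Sync.com code. Assumed primitives: RSA-2048 + OAEP
// for wrapping the file unlock key, AES-256-GCM for file contents.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Account setup on the client: the key pair is generated locally and the
// private key leaves the machine only in password-encrypted (AES-256) form.
function createAccount(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    wrappedPrivateKeyPem: privateKey.export({
      type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: password,
    }),
  };
}

// Upload: a fresh random "file unlock key" encrypts the file and is itself
// encrypted to the account key pair. The record is what gets stored remotely.
function encryptFile(account, plaintext) {
  const fileKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', fileKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    iv, ciphertext, tag: cipher.getAuthTag(),
    wrappedFileKey: crypto.publicEncrypt({ key: account.publicKeyPem, ...OAEP }, fileKey),
  };
}

// Web portal or second device: everything fetched is ciphertext, and only the
// password typed by the user unlocks the chain. A wrong password throws.
function decryptFile(account, record, password) {
  const privateKey = crypto.createPrivateKey({
    key: account.wrappedPrivateKeyPem, passphrase: password,
  });
  const fileKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, record.wrappedFileKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', fileKey, record.iv);
  decipher.setAuthTag(record.tag); // GCM also rejects tampered ciphertext
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
}
```

Because the wrapped file key travels with each encrypted file, any client that can obtain the password-protected private key, a browser included, can open the file without the provider ever holding a usable key.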

Just like Dropbox, Sync.com ultimately rides on the Amazon infrastructure but uses the Elastic Computing service (EC2) instead of S3, and keeps many local processes running at all times. The three most notable are the taskbar process, several dispatch instances and a watch master process. Interestingly, one of the dispatch processes keeps a persistent connection to a Network Solutions domain which also receives the majority of all bytes sent into the Sync.com cloud. All files added to any Sync.com folder locally get pushed up to this netfirms.com address first. It’s unclear to me what happens from there. Dropbox file uploads establish connections directly to AWS as well as Dropbox servers. Sync.com appears to be proxying all file uploads to an unknown location.

Keeping processes alive with persistent connections to the cloud definitely enables speedy syncs, up and down. Tresorit still uses the timed sync approach where at specified times its processes are spun up, connections to the cloud made, files synced, then connections and processes torn down. Not as speedy to sync, but there are no persistent connections.

 

Sync.com Client

User accounts are created via the download and install of the sync.com client. There is no way to log into the web portal until the client has been installed and an account created first. Just like Tresorit, Sync.com provides a 5GB free account, which is much larger than Dropbox’s 2GB. They don’t specifically mention a file size limit, so to test I uploaded a 600MB file then a 3.7GB file; they both went. This could be a byproduct of the beta, so it is uncertain if this will stick around, but if so, this could be very promising.

 

The basic functionality of Sync.com is exactly like that of Dropbox: one folder whose contents get synced up and down. Drop in files or folders and they get uploaded to the cloud and other Sync.com clients. The software client itself is very reminiscent of earlier versions of the Dropbox client.

They do provide a more mobile-friendly up/down limiter for those who presumably would run up against mobile data limits, although there is currently no mobile client. Curious that they would include this here in the desktop client.

The one key point of differentiation here is that in the client preferences they provide a progress tab showing any activity and estimated time remaining. Neither Dropbox nor Tresorit does this.

The right-click system tray menu is almost identical to Tresorit’s.

Web Portal

From a local PC capabilities perspective, that’s about it. All other functions, including sharing, happen from the web portal. Considering that Tresorit does not currently have a web portal, this is a pretty big deal.

The aesthetic and design of the web portal clearly took many cues from box.net, although the Sync.com team managed to make it much cleaner and more intuitive.

 

Navigation and file operation are fairly predictable along with the expected ability to upload files to the web portal directly. You don’t have to use the desktop client to create new files. At this time folders cannot be uploaded to the portal, but more than one file can be selected and added to the upload queue. Cool!

 

Box.net and Dropbox offer a nice online photo viewer, with Box’s offering head and shoulders ahead of the other two. Sync.com’s implementation follows pretty close to what Dropbox has in play.

 

Sharing

Something else that occurs via the web portal is sharing which can be done in a few different ways. The simplest method happens via Secure Links which enables the secure public sharing of single files or folders. This sharing method is probably best suited to blind read-only sharing amongst larger groups. First select the file or folder to create a public link for by clicking the chain icon next to a given item.

You’ll then receive a pop-up with the link URL, where you can choose whether to include the link password in the URL itself or keep it separate.

Other more precise ways to share content involve explicit sharing to people you specify.  Clicking the “Create a share” button will create a new folder and allow you to invite specific people via email addresses. The people invitation part is mandatory, no invited people = no share, but you can invite only yourself to test.

The third way to share is by clicking the plus sign next to any existing file or folder and enabling sharing directly.

The same sharing dialog will appear which, again, requires the entering of someone else's email address to create the share.

Once shares are created, they can be managed either from the top level sharing link or via the “Manage Share” dialog next to any shared item.

Sharing management is simple and provides almost everything you need: member status, permissions, the ability to re-invite or invite new members, as well as stop sharing. Permissions need to be a bit more robust here, ideally including read-only and editing levels.

 

Mobile Client

As of this writing there is no Sync.com mobile client, which will be a deal breaker to some, but this is obviously coming. Sync.com states in their blog that they will simul-release clients for both Android and iOS, but that was printed July of last year. The web portal does work on the mobile device, however, and even has a nice photo viewer functionality.

 

What Sync.com does well

  • Files synced to the cloud are encrypted in transit (SSL) and at rest in the Sync.com datacenter (AES-256).
  • Very large file limits or none at all (>550MB and 3.7GB verified on my free account, but this could and likely will change)
  • The ability to store, access and share encrypted files via a web portal is a big deal, no one else in the business can do this today!
  • Split-brain: Ability to host some files in the cloud only that don’t have to be sync’d down to clients.
  • Multi-client subfolder sync (Have to check since Box has struggled with this)
  • 5GB free accounts with 500MB referrals, no indication of limits
  • Robust and granular sharing options
  • Robust and well-known compute backend (Amazon EC2)
  • Persistent cloud connections and watcher processes = near instant file syncs
  • 30-day file history to restore deleted or previous file versions

Where Sync.com falls short

  • Amazon EC2 is a flexible compute service for web services, not a storage service like Amazon S3. Where is Sync.com actually storing our data? 
  • No mobile Android or iOS client yet, but they say this is coming soon in their blog.
  • No mobile client = no camera uploads
  • Web portal provides upload ability for multi-select individual files only, not entire folders like Box does.
  • Single bucket root folder like Dropbox. I like Tresorit’s approach of multiple root folders residing anywhere you like better. Sync the folders you like on the clients you like, save local space if you need to.   
  • No LAN sync like Dropbox but seems they have the framework to make this a reality at some point.
  • No MS Office mobile previews like Box.net but this too could be accomplished.

Watch this space!

The Sync.com team has clearly tried to preserve the best of what makes Dropbox great while incorporating some other useful features, the likes used by Box.net, while also providing data security in the cloud. The current climate of public technology will make this a requirement soon, no longer merely a luxury. This will leave the cloud storage pioneers (Dropbox) to retool and scramble as they figure out how to make their now very mature offerings more secure, if they hope to survive. There’s too much good competition appearing in this space with nothing really compelling that will keep people using a less secure service. Building this type of offering with security as a focus first is absolutely the right approach and one that will pay dividends for companies like Tresorit and Sync.com.

After a few days using Sync.com there’s really not much to dislike. There are a few key features I’d like to see before I consider (another) switch. Tresorit better hurry up with their web portal or they will be outdone here. Hopefully Sync.com will offer some of us beta testers a 50GB+ opportunity soon. :-)

Feel free to use my referral link if you want to check out Sync.com with some free bonus space: here.

References:

Sync.com Privacy

Sync.com Blog

2 comments:

  1. I liked your post very much because it gives me most of the information I was searching on the internet from many days of online cloud storage services.

  2. Still no mobile apps, but I love the web portal! Their website says that they intend to make it open source. SpiderOak promised this and have now done it. Wiki says data stored in USA. I like that they are Canadian. It was easy to change the location of shared folder on my PC. Just started testing but looks great! Great Post! Thanks!
