Dropbox, Box.net, Skydrive, Amazon Cloud Drive, SugarSync, Google Docs – there’s a seemingly never ending list of cloud storage providers these days. How secure is your data when stored using one of these services though? Do you know your AES from your SSL? There are a number of potential security weaknesses – physical data security from viruses or hardware failure, hackers, government agencies and even dishonest service provider staff. So what can you do to protect yourself and your data?
Protecting Against Prying Eyes
Firstly, your password should be to a very high standard – at least 8 characters long, with a mixture of upper and lower case letters, numbers and symbols. Secondly, secure your environment – your PC, network and internet connection. Make sure to use a firewall and up-to-date anti-virus software. You should also consider not storing your password – manually log into your cloud storage account each time you want to use it.
The next thing to consider is which security standards and procedures your chosen provider uses. There are three standards, and almost all providers will use one or more of these to protect your data from prying eyes:
- Transport Layer Security (TLS): this is the industry standard for web communications and most high profile providers will use TLS encryption. It works by engaging in a ‘handshake’ to verify the server and then encrypting data before it is sent from your PC to the server, to prevent eavesdropping and tampering.
- Secure Sockets Layer (SSL): this is the predecessor to TLS and is also an encryption method used to safely transmit data online. SSL is considered a safe and secure method, but from a security standpoint, TLS is preferred.
- Advanced Encryption Standard (AES): this is the standard encryption method used by the U.S. government. While TLS and SSL are used to encrypt data while it’s being transferred, AES is used for data at rest, that is, while it’s being stored on a data server. With this method, a single electronic key is used to both encrypt data as it enters a server and decrypt it as it leaves. An AES key can contain 128, 192 or 256 bits; 256 bits is preferred, as it provides increased security.
What this means to you is that a provider that protects your data during transport using something like TLS, and in storage using something like AES, is giving you the optimum commercially available storage security.
So assuming your data is protected from “hackers”, how safe is your data from the service providers’ employees? They have access to the data by virtue of the fact that they created the environment and they have access to everything. The answer to this boils down to asking “who holds the key?”…
As mentioned above, when the files are stored they are encrypted. Encrypted files can only be decrypted using a key. Very often the provider has this key and they use the same key for all their data. They will make some promises that ensure that their employees don’t have access to this key and cannot see customers’ data, but there can be some contention around this. There was an incident last year where Dropbox was accused of allowing employees to access customer data (http://www.wired.com/threatlevel/2011/05/dropbox-ftc/). This boils down to reading the small print and finding out for yourself which provider you trust most.
There is, however, another option for how your encrypted data is accessed. Policy-based key management is where you can hold the key yourself or the key is managed by a separate provider. This ensures that you and only you can decrypt your data. The cloud storage provider’s employees don’t have your key and cannot see your data. Providers such as LockCube allow this.
The same applies to how secure your data is from governments. If a government wants access to your data, they will ask the provider for it. If the provider doesn’t have your key, they can’t decrypt it. They can of course get the encrypted data and try to access it by hacking AES, but this is no small task and it would take some time and money to do.
There is a lot of talk about the “Patriot Act” and how it allows the US government to access any data stored in US data centres. The truth is most governments have the same laws, and if you have your own key, the data the government gets from the provider is encrypted. The question is, how important is that data to the government and how much time and effort will they spend to decrypt it?
Protecting Against Data Loss
Most cloud storage providers don’t have a default backup of your data; they don’t store two copies of your data in separate locations. The data you store online is your backup. The two copies are one on your PC and one in the cloud. The security is in trusting that the likelihood of both your PC and the provider’s servers suffering catastrophic failure at the same time is minimal.
Some services such as SkyDrive allow you to synchronise your data across multiple devices, one of which is cloud storage. With your data spread across multiple devices and in the cloud, the chances of all the devices and the cloud dying at the same time can effectively be discounted.
To be sure, you should have an offsite local backup (for example an external hard drive that is used to regularly back up your data and is then securely stored in another location – your home, etc.), and at least one cloud and/or cloud synchronised backup service. Remember to test your backups every once in a while to ensure they can be successfully decrypted and restored!
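Two points from this article, holding the key yourself and testing that a backup still decrypts and restores, shown together as an added example (Node.js, not code from the original article or from any provider). The function names, the passphrase and the blob layout are assumptions made for this illustration.

```javascript
// Added example: client-side AES-256-GCM, so the storage provider never holds the key.
const crypto = require('crypto');

// Derive a 256-bit key from a passphrase only you know; the salt travels with the blob.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Encrypt before upload. Blob layout (an assumption of this example):
// salt(16) | iv(12) | tag(16) | ciphertext
function encryptForUpload(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Decrypt after download. Throws if the passphrase is wrong or the blob was altered.
function decryptAfterDownload(blob, passphrase) {
  if (blob.length < 44) throw new Error('blob too short');
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
}

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Backup test: restore the blob and compare against the digest recorded at backup time.
function verifyRestore(blob, passphrase, expectedDigest) {
  try {
    return sha256(decryptAfterDownload(blob, passphrase)) === expectedDigest;
  } catch (err) {
    return false; // wrong key, truncated or tampered backup
  }
}

// Constructed sample data standing in for a real file.
const original = Buffer.from('constructed sample: household accounts 2012\n');
const digest = sha256(original);
const blob = encryptForUpload(original, 'correct horse battery staple');
console.log('restore ok:', verifyRestore(blob, 'correct horse battery staple', digest));
```

Only `blob` is uploaded; the passphrase and the recorded digest stay with you, so a restore test fails if the backup was corrupted or the key was lost.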
In conclusion, there are many considerations when choosing cloud storage providers. For example, how fast can you restore your data in the event you have a data loss on your PC? Security is just one aspect of this topic. In reality most data is not worth the trouble to go into this level of detail on security considerations. A trusted provider and synchronising across multiple devices will be all that the majority of users will need.