Does your cloud storage provider hold the keys to your data?

April 10, 2012, 6:20 AM PDT
Takeaway: Patrick Lambert looks at some recent cloud data breaches and our approach to safeguarding data that is trusted to cloud providers. Take the poll about what data, if any, you trust to the cloud.
It’s interesting how sometimes, when a new technology is introduced, some of the most basic mistakes, things that we solved years ago, seem to resurface from simple omissions. Best practices put in place for the old ways of doing things suddenly go out the window as soon as a new solution comes in. What would you say if your boss came to you and said that using disk encryption, or account logins, was eating too much of the company budget, and because the building your company resides in has doors and locks, clearly there was no need to add any kind of additional data protection? I think it’s clear any IT pro would laugh at such a ridiculous practice. Yet now that data is moving to the cloud, a lot of people and companies are doing exactly that, trusting their landlord with the key to their data, because after all, they are respected companies, and they said they locked the door before leaving the office!
This issue first came out in the wider news media last summer, when DropBox apparently made a mistake and left every single account fully open for all to access. This ended up being a wake-up call for many people, both individuals and businesses, who used DropBox and other similar services. That event spurred more research and more problems started surfacing. For example, people found out that the DropBox authentication system itself was insecure by design, since it was based on a single, portable file that, once stolen, would give anyone backdoor access to your account. So people learned, or at least we hope they did. Either they stopped using the service, moved to an alternative, started encrypting their own files, or dropped cloud storage altogether. But this wasn’t a problem with this single service; it was an issue with cloud storage, and indeed any data stored on remote servers.
Fast forward to 2012, and again, an article from last month made the rounds when Ars Technica investigated how Apple secures the data that users upload to its iCloud service. For anyone with a security background, the results were not surprising. The company disclosed very little of what it actually did to secure our data, other than the fact that they are probably encrypting it, and they have the key to decrypt it if needed. The subject surfaced again recently when this “revelation” was coupled with an investigation of the iCloud Terms of Service, which says Apple can decrypt your data and give it to someone else in the case of a law enforcement action, but it also claims to have the right to do so for simple copyright infringement.
But the problem isn’t DropBox or iCloud. It’s what people expect from these companies and these services. It doesn’t matter if your data is held by Amazon’s EC2, Microsoft’s SkyDrive, Apple’s iCloud, or any other third party. Sending unencrypted data their way and relying on them to keep it safe is the same as allowing all your local files to be fully open, with no security, hoping that the locked doors to your office are sufficient. The problem is that people aren’t following best practices, and should really know better. In no uncertain terms, if you have confidential business files on a third-party server, and you did not encrypt them yourself before they went off to the cloud, you’re doing it wrong. Anyone who relies on a third-party cloud provider to secure their data risks getting in trouble at some point.
It’s not even so much the fault of the cloud provider. Let’s remember that those services are often provided for free or very low cost, and you are just one out of many people using the same shared service, making it a juicy target for hackers. Plus, there’s the whole issue of secret spying by the NSA and other law enforcement agencies, and soon Hollywood wanting full access to everyone’s data, if they ever get their way. The point is that encryption done by the cloud provider, who holds the keys, is meaningless. Ask yourself this: Are you confident enough in your own procedures that you would be willing to take all your data currently in the cloud, regardless of whether it’s on Google’s servers, Microsoft’s servers, or anywhere else, and place it in a public location for all to see? If not, then you need to change those policies.
There are things that are truly out of our control. If your bank loses your personal information, or if an unscrupulous merchant decides to steal the company credit card, there’s not much you can do. But cloud data is one area we have control over. Maybe you don’t care about saving your latest photos to iCloud, or sending off an email through Gmail, but if that photo has a confidential prototype on it, or that email has confidential work data, then please, use strong encryption before deciding to store it in the cloud.
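To make "encrypt them yourself before they went off to the cloud" concrete, here is an added example (not part of the original article) that seals a file with a key derived from a passphrase only you hold, so the provider stores nothing but ciphertext. It assumes the third-party Python `cryptography` package; the function names, passphrase and file name are illustrative.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SALT_LEN, NONCE_LEN = 16, 12  # illustrative layout: salt || nonce || ciphertext+tag


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt stretches the passphrase into a 256-bit key that never leaves this machine.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def encrypt_for_upload(plaintext: bytes, passphrase: str, object_name: str) -> bytes:
    """Return the only bytes the provider ever stores."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = _derive_key(passphrase, salt)
    # The object name is authenticated (not encrypted), so a blob cannot be
    # silently swapped for one stored under a different name.
    sealed = AESGCM(key).encrypt(nonce, plaintext, object_name.encode())
    return salt + nonce + sealed


def decrypt_after_download(blob: bytes, passphrase: str, object_name: str) -> bytes:
    """Raise InvalidTag if the passphrase, the name, or any stored byte is wrong."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    sealed = blob[SALT_LEN + NONCE_LEN:]
    key = _derive_key(passphrase, salt)
    return AESGCM(key).decrypt(nonce, sealed, object_name.encode())


def provider_can_read(blob: bytes, guess: str, object_name: str) -> bool:
    # What a party holding only the stored blob can do: guess a passphrase and see.
    try:
        decrypt_after_download(blob, guess, object_name)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    doc = b"CONFIDENTIAL: prototype drawing rev 3 (constructed sample data)"
    secret = "correct horse battery staple"  # constructed passphrase
    blob = encrypt_for_upload(doc, secret, "prototype.png")
    print("plaintext visible in upload:", doc in blob)
    print("owner decrypts:", decrypt_after_download(blob, secret, "prototype.png") == doc)
    print("guess without key works:", provider_can_read(blob, "guess", "prototype.png"))
```

Losing the passphrase means losing the data, since nobody else holds a copy of the key.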
Answer the poll questions below and feel free to explain your personal or organizational best practices for deciding what, if anything, is stored in the cloud — and whether you use additional data encryption.