How secure is your data when you put them on the cloud?
You got to hand it to cloud computing because it gives you everything you need. From networking, storage, to compute resources, you name it – there is probably a cloud service provider that offers it.
One of the most popular cloud computing services right now is cloud storage. More and more companies are using cloud storage services for their files and data. Even regular people are using services such as Google Drive, iCloud, and Dropbox to host their personal files.
But is it safe?
The concern about cloud storage security is not a unique one. In fact, according to Bitglass, nine out of 10 IT security practitioners and IT professionals are concerned about both the compliance impact and security of the public cloud. Also, around 41 per cent of the survey respondents were particularly concerned about data loss and leakage.
Encryption keys in cloud computing
Cloud storage services usually use encryption to protect your files. This is where they are similar.
Where they differ is where the keys that would decrypt your files are kept. And this makes a world of difference.
Encryption keys may be stored by the individual user or on the service itself. A lot of cloud computing storage services keep the keys on their end. This means that much of the encryption and decryption happens on their end. Their systems are able to access your data so that it could process it. The key is also accessed when you log in with your password, allowing you to see your files.
This is much more convenient and processing is faster. But this might be less secure. Think of it this way: Would you entrust the keys to your house to another person? If your car keys are with another person, there is a good chance that the other person might be taking joyrides without your knowledge. Or worse, they might misplace your keys.
But you are putting your files in a trusted service that knows how to authenticate, encrypt, and secure your files, right? Well, you still cannot be too sure.
Case in point, Dropbox.
Dropbox has had a lot of security lapses that put their commitment to data security in doubt. In 2011, the cloud storage service was accused of having weak security by design. TechCrunch also reported that for four hours in June 2011, people were able to get into all Dropbox accounts without needing a password.
From then on, the service has been plagued with various problems, including e-mail spam, disabled links, even a password leak in 2016 and accidental data restoration in 2017.
What this illustrates is that you simply cannot trust third party services with encryption keys that decrypt your sensitive data.
When users control the keys in cloud computing
While letting the service keep the encryption keys make sense because of convenience, it may not be so sound from a security standpoint.
If you really want to make sure that your data is safe, then you simply must keep the keys. Thankfully, there are cloud computing storage services that allow you to do just that.
SpiderOak, Mega, and similar cloud services require you to download their applications. You use their applications to download and upload files. These apps would handle the encryption.
As you load your files onto the application, it will encrypt these before sending it to the cloud. When you need to access your files, you would need to download it. When you do download it, the file is still encrypted and will only be decrypted on your machine.
There are quite a few tradeoffs, though. Services like these might be more secure, but you would need to sacrifice on functionality and features. For instance, you cannot search for your files while it is still on the cloud. Plus, if you ever forget your password, then there is no way for you to retrieve your data.
Another caveat is that these services are not perfect. There might be instances when “man in the middle” attacks happen when the application itself is compromised. This means that a hacker might be able to access your data before it gets encrypted for uploading.
What you could do
As it is, there are pros and cons to every type of cloud computing storage service that is available today. One type of service, the one which keep encryption keys with them, are very convenient to use and can offer you a full range of features. But these services might not be secure because of a variety of reasons. If they have lapses in their own security or if they get hacked into, then your data would also be compromised.
What’s more, insiders at these storage providers might be able to access and modify your data. You are not even sure if the data and files that you put on the cloud have been deleted when you asked for it to be deleted.
A more secure way is to use cloud computing storage services that allow you to keep the keys. This would have additional steps, such as downloading an application for the file transfer. The application will be responsible for encrypting and decrypting your files. While this is much more secure, there are several limitations to this as well.
So what is the best solution?
Combine these two together! If you do not want to forego on the convenience and search capability that is offered by cloud storage services that keep the encryption key with them, then you might want to encrypt the files first before you send it to the cloud. This way, even if there are problems and your data gets stolen, it would be worthless. These are pretty much affordable and easy to do. There are encryption programs available that can encrypt your files for free.
However, this might mean that you may not be able to use a cloud computing storage service’s features, such as being able to edit your files online while collaborating with another person. But if it is really something very important, sensitive, and confidential, it would be better to just give the other person your encryption key so that they could edit the file.
Photo courtesy of FutUndBeidl (Flickr).