Does your cloud storage provider hold the keys to your data?

Patrick Lambert looks at some recent cloud data breaches and our approach to safeguarding data that is trusted to cloud providers. Take the poll about what data, if any, you trust to the cloud.

It's interesting how sometimes, when a new technology is introduced, some of the most basic mistakes, things that we solved years ago, seem to resurface from simple omissions. Best practices put in place for the old ways of doing things suddenly go out the window as soon as a new solution comes in. What would you say if your boss came to you and told you that using disk encryption, or account logins, was eating too much of the company budget, and because the building your company resides in has doors and locks, clearly there was no need to add any kind of additional data protection? I think it's clear any IT pro would laugh at such a ridiculous practice. Yet now that data is moving to the cloud, a lot of people and companies are doing exactly that, trusting their landlord with the key to their data, because after all, they are respected companies, and they said they locked the door before leaving the office!

This issue first came out in the wider news media last summer, when DropBox apparently made a mistake and left every single account fully open for all to access. This ended up being a wake-up call for many people, both individuals and businesses, who used DropBox and other similar services. That event spurred more research and more problems started surfacing. For example, people found out that the DropBox authentication system itself was insecure by design, since it was based on a single, portable file that, once stolen, would give anyone backdoor access to your account. So people learned, or at least we hope they did. Either they stopped using the service, moved to an alternative, started encrypting their own files, or dropped cloud storage altogether. But this wasn't a problem with this single service; it was an issue with cloud storage, and indeed any data stored on remote servers.

Fast forward to 2012, and again, an article from last month made the rounds when Ars Technica investigated how Apple secures the data that users upload to its iCloud service. For anyone with a security background, the results were not surprising. The company disclosed very little of what it actually did to secure our data, other than the fact that they are probably encrypting it, and they have the key to decrypt it if needed. The subject surfaced again recently when this "revelation" was coupled with an investigation of the iCloud Terms of Service, which says Apple can decrypt your data and give it to someone else in the case of a law enforcement action, but it also claims to have the right to do so for simple copyright infringement.

But the problem isn't DropBox or iCloud. It's what people expect from these companies and these services. It doesn't matter if your data is held by Amazon's EC2, Microsoft's SkyDrive, Apple's iCloud, or any other third party. Sending unencrypted data their way and relying on them to keep it safe is the same as allowing all your local files to be fully open, with no security, hoping that the locked doors to your office are sufficient. The problem is that people aren't following best practices, and should really know better. In no uncertain terms, if you have confidential business files on a third-party server, and you did not encrypt them yourself before they went off to the cloud, you're doing it wrong. Anyone who relies on a third-party cloud provider to secure their data risks getting in trouble at some point.

It's not even so much the fault of the cloud provider. Let's remember that those services are often provided for free or at very low cost, and you are just one out of many people using the same shared service, making it a juicy target for hackers. Plus, there's the whole issue of secret spying by the NSA and other law enforcement agencies, and soon Hollywood wanting full access to everyone's data, if they ever get their way. The point is that encryption applied by the cloud provider, who also holds the key, is meaningless. Ask yourself this: Are you confident enough in your own procedures that you would be willing to take all your data currently in the cloud, regardless of whether it's on Google's servers, Microsoft's servers, or anywhere else, and place it in a public location for all to see? If not, then you need to change those policies.

There are things that are truly out of our control. If your bank loses your personal information, or if an unscrupulous merchant decides to steal the company credit card, there's not much you can do. But cloud data is one area we have control over. Maybe you don't care about saving your latest photos to iCloud, or sending off an email through Gmail, but if that photo has a confidential prototype on it, or that email has confidential work data, then please, use strong encryption before deciding to store it in the cloud.
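
The practice recommended above, encrypting a file yourself before it reaches the provider, shown as an added example that is not part of the original article. It uses Node.js's built-in crypto module (scrypt and AES-256-GCM); the function names, the CSE1 blob layout, the passphrase and the sample file are all constructed for illustration.

```javascript
// Added example, not from the article: encrypt on the client so the storage
// provider only ever receives ciphertext. Blob layout and names are constructed.
const crypto = require('crypto');

const MAGIC = Buffer.from('CSE1'); // hypothetical format tag
const kdf = (pass, salt) => crypto.scryptSync(pass, salt, 32, { N: 16384, r: 8, p: 1 });

// Additional authenticated data: header plus the object name, so the provider
// cannot silently serve one stored blob under another name.
const aad = (header, name) => Buffer.concat([header, Buffer.from(name, 'utf8')]);

function seal(plaintext, passphrase, objectName) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh per blob; never reuse with a key
  const header = Buffer.concat([MAGIC, salt, iv]);
  const cipher = crypto.createCipheriv('aes-256-gcm', kdf(passphrase, salt), iv);
  cipher.setAAD(aad(header, objectName));
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([header, cipher.getAuthTag(), body]); // upload this
}

function unseal(blob, passphrase, objectName) {
  if (blob.length < 48 || !blob.subarray(0, 4).equals(MAGIC)) throw new Error('not a sealed blob');
  const header = blob.subarray(0, 32);
  const salt = header.subarray(4, 20);
  const iv = header.subarray(20, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', kdf(passphrase, salt), iv);
  decipher.setAAD(aad(header, objectName));
  decipher.setAuthTag(blob.subarray(32, 48));
  // final() throws if the key, the name, or any byte of the blob is wrong
  return Buffer.concat([decipher.update(blob.subarray(48)), decipher.final()]);
}

function tryOpen(blob, passphrase, objectName) {
  try { return unseal(blob, passphrase, objectName); } catch { return null; }
}

// Constructed sample data
const secret = Buffer.from('Q3 prototype pricing: CONFIDENTIAL');
const PASS = 'correct horse battery staple';
const blob = seal(secret, PASS, 'docs/pricing.txt');
const tampered = Buffer.from(blob);
tampered[tampered.length - 1] ^= 1; // flip one bit, as a modified stored copy

console.log('provider sees plaintext:', blob.includes(secret.subarray(0, 8)));
console.log('owner decrypts:', tryOpen(blob, PASS, 'docs/pricing.txt')?.toString());
console.log('wrong passphrase:', tryOpen(blob, 'guess', 'docs/pricing.txt'));
console.log('tampered blob:', tryOpen(tampered, PASS, 'docs/pricing.txt'));
console.log('served under other name:', tryOpen(blob, PASS, 'docs/other.txt'));
```

The passphrase and derived key stay on the client; losing the passphrase means losing the data, so it needs its own backup.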

Answer the poll questions below and feel free to explain your personal or organizational best practices for deciding what, if anything, is stored in the cloud -- and whether you use additional data encryption.


Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

HAL 9000

If this one is your only issue with Cloud Providers, that makes your life so simple that you have very little to worry about. With all cloud providers you have to first find out where their servers are located and what Local Country Laws apply. There is still very much the real possibility that something you store in the Cloud may breach that Country's Laws, which leaves you likely to be extradited to that country for breaching their laws even though you have done nothing wrong in the country where you live. I recently saw a case of this where a Specialist holding Medical Photos for a Paper he was writing was accused of Child Abuse because he had naked photos of children. Didn't matter that these were Premature Babies in Humidicribs, where they do not have clothes on; these were naked photos of babies, so he had to be abusing them. Actually as the Medical Profession are the "Caring Profession" it was probably justified but for different reasons, however much it was a joke to begin with, as the paper was on "Extremely" Premature Babies and how to keep them alive. That is just one instance and I'm willing to bet that the servers that the Medical Journal that this was to be published by would be just as guilty as they have a Cloud Service hosting their Electronic Publication for the Medical Profession and others to view at their convenience. The above doesn't even get to the stage of Data Ownership and openly shows how someone who doesn't know what they are looking at can jump to the wrong conclusions and cause no end of problems that simply are not warranted. There were not even any "Personal" photos involved in that case, just the Medical Photos and text of the Draft unfinished article.
A professional can just about be safe with things like this but even that caused a ruckus that was difficult to deal with; if it was a Domestic user they wouldn't stand a chance and would end up attempting to defend themselves in a foreign country, not knowing the laws or having the support network to properly defend themselves. Even if they were found "Not Guilty" they would still have a horrendous Legal Bill and need to find a way home afterwards. Col


This was a nice eye-opener for me. Being from IT, the value of data is much higher for me, and if it's personal data, like a lifelong collection of pics and other digital things, that can be sensitive too. I had long back planned to upload my data for safekeeping, not relying too much on an External Backup Drive. But reading all this makes me shiver, and I feel keeping personal data safe in your own locked door is safer than keeping it safe in any other person's locked door!
