idcloak on Google+


More options
Proxy server settings:


The Cloud Online Storage Problem: Data Privacy and Security when Sharing

Descriptive Image

Over the years, Virtual Private Networks have moved from a primarily corporate function to widespread personal use. It is interesting to see the cloud online storage phenomenon evolving and diversifying in the same way. Now, cloud storage caters for a massively broad user base, with global corporations on one side, right down to individual smartphone users on the other. It's so versatile and cost-effective to have data stored remotely, accessible from any device anywhere, that there is barely any reason at all to use clumsy, breakable external hard drives anymore.

It's not just data storage that cloud is useful for, but data sharing too. Many users – be they corporate, small business or personal – use cloud file storage to make vast pools of data available to other users situated around the globe. With this incredible ease of distribution, however, comes data privacy and security risks. It is vital that you can trust the security of your cloud service where both data transfer and storage security are concerned. Obviously, when multiple users have access to the same private data from different locations and devices, the attack surface area increases massively, and there is much greater vulnerability for theft or loss of some kind. This makes security one of the main challenges that cloud storage companies are still grappling with.

Each of the cloud online storage providers has its own policies and technologies where data privacy and security is concerned. All offer 128 or 256 bit encryption, generally accessible by a user-generated password. The more security conscious of these providers (e.g. SpiderOak) also create encryption keys based on your password (by using a strong key derivation function) and then store them on your computer, rather than on the cloud online storage servers. They call this a zero knowledge policy – meaning none of their staff have any access to your data whatever. That's as good as cloud file storage security gets. The less-secure providers (e.g. Dropbox) keep the keys and password on their own servers, and offer varying degrees of promises that staff will not access them. For many, this is not secure enough. But even if you use SpiderOak – the best cloud provider for security – your entire data protection model still hinges entirely upon the safety of your password and nothing more.

The password systems used by Spider Oak et al. are non-changeable. SpiderOak cannot reset your password – if you forget it, they will only provide a hint of what it is, which won't help for any high-security password that consists mostly of symbols. This means if your password is lost, so is your data.

There is no great issue with relying on a single password if you intend to access the cloud online storage account from just one device: backing up your home PC or smartphone, for example. But if you are using the cloud file storage for sharing data across multiple devices and between multiple users, you are going to need to communicate the password and the shared folder URLs to other parties. On top of that, you will likely engage in continuing communication with those parties about the stored data (especially if it's a project in hand), and this could attract attention from hackers, cyber thieves or competitors. Where high-value data is at stake, attackers may even lie in wait over connections through which they know the data and encryption keys are likely to be transmitted – especially where wireless connections are involved. It is at this point where one begins to wish the project itself was held on a local hard drive like the old days, and that you were all connected to by physical wires that you could just unplug at the end of the day.

Part II: Data Privacy and Security When Sharing Cloud-Stored Data

Written by: 
Robin Welles; expats team, internet security team