Cloud security has been on everyone’s minds since businesses started using remote providers for storage and backup. The tragic events of 9/11 resulted in a consolidation of various laws intended to make data access easier for US authorities, primarily so that they could thwart future threats.
The resulting piece of law, the US Patriot Act, has been cited as a barrier to adoption of cloud computing since it opens up the cloud to inspection from US authorities, even if you’re not in the US. And in recent months, the controversial PRISM programme has thrust cloud security into the spotlight yet again. Leaked documents suggest that the US National Security Agency was monitoring, or intending to monitor, data held by several cloud storage providers. This could be quite damaging to the industry in the long term.
Different users have different priorities when it comes to cloud storage. If privacy is important to you, you need to understand the basics of encryption before entrusting data to a cloud storage provider.
What Do We Mean By Encryption?
Most cloud storage providers encrypt data using a 256-bit key (hence the name ‘AES-256’). It would take a super computer tens of billions of years to crack the key, so this encryption method is more than sufficient to protect personal and business data. AES-128 is also perfectly adequate for the vast majority of customers.
But cloud storage services vary massively in the way they handle encrypted data. As well as knowing how the encryption is done, we also need to understand when it’s done.
This is crucial, because it ultimately determines who holds the encryption keys and who could access that data on demand.
Ask yourself this: is the data encrypted on your computer, in transit, or on the server? And who has the key to decrypt it?
Understanding When Data is Encrypted
Some cloud storage services provide software to encrypt data on your local machine, before it’s sent to the cloud service.Mega is arguably the best example of this technique. Mega’s unique selling point is its refusal to handle encryption keys, putting security into the hands of the user. (Naturally, it still makes some compromises, and it has been criticised for being less robust than it claims to be.)
Most other cloud services encrypt data for upload as well, but the cloud storage provider can then unencrypt it when it’s stored on the server. That’s because the service provider holds the decryption key – not the user.
Dropbox is a high-profile example of this encryption policy. It can decrypt and read your files any time it wants to. It says this is necessary in order to make sharing and storage easy for its users, and that its staff doesn’t go poking around in people’s files. However, there is a chance that your files could be read by other people.
Other providers, like SkyDrive, do more or less the same thing.
Alternative Encryption Solutions
You can harden Dropbox encryption by using a third party tool such as TrueCrypt alongside it. The problem is that TrueCrypt puts all of your data into a container before it’s sent to Dropbox, so you can’t actually access the files in the normal way once they’re uploaded to Dropbox’s server. You have to download and decrypt them first.
There are alternatives, such as BoxCryptor, GnuPG and Cloudfogger, that work in slightly different ways to TrueCrypt. They require varying levels of technical know-how to use. If you’re not happy with using another tool, try another provider:
- Box is looking at handing over the keys to customers.
- Google now encrypts everything by default, and developers can manage their own keys. (Normal users can’t, but they can use Syncdocs to add another layer.)
- SpiderOak customers benefit from local encryption and control over their own keys.
- And, of course, there’s always Mega.
Can Authorities Access Cloud Data
Regardless of the encryption methods and processes used in the cloud, customers have one simple question: is my data private? The answer varies.
The issue of encryption played out in the press thanks to Lavabit, a cloud email service whose customers relied on its promise of full encryption. When the NSA asked for the SSL key that would have decrypted user emails, the company shut down. (Mega is apparently looking to launch its own email service soon).
With a service like Dropbox, some data is always visible – such as the file names you store in the cloud. And all companies must comply with law enforcement agencies, regardless of their own feelings on cloud storage privacy. Lavabit was prepared to shut down rather than compromise user data.Google, in contrast, almost certainly will not self-sacrifice to protect you from prying eyes.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net