Three Options To Secure Data In The Cloud
Thursday, April 21 2011 22:44 Written by Scott Polly
In a post yesterday, I wrote about Dropbox and the lack of privacy their cloud storage service extends to its users. Rather than simply point out a problem and let it stand, I thought it would be helpful to discuss some ways that you can safely use cloud storage services without compromising your data.
The use of any third party service carries some risk. For the purposes of this post, we’ll take vendors at their word and assume that you don’t work for the CIA, and can therefore accept a practical level of security.
Add a Second Layer of Encryption
For the vast majority of Dropbox’s 25 million users, the security and privacy options provided are perfectly acceptable. The fact is that most people just don’t care about privacy. For those of us that do, however, there is a relatively easy solution that can allow you to continue using Dropbox and keep your data secure.
Using TrueCrypt, you can create a small encrypted volume (a single container file) within your Dropbox folder, which gets synched like any other file. From the TrueCrypt UI, mount the volume to a Windows drive letter, then add or change files from this drive rather than your standard Dropbox client. Dismounting the drive will cause Dropbox to begin its synchronization. Using this approach, your files are encrypted independently of Dropbox’s methods, which means their employees really can’t access your data.

TrueCrypt also allows you to configure your encrypted directory as a dynamic volume, which expands as data is added. This provides a much faster initial synch than if the full space were allocated at once. It’s important to note that Dropbox appears to synchronize changed blocks only, so even though the file is encrypted, the entire volume does not have to be re-synchronized each time.
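Why an encrypted container can still sync incrementally, as an added example that is not part of the original post: each sector is encrypted independently, so a small edit changes only the sync blocks it touches, whereas re-encrypting the whole file on every save changes all of them. The HMAC-based keystream is a stdlib stand-in for a real disk cipher and is not secure for actual use; the sector size, sync block size, key and data are constructed assumptions.

```python
import hashlib
import hmac

SECTOR = 512        # assumed size of one independently encrypted sector
SYNC_BLOCK = 4096   # assumed block size the sync client hashes and uploads

def _keystream(key, sector_no, length):
    # Stand-in cipher: keystream bound to the key and the sector number.
    out, counter = b"", 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_sector(key, sector_no, data):
    ks = _keystream(key, sector_no, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_volume(key, plain):
    # Container style: every sector is encrypted on its own.
    return b"".join(encrypt_sector(key, i // SECTOR, plain[i:i + SECTOR])
                    for i in range(0, len(plain), SECTOR))

def encrypt_whole_file(key, nonce, plain):
    # File-encryptor style: a fresh nonce per save re-keys the entire output.
    subkey = hmac.new(key, nonce, hashlib.sha256).digest()
    return encrypt_sector(subkey, 0, plain)

def block_hashes(data):
    return [hashlib.sha256(data[i:i + SYNC_BLOCK]).hexdigest()
            for i in range(0, len(data), SYNC_BLOCK)]

def changed_blocks(old, new):
    pairs = zip(block_hashes(old), block_hashes(new))
    return [i for i, (a, b) in enumerate(pairs) if a != b]

def demo():
    key = hashlib.sha256(b"constructed demo passphrase").digest()
    plain = bytearray(64 * 1024)                     # constructed 64 KiB volume
    vol_before = encrypt_volume(key, bytes(plain))
    file_before = encrypt_whole_file(key, b"save-1", bytes(plain))
    plain[10_000:10_020] = b"edited file contents"   # a 20-byte edit
    vol_after = encrypt_volume(key, bytes(plain))
    file_after = encrypt_whole_file(key, b"save-2", bytes(plain))
    return (changed_blocks(vol_before, vol_after),
            len(changed_blocks(file_before, file_after)),
            len(block_hashes(vol_after)))

if __name__ == "__main__":
    print(demo())
```

The same locality means the storage provider can observe which regions of the container change between syncs, even though it cannot read them.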
Note that in order to open encrypted files, you will need access to the TrueCrypt program files. This limits the “access anywhere” value of Dropbox, unless you carry the files on a thumb drive.
While this method is not terribly difficult, it does add a couple of steps for each file change. If you are not a Dropbox user, or don’t have any shared folders in use by other people, it might not be worth it. If you do have shared folders in use, it might make more sense to configure a private directory with TrueCrypt and adopt a hybrid approach than it would to retrain those accessing your shared folders.
SpiderOak
The folks at SpiderOak have created an online backup/synch/share solution similar in concept to Dropbox (2 GB free, pay for more space). Where SpiderOak distinguishes themselves, however, is that they offer a “zero-knowledge service” that, according to their website, makes it impossible for them to ever access your data. In their words:

And

While I’m not a security architect, SpiderOak provides engineering details that pass the logic test. Read more about the details here.
As far as usability goes, SpiderOak operates more like a backup application than a drag-n-drop portal. Using the SpiderOak client, you can configure folder(s) to back up, or use their Basic methods to back up by category (Documents, Pictures, etc).

There are a variety of configuration options, and you can configure the client on other systems (Windows, Linux, or Mac) to synchronize between the two. You can also configure public folders for sharing, similar to Dropbox, and access files through the SpiderOak website. Setup is a bit more complicated than Dropbox, but I think it’s a fair trade for real security and more flexibility.
Mozy Home
With the recent attention garnered by their acquisition by/reassignment to VMware, Mozy was one of the first providers that came to mind for cloud backup and storage.
Mozy is offered in three versions - a free version that allows for the standard 2 GB of storage, and two pay versions (50 GB for $6/month, 125 GB for $10/month). The features for all are the same, except that the free version doesn’t come with support.
The basic functionality is very similar to SpiderOak, with a small UI that allows you to accept the automatic settings based on data type, or configure specific folders for inclusion or exclusion.
The cool part about Mozy Home is that you have two choices for encryption: the standard option, which uses Mozy’s 448-bit encryption, or a 256-bit key that you provide.

To their credit, Mozy has reduced their Privacy notice to the basics, eliminating the onerous terminology regarding third party disclosures in section C.

The important thing to remember is that by enabling you to use personal encryption keys, they basically remove the option to compromise your data. Sure, they can give it away, but the data is practically useless without the key. Like SpiderOak’s zero-information approach, private keys allow them to gracefully bow out of any legal entanglements surrounding data requests.
What Does It All Mean?
With a little bit of effort, you can achieve a practical level of data security and still take advantage of the convenience and flexibility of cloud storage and backups. Hopefully, as more people become aware of the risks, providers will be forced to adopt a hardline stance on privacy. Until then, make the right choices when protecting your data, and the Feds should leave you alone.



