Personal and Business Cloud Security

Personal and Business Cloud Security

These days, it seems that businesses are finally starting to be more comfortable with the Bring Your Own Device (BYOD) policy which allows employees to use their personal devices to access privileged corporate information.

Device manufacturers have also started to push their own flavor of cloud storage service such as Apple with iCloud, Google with Google Drive and Microsoft with SkyDrive. Although to be fair, Google and Microsoft aren’t really hardware manufacturers, but they do have their hands in the hardware products.

Stand-alone cloud storage providers such as Dropbox, SugarSync, Box etc. catering to personal and business users are also growing at a viral rate.

Current outlook indicates our personal and business files will eventually be on one or more cloud storage providers. Like all data storage facilities, it’s only a matter of time before the question of security becomes front and center not only to IT professionals but regular consumers.

Is Cloud Security a Real Problem?

The quick answer is: YES! One would only need to perform a quick search for “cloud security issues” or “dropbox security breaches” to find top headlines such as: Dropbox got hacked … again, Dropbox Security Breach: Who’s Guarding Your Secrets In The Cloud?, 5 (more) key cloud security issues or Megaupload and the Government’s Attack on Cloud Computing etc.

The sad truth is, we’re no longer surprised to read news of “Law Firm X” had some sensitive case documents leaked from one of the cloud storages or “Company Y” had some trade secret stolen by employees using Dropbox as a data storage facility.

As I write this article, Evernote is still trying to contain its recent security breach.

We’re not surprised because those aware of security issues already self-censored the data going into the clouds and those who are not … well, probably aren’t reading these news to begin with! When was the last time you put your tax return or a copy of your passport into Dropbox or SugarSync?

Here’s the kicker, how many of us, so-called “security-aware” or “tech savy”, wouldn’t think twice about sending a copy of driver license, passport or even SSN card via email to our life or auto insurance agents? How are those information handled by these parties? Is it one agent, a team of agents, the whole company or worse, another third party vendor they use?

The Promise of Security

When it comes down to it, our data is only as secured as the person we share with. You can be the most security-conscious person, but if you’re sending sensitive documents to someone with terrible security hygiene, then your data is most definitely at risk.

In this instance, an email is a terrible way to share files because when it gets to the recipient, you would have lost all control of these files.

All we can do then is to rely on a “promise” that whoever has our data will secure it appropriately. At best, it’s well-intended, at worst, it’s dishonesty. Why? Those aforementioned articles say: whether you like it or not, security breaches happen.

The Problem with Cloud Security

If cloud storage providers allow us to put data in a virtual “lockbox” with username & password as the key to open this box, then like any storage facility owner, they also have access to this data. Just imagine, your data is only as safe as the time it takes for an obsucre disgruntled employee to go rouge.

Remember the “promise of security” above? Here are a few excerps from Dropbox’s Privacy Policy:

Changing or Deleting Your Information: … In some cases we may retain copies of your information if required by law

Data Retention: … We may retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Consistent with these requirements, we will try to delete your information quickly upon request. Please note, however, that there might be latency in deleting information from our servers and backed-up versions might exist after deletion. In addition, we do not delete from our servers files that you have in common with other users.

Not exactly the most comforting information to learn from your cloud storage provider.

Cloud Security Solutions

The concept is quite simple: storage providers holding your data shouldn’t be able to open it. This is why whatever security solution cloud storage providers propose, it would most likely fail this very litmus test.

Then how do we solve this? Secure or lock your data up before it goes into the “cloud”.

You can easily do this right now by creating a zip archive with a password of your data using tools like 7-zip, which provides “strong AES-256 encryption in 7z and ZIP formats”.

Credential Management System in Cloud Security

One of the pitfalls of manual password management is the level of password uniqueness. People usually have one or a few passwords they like to use for all purposes. The chance of someone breaking one of those passwords and using it to open other files is very possible.

However, attempting to remember multiple passwords, repetition of extraction & compression every time you need to work on your files will definitely drive you insane!

What we really need is a practical credential management system for these secured data. Here, “practical” means something regular folks can actually use without sacrificing security.

Secure Collaboration and Sharing in the Cloud

Most of cloud storage providers currently have a way for users to share data with others. Sharing a secured file, however, is a more complicated problem.

Again, it still boils down to: how do we manage credentials for secured files in the collaboration use case? Surely sending the credentials via email isn’t the best solution; especially if the collaboration happens with a large group of people.

Seamless Credential Management System

For a credential management system to be viable for both consumer and enterprise, it needs to be able to:

  1. Generate unique passwords for each file
  2. Have mechanism to share or revoke access to file with others in collaborative workflows
  3. Have a foolproof way to recover file for owners in case of forgetting credentials (because we’re only humans and humans often forget!)
  4. Use open and standard technologies that won’t make files useless when the company goes out of business
  5. Abstract 1-4 and shield users from the all complexities and what’s going on under the hood

So far, there have been quite a few attempts at solving the cloud security & privacy problem. However, no one has emerged to be the clear winner and more are quickly joining the race.

One thing is clear, all players must first convince consumers that there’s a problem before they can go about peddling their solutions.