Thursday, June 30, 2011

A Quick Look At Cloud Storage Security

I was curious about free cloud services and their security practices for transferring and storing data, so I did some research and figured I'd post it. All of these services provide a free account with 1 gig or more of online storage.

Dropbox (https://www.dropbox.com)

From the official Dropbox blog.
http://blog.dropbox.com/?p=735
The files you store on Dropbox’s servers are encrypted using an industry standard, AES-256. We manage the encryption keys on our users’ behalf. This encryption protects against a variety of security threats, particularly when your data is at rest.

All data that goes from your client to the Dropbox server travels over SSL, which handles encryption in transit (the same stuff that encrypts secure websites). Files are encrypted on the server using a single key that Dropbox employees could use to decrypt your data. So you need to have a little bit of faith here that the employees are trustworthy enough to handle your data responsibly.

Ubuntu One (https://one.ubuntu.com)

From the Ubuntu One website.
https://wiki.ubuntu.com/UbuntuOne/FAQ/AreMyFilesStoredOnTheServerEncrypted
Q: Are my files stored on the server encrypted?
A: No. If you are interested in having your files encrypted both on your local machine and in the cloud, you could use Ubuntu's Encrypted Home Directory feature, and only synchronize your $HOME/.Private folder...

Wuala (http://www.wuala.com)

From the Wuala website.
http://www.wuala.com/en/learn/technology
All your files get encrypted on your computer, so that no one - including the employees at Wuala and LaCie - can access your private files. Your password never leaves your computer.

This sounds like the most secure cloud storage around. Files are encrypted on your client before they are transferred to the server (I believe over an encrypted SSL connection) and are then stored in fragments across multiple servers.

Google Docs (http://docs.google.com)

An explanation from a user (not a Google employee) taken from the Google Docs support forum.
http://www.google.com/support/forum/p/Google%20Docs/thread?tid=34631f3d6c627514&hl=en
Google Apps does not encrypt data at-rest. Instead they are using data sharding with obscured file names/identities. Basically any one email or document has parts of it on different servers and they are all pulled together when you request the file. If I was to compromise their server and copy all the data, it is rather unlikely to find a complete file and even less likely to find the file you are particularly looking for. Security through obscurity.

What if I Need Better Control Over Security?
Even with a service like Ubuntu One, where files are not encrypted in the cloud, you can choose to do the file encryption yourself beforehand. This way you are the only one who has a key to unlock the data, and you can still access the data from the cloud. Take a look at something like TrueCrypt for creating encrypted volumes.

Unfortunately, TrueCrypt is not available for Droid or iOS yet, so you won't be able to open your encrypted volumes from those devices even if your cloud service supports those platforms.
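One way to do the "encrypt it yourself beforehand" step for individual files, as an added example that is not part of the original post and is a per-file alternative to a TrueCrypt volume. It assumes the third-party Python `cryptography` package is installed; the function names, the `CSE1` header and the `.enc` suffix are constructed for illustration.

```python
import hashlib
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"CSE1"  # constructed format tag for this example, not a real standard
SALT_LEN, NONCE_LEN = 16, 12
HDR_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt stretches the passphrase; the derived key is never stored or uploaded.
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def seal(plaintext: bytes, passphrase: str) -> bytes:
    """Return MAGIC || salt || nonce || AES-256-GCM ciphertext and tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    header = MAGIC + salt + nonce
    # The header is bound as associated data, so altering it also fails the tag check.
    return header + AESGCM(_derive_key(passphrase, salt)).encrypt(nonce, plaintext, header)


def unseal(blob: bytes, passphrase: str) -> bytes:
    """Decrypt a blob from seal(); ValueError on wrong passphrase or tampering."""
    if len(blob) < HDR_LEN + 16 or blob[:len(MAGIC)] != MAGIC:
        raise ValueError("not a sealed blob")
    header, body = blob[:HDR_LEN], blob[HDR_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    try:
        return AESGCM(_derive_key(passphrase, salt)).decrypt(nonce, body, header)
    except InvalidTag:
        raise ValueError("wrong passphrase or modified ciphertext") from None


def seal_into_sync_folder(src_path: str, sync_dir: str, passphrase: str) -> str:
    """Write only the encrypted copy into the folder the cloud client syncs.

    The original file name is kept (plus .enc), so the provider still sees names
    and sizes. The whole file is read into memory, which suits documents rather
    than multi-gigabyte archives.
    """
    with open(src_path, "rb") as f:
        blob = seal(f.read(), passphrase)
    dst = os.path.join(sync_dir, os.path.basename(src_path) + ".enc")
    with open(dst, "wb") as f:
        f.write(blob)
    return dst
```

Because the format is authenticated, a file that was altered on the server fails to decrypt instead of silently yielding corrupted plaintext.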

2 comments:

JJ said...

How about SpiderOak?

Bryan said...

Checking it out now... Seems to have similar features to Dropbox, but more secure and maybe a little more complicated to set up/use.

I'll have to set up an account and give it a shot! Thanks JJ :D