Of course, convenience is important. If you can’t get your hands on your files when you need them, there’s very little point in having a cloud storage account. At that point, you’d be better off using a USB stick.
However, security is equally important. In fact, it’s arguably even more important. If you use cloud storage a lot, you probably have a vast number of sensitive documents in there. You might use your account for everything from bank statements to passport copies.
Clearly, you don’t want those files to get into the wrong hands. But is your provider doing enough to protect you? In this article, we take a look at which cloud solutions are the most secure.
Google Drive boasts 800 million users and 15 GB of free storage, thus making it the most popular cloud storage provider on the web.
Interestingly, it wasn’t until 2013 that Google enabled any form of encryption on its servers. The company was only forced to act after the revelations about NSA surveillance from around that time.
Today, the situation has improved. When you upload files, Google encrypts the data in transit using the TLS standard. When your files reach Google’s servers, they are decrypted and then re-encrypted with 128-bit AES. The encryption happens before Google adds the data to your account, which reduces the risk of data leakage.
Lastly, the AES keys themselves are encrypted with a master key. This adds a second layer of encryption.
Google Drive’s biggest weak spot, which also afflicts some of the other services I’ll talk about shortly, is its password.
Microsoft OneDrive is the other big player in the world of cloud storage. Users only receive 5 GB of free space with their Microsoft Account, but Office 365 subscribers are automatically bumped up to 1 TB.
When you’re sending data from your computer to your cloud account, OneDrive deploys SSL encryption. Unless you have a business account, however, the service does not encrypt your data when it’s “at rest” (i.e. when it’s sitting in your account). If you’re a security-conscious user, this will immediately set off alarm bells.
Business users can also benefit from per-file encryption: if the encryption of one file is hacked, the rest of your documents will stay safe. Personal users enjoy no such benefit.
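The key hierarchy described for Google Drive (AES keys that are themselves encrypted with a master key) and the per-file isolation described for OneDrive business accounts are the same pattern, often called envelope encryption. The sketch below is an added example, not any provider's code; the AES-GCM mode, the 256-bit master key, and all function names are assumptions made for illustration.

```javascript
// Added example: envelope encryption with per-file keys (illustrative only).
const crypto = require('crypto');

// AES-GCM helper (mode is an assumption): returns nonce, ciphertext and auth tag.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const c = crypto.createCipheriv(`aes-${key.length * 8}-gcm`, key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Decrypts and authenticates; throws if the key or the data is wrong.
function open(key, box) {
  const d = crypto.createDecipheriv(`aes-${key.length * 8}-gcm`, key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Store a file: a fresh 128-bit data key per file, wrapped under the master key.
function storeFile(masterKey, contents) {
  const dataKey = crypto.randomBytes(16);
  return {
    body: seal(dataKey, Buffer.from(contents)),
    wrappedKey: seal(masterKey, dataKey),
  };
}

// Read a file: unwrap its data key with the master key, then decrypt the body.
function readFile(masterKey, record) {
  const dataKey = open(masterKey, record.wrappedKey);
  return open(dataKey, record.body).toString();
}

// Does a data key leaked from one file decrypt another record's body?
function leakedKeyOpens(leakedKey, record) {
  try { open(leakedKey, record.body); return true; } catch { return false; }
}

// Constructed sample data, not real documents.
const masterKey = crypto.randomBytes(32); // 256-bit master key (assumed size)
const statement = storeFile(masterKey, 'bank statement (sample)');
const passport = storeFile(masterKey, 'passport copy (sample)');
const leaked = open(masterKey, statement.wrappedKey); // pretend this key leaked

console.log(readFile(masterKey, passport));
console.log(leakedKeyOpens(leaked, statement), leakedKeyOpens(leaked, passport));
```

Whoever holds the master key can still unwrap every file key, which is why this design limits the damage of a single-file compromise but does not remove the need to trust the provider.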
Microsoft is also open about how it might share your data with third parties. Here’s a direct quote from the company’s Privacy Statement:
“We will access, transfer, disclose and preserve personal data, including your content . . . to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.”
“If we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property belonging to Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.”
It would be worth your while to read Apple’s “iCloud: iCloud security and privacy overview” document. As its name hints, it spells out how your data is encrypted, both when it’s transmitted between your computer and Apple’s servers and when it’s stored on those servers.
The gist is that Apple uses a minimum of 128-bit AES encryption. This is the encryption standard used by banks and other financial institutions. As I write this, there is no practical way to crack AES-128 encryption—unless, of course, the NSA has found a way to introduce a weakness that allows it to get around it. But unless you’re an International Man of Mystery, I seriously doubt any government is interested in your private affairs.
Given that I occasionally scrawl my social security number on forms and pass my credit card to perfect strangers with no more assurance than the faith I place in my fellow human being, I rest easy at night knowing that Apple and other online entities are at least as trustworthy with my personal information (and provide greater protection).
Your local-storage solution is certainly an option, but one that’s not very convenient. After all, if you’re concerned about that data touching the Internet you won’t want to allow it to be accessible via any means other than your local network. And even then, you’ll have to lock down that device with a very firm password should someone break into your home and steal it. And you should memorize that password rather than write it down in case an errant nephew wanders by, finds the password that you’ve taped to the bottom of the drive, and accesses your stuff. And then you’ll need to back up its data to yet another device and keep that device in another location in case the original hard drive fails or is damaged.
Oh, and you should buy a safe and lock up your wife’s purse and your wallet and put a padlock on your mailbox.
I don’t mean to make light of your security concerns, but once you head down the path of “just how safe is safe?” it doesn’t take long before concern turns to obsession. I suggest, instead, that you take reasonable precautions.
For example, writing down passwords and sticking them to the side of your computer monitor is a bad idea. Using the same password for multiple accounts is little better. Creating passwords that can be easily guessed is just asking for trouble. Placing sensitive information such as a credit card number or social security number in email isn’t a good idea as email is rarely encrypted. Failing to password-protect your mobile devices and computer isn’t a risk you should take.
In other words, the things we commonly do for the sake of convenience are often far riskier than trusting your data to services such as iCloud.
You can probably spot the weaknesses in the process. Any time you send your data anywhere on the internet, you’re assuming risk. What’s more, it’s stored on a central computer that you have no control over. This requires that you trust in the company to treat your data properly.
So is Dropbox doing everything the right way? Let’s take a look at their security process.
- The Dropbox client (program) is installed on your computer. This program is what creates a secure connection between your computer and their servers.
- Dropbox encrypts the data on your computer in preparation to send it over the internet using the industry standard SSL/TLS with AES 128-bit encryption.
- Your data is copied to the Dropbox servers and decrypted once it reaches its destination. Thanks to the encryption performed in the previous step, no eavesdroppers will be able to read your data as it zooms over the internet.
- Your data is then encrypted again for storage with AES 256-bit. This is to prevent hackers from seeing your data if it’s stolen from their servers.
- The data is then copied from the servers to your other devices over the internet. Again, using SSL/TLS encryption.
- Once on your computer, your data is then decrypted and stored on your hard drive.
None of them necessarily make your data more secure, but they certainly help to make your business more secure.
Do You Trust Cloud Storage Providers?
If nothing else, I hope this article has made you realize that not all cloud storage is born equal. Even between the three biggest names in the sector, there are noticeable differences that can dramatically affect how secure your data is.
If you never plan to store more than an odd recipe or family photos, these security considerations might not be important to you. But if you use cloud storage as an extension of your computer’s hard drive, you need to give careful thought to where you store your data.
Do you use cloud storage providers for sensitive documents? Are you confident in the ability of providers to protect you? As always, you can leave all your thoughts and opinions in the comments below.