I have been quite surprised in recent months at how many individuals and companies store content in the cloud without thinking about who might have access to their data and how these files are being used. There seems to be an implicit trust. After all, backing up data to the cloud is more reliable and recoverable than backing up to onsite hard drives.
Common sense mandates that you should do due diligence before storing data in the cloud. This article provides you with a four step roadmap to guide you through the process of assessing your cloud storage provider’s security policies.
1. Read the Fine Print
We are all guilty of scrolling through terms and conditions on web sites and pressing the agree button without actually reading anything. Even though we have all heard horror stories about people who failed to read the small print, we either perceive that it is not worth spending time on or think that we will not be able to interpret it correctly.
“By submitting or posting such Content ….. you grant Apple a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify, adapt, publish, translate, publicly perform and publicly display such Content on the Service solely for the purpose for which such Content was submitted or made available, without any compensation or obligation to you.”
A storage service provider needs to be able to manage the data stored on their network. This means that the service providers need be able to move your data and even translate your data to a more efficient format. It is natural that they need an agreement to allow them to do this, however these terms can leave your content exposed.
The first step to protecting your data is to take the time to read the small print and assess the risk to your content. If the terms are not clear or you determine that they put your data at risk, then you need to look for another storage service provider.
2. Find Out Where Your Data is Being Kept
Many cloud storage providers have data centers located all around the world. The good news is that placing data centers overseas can provide redundancy and keep the cost of storage low. The bad news is that your data is subject to the regulation of the country and the state that it is stored in.
For example, suppose the storage provider data center is hacked and there is a risk that your data has been compromised. Depending on the country and state your data is stored in, your storage service provider may or may not be legally obligated to send you notification of the theft. Similarly, if the in-country law enforcement may issue the service provider with a warrant to view your data, the storage service provider is not obligated to notify the data owner that their data is subject to a legal investigation.
“When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”
The second step is to make sure that the SLA agreement that you have with your storage service provider details where your data is being stored, and that you will be notified on an potential breach in security that could affect the integrity of your data.
3. Determine if Your Videos and Images are Being Compressed
If you are storing pictures or videos in the cloud, you may be surprised to find that the storage service provider will compress them. You will therefore never be able to regain the original quality. Depending on your planned usage for your content this may be or may not be a problem.
“Apple may transmit your Content across various public networks, in various media, and modify or change your Content to comply with technical requirements of connecting networks or devices or computers.”
Step three is simply to look for a site that does not compress your video and images. If you are not sure, run a test by simply uploading and downloading raw video footage.
4. Encrypt, Encrypt, Encrypt
Many storage service providers encrypt your data while you are transferring your data between your computer and the cloud, but then store your data in plain text. This protects your data while it is being sent over the public Internet, but it is not protected against possible breached in security at the data center. Extract from Federal Trade Commission investigation last year:
“The choice of encryption algorithms is an important component in the security of a system. However, equally important is the storage and management of the keys used to encrypt data. The keys used to encrypt users’ data are know some Dropbox employees and stored on the company’s server.”
Step four and perhaps the most important action you can take to protect your data in the cloud, is for you to encrypt your data prior to uploading it to the cloud and store your keys separately and securely.