Security Think Tank: Embrace consumer cloud storage at your peril

How can businesses make use of free or low-cost cloud storage services aimed at consumers, but ensure their data is safe and secure?

Storing files in consumer cloud is tempting. I use several consumer cloud storage platforms, such as DropBox, Google Drive and SkyDrive. The convenience of these services mean I can access my files anywhere and have them synchronised between all my computers automatically. Many companies – including big enterprises – are evaluating the use of these cheap and easy-to-use storage services. Many more are perhaps already using such services – at their peril.

Consumer storage services come with big concerns and should prompt some serious questions.

The biggest security risk is that all files are stored in such a way that the cloud provider has full access to it. Do not believe your cloud provider will never look at the data. In the US the National Security Letters (NSL) prevent companies from even informing their customers about such co-operation. In the age of National Security Agency (NSA) surveillance, this is perhaps something to be wary of. Also, there have been a number of high-profile incidents related to consumer cloud storage providers.

However, there is a way to overcome this risk: pre-internet encryption (PIE), encrypting data before it reaches the cloud provider. Services such as BoxCryptor can work on top of cloud storage platforms and encrypt all data with customer-managed keys. This means the cloud storage provider cannot technically get access to any of your data. Nevertheless, with any encryption comes the hassle of key management, which is considered the hardest discipline in IT security. Moreover, losing the encryption key means the data is lost forever.

Read more about free or low-cost cloud storage

  • Security Think Tank: How to keep data secure when resident or used by cloud applications
  • Security Think Tank: In the cloud, low or no cost means little or no control

The second biggest risk is related to linking to a company’s identity and access management (IAM) systems. As with all company applications, an account should be disabled when an employee or a contractor no longer works for the company. Consumer offerings do not support plugging in to corporate IAM systems; that is typically a premium service of enterprise-ready cloud systems.

In summary, the consumer cloud storage services are great if you have files that are not overly sensitive and the company size is such that everyone knows everyone (the theory says this number is around 50). If your file classification and company size do not fit this profile, you are most likely better off looking at enterprise-class cloud storage offers.

Vladimir Jirasek is managing director at Jirasek Consulting Services

Read more on Cloud security