Selecting an Ultra-secure Cloud Storage Solution
Date: 24 January 2019
Please only read this blog if you are concerned about privacy, confidentiality and security of your data stored in the Cloud.
Cloud Storage - Uninteresting or Exciting?
Like many others, our technical experts and I thought nothing of Cloud-based file storage and sharing. To be brutally honest, up until last year, we thought that this particular sector was well established, commoditised and uninteresting.
Supporting the argument that this sector is unimaginative is the fact that the majority of Cloud Storage providers, for example Dropbox, Box, Apple (iCloud), Amazon and Microsoft (OneDrive), either keep increasing the free storage or keep lowering the prices of their existing plans. There is little to nothing to excite.
Put bluntly, many of our C-Level and technical friends, part of our CM-Alliance network, endorsed the overall view that this sector was dull and boring.
Who should read this blog?
- You are moving your file storage and/or sharing of documents to the cloud.
- Your business is migrating from an existing provider.
- GDPR and regulatory requirements have meant you are looking for privacy-friendly solutions.
The Current Landscape
Let’s start with a high level list of the current lay of the land. A quick scan of the Internet brings up close to 54 Cloud storage providers, though strictly speaking, some of these are more akin to Cloud file-sharing providers. Yes, if someone had the time the list of providers could easily touch a couple of hundred. If the search is expanded to include all countries I am sure the figure could be close to a thousand.
In no particular order, below are some of the more popular Cloud Storage providers out there. This list is not an endorsement of any of the brands.
Cloud Storage for the Masses: Dropbox is probably the name most synonymous with cloud-based storage. It was founded in 2007, and at one point I personally used to ask people to “Dropbox it”. I still maintain a Dropbox account (though I no longer pay them their exorbitant yearly fee for a terabyte of storage) and was a heavy user. I used Dropbox for storage and for sharing large (non-email-friendly) files with the outside world.
Corporate Focused Storage: Box Inc (formerly Box.net) claimed that it, unlike Dropbox, was a more corporate-friendly and enterprise-focused solution, with more emphasis on collaborative features. Another player that I have used, and one that was historically more Mac focused, is Crashplan. Back in the day (eight years or so ago) Crashplan came up with the idea of enabling peer-to-peer storage and backups: a group of friends or colleagues agreed to become the “cloud store” for each other and the software would automatically sync the selected files and folders to the group.
The Big Players: Google, Microsoft, Apple and Amazon: These brands don’t need any introduction and they too, for several years now, offer cloud based storage options to their customers. However, with some, more than the others, you have to be in their specific ecosystem to take maximum advantage of their features.
Some of the others include Mega (formerly linked to the infamous Kim Dotcom but now not associated with him), Knowhow, Zoolz, Backblaze and Carbonite.
File Sharing: Others that are geared more towards secure sharing and temporary storage include Ipswitch, WeTransfer and Tresorit’s file sharing service.
Security & Privacy: There are many players, and some focus more on security and privacy, including the likes of Tresorit and SpiderOak. We use Tresorit at Cyber Management Alliance Ltd.
Questions to Ask your Provider
Here are some requirements that you should keep in mind when evaluating your Cloud storage and Cloud sharing provider.
Previous Breaches: Has your provider been the victim of a cyberattack or data breach? If yes, ask for the details and what they have done to improve their cyber resiliency. I must stress that being breached must NOT be seen as a negative. Focus on what the company has done to recover.
Executive attitude to GDPR: Ok, this one’s not easy to obtain but if you can, sit with the senior folks, the CEO if possible, and ask them to share their thoughts on GDPR and privacy. Try to read between the lines of the clichés like “We value privacy” or “Privacy is very important to us.”
Processes and Policies: This could, like the above requirements, be seen as an invasive ask, but do interrogate anyway.
Access: Who can access your data store? Is there any way or process that would allow an employee to gain access?
Privileged Users in the Business: The service provider must (and I stress must) be using a robust solution to manage its users with privileged access.
Data: What details can they share with you on data residency (where, physically, is your data located?) and their hosting centres?
Certifications: We don’t like to rely on certifications as the benchmark; nevertheless, it’s always good to know if your provider has certifications like ISO 27001:2013, SOC-related certifications or Cloud Security certifications. A word of caution: certifications should be seen as good to have and not as a mandatory requirement.
Breach Readiness: Is your service provider breach ready? Apart from the certifications, you need to know if your provider has the processes, procedures and the executive focus on cyber resiliency. When (not if) your provider is hit by a major attack you must have the assurance that your data is safe or, at the least, you should know that your provider has been rehearsing their responses to a catastrophic cyber crisis.
“They are all the same” No - They are Not!
Given the proliferation and commoditisation of Cloud-file-storage services it’s easy to be dismissive and surmise that “They are all the same”. If only it was that simple.
Beware: I would propose that you run a mile away from providers that:
- Are dismissive of privacy and the GDPR regulation.
- Say things like “Trust us, we take security and privacy seriously”.
- Seek to deny you audits (onsite and otherwise) of their practice.
The Crux of the Matter
We could spend several more pages expanding on the above topics, but we’ll keep it short for this blog. Yes, organic growth and the rush to the Cloud have meant that many organisations expeditiously embraced the first available Cloud Storage service.
However, it’s never too late for a change. As I said at the beginning, if you are genuinely concerned about maintaining the confidentiality of your data, it is imperative that you reassess your provider’s business practices and values.
The following points must be at the top of your selection criteria.
Zero Knowledge Security: Sounds funky, but it basically means that no one, and I mean no one, except for authorised personnel can read or change your files. There should be no grey areas on this topic.
Data Residency: This term is bandied about hurriedly every time someone discusses regulations like GDPR and privacy. However, most vendors, deliberately or because they are genuinely clueless, claim their data is in GDPR-safe zones. If your data (or rather your organisation) falls under the GDPR regulations, please do not trust any such claims. Seek confirmation and verification that the provider physically hosts its infrastructure in a safe, regulated European country.
End to End Encryption: Put simply, everything at rest (on your machine and the servers of the cloud provider) and in transit is encrypted and unreadable to unauthorised people.
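To make the zero-knowledge and end-to-end encryption criteria concrete, here is an added example (not the page's own code, nor Tresorit's or any provider's): the file is encrypted on the user's machine with keys derived from a passphrase the provider never sees, so the blob the provider stores is unreadable to it and any modification in storage is detected on download. The cipher is a constructed stdlib-only HMAC counter-mode construction standing in for AES-GCM, chosen so the snippet runs without third-party libraries.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed illustration of client-side ("zero knowledge") encryption.
# The provider only ever receives the blob returned by client_encrypt();
# the passphrase never leaves the user's device. The cipher is a toy
# HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, used here only
# because it needs no third-party library; a real client would use AES-GCM.

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32

def derive_keys(passphrase: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the user's passphrase into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=64)
    return master[:32], master[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream built from HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def client_encrypt(passphrase: bytes, plaintext: bytes) -> bytes:
    """Runs on the user's device; the returned blob is all the provider stores."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag

def client_decrypt(passphrase: bytes, blob: bytes) -> bytes:
    """Verify the tag first, so a blob altered in storage or a wrong passphrase is rejected."""
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob was modified in storage or the passphrase is wrong")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
```

The point to check against a vendor's claims is the one the code makes explicit: if the provider (or a rogue employee, or an attacker who breaches it) holds only the blob and not the passphrase, it cannot read the document, and a silently altered blob fails verification instead of decrypting to garbage.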
Conclusion: Not All Cloud Providers are Equal
Sadly, in many instances, purchasing decisions are made where budgets and politics trump more serious considerations like confidentiality and security. It's not all doom and gloom, though. We are hopeful that well-intentioned regulations, like the GDPR, will one day mean that privacy and security are the deciding factors.
At Cyber Management Alliance Ltd we use Tresorit's Secure Cloud Storage to store and share sensitive documents. We like it for multiple reasons including the fact that we know the CEO and have interviewed him about his privacy and security beliefs.