What Apple Vs. The FBI Can Teach Us About Cloud Storage Security


The recent Apple vs. FBI debate hit close to home for the cloud community because it touched on one of the industry’s hottest topics: data security.

The FBI struggled to access information on the iPhone because the phone is encrypted using the owner's personal passcode, so not even Apple could access data on the phone. The FBI had asked Apple to help create a backdoor that would potentially allow the government to access phones without the owner’s authorization or knowledge. The government already had the iPhone in its possession, and reported this week that it was able to access data on the phone independently.

Events like this highlight security as a major concern in general, but especially for cloud storage users. Your data is stored with your cloud provider, so many companies are concerned about backdoors, subpoenas, hacks and other access by third parties. Would you even know if hackers, the government, or foreign entities were trying to sneak a look at your data? In fact, you might not.

Like Apple, cloud providers can be subpoenaed for customer data. Not only do they have to comply - they might not even tell you if your data has been subpoenaed. Dropbox has a page on their website that provides statistics on search warrants, subpoenas and other government requests, and how they responded.

The Apple-FBI debate provides a good lesson for how we should handle data security in the cloud. There are five critical things you should consider:

Encrypt the data at the origin and keep your encryption keys. Your cloud provider should store your data but shouldn’t be able to access it directly - so that even if they’re breached or subpoenaed, your data can’t be compromised without your knowledge. This makes it more difficult for someone to get to your data as it is now a “two subpoena” process. Someone who wants your data has to get access through the cloud provider, and then get you to decrypt it.

End-to-end FIPS 140-2 certified encryption. Don’t rely on the cloud provider’s encryption alone. Know where your data travels, and where it’s stored in the cloud. All the providers or solutions involved should be certified to meet strict standards, like FIPS 140-2 (which is good enough for government security agencies). Some may have intermediary steps or servers that they control, so your data could be exposed at different points.

Encrypted drives. If you’re keeping some data cached on-premises, encrypted drives provide an additional layer of security. Cloud providers like Amazon also let you encrypt data at rest in the cloud. That prevents data leaks if the physical media is later compromised.

Ensure erased data is deleted -- everywhere. The great thing about cloud is data redundancy. For example, AWS S3 stores objects on multiple drives across multiple facilities so that they can sustain the concurrent loss of data in two facilities. All copies of the data should be deleted not only in the redundant cloud datacenters, but also on any cloud-integrated storage devices. When data is deleted, make sure you can meet the NIST SP 800-88 media erasure guidelines.

Obfuscate your data. Global data deduplication and compression technology is designed to reduce cloud storage, local storage, and network usage, but it also obfuscates the data. Even if someone defeats both the cloud provider’s encryption and your own - which, as the FBI and the iPhone show, can be done given access, resources, and time - they won’t be able to piece together files without the complete deduplication table at the edge. Edge caching devices that both encrypt and deduplicate the data before sending it to the cloud can help make cloud storage more secure than on-premises storage.
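To make the split between cloud and edge concrete, here is an added sketch (not code from the article or from any product) of the deduplication layer only: the object store receives unique chunks under opaque names, while the table that maps files to ordered chunks stays on the edge device. The class name, the 16-byte chunk size, the keyed chunk naming and the sample files are all assumptions made for the illustration, and the encryption layer the article also calls for is left out.

```python
import hashlib
import hmac
import os

CHUNK_SIZE = 16  # tiny for the demo; an assumption, not a value from the article


class EdgeDedup:
    """Hypothetical edge device: deduplicates chunks and keeps the table locally."""

    def __init__(self, cloud):
        self.cloud = cloud         # dict standing in for the provider's object store
        self.key = os.urandom(32)  # chunk-naming key, never leaves the edge
        self.table = {}            # file name -> ordered chunk ids (the dedup table)

    def _chunk_id(self, chunk):
        # Keyed HMAC: object names in the cloud cannot be recomputed from content alone.
        return hmac.new(self.key, chunk, hashlib.sha256).hexdigest()

    def store(self, name, data):
        ids = []
        for off in range(0, len(data), CHUNK_SIZE):
            chunk = data[off:off + CHUNK_SIZE]
            cid = self._chunk_id(chunk)
            self.cloud.setdefault(cid, chunk)  # upload only chunks not seen before
            ids.append(cid)
        self.table[name] = ids                 # ordering is recorded at the edge only

    def restore(self, name):
        return b"".join(self.cloud[cid] for cid in self.table[name])


def demo():
    cloud = {}
    edge = EdgeDedup(cloud)
    # Constructed sample files that share most of their content.
    header = b"QUARTERLY REPORT" * 4
    q1 = header + b"Q1 revenue: 1200"
    q2 = header + b"Q2 revenue: 1350"
    edge.store("q1.txt", q1)
    edge.store("q2.txt", q2)
    return {
        "restored_ok": edge.restore("q1.txt") == q1 and edge.restore("q2.txt") == q2,
        "chunks_referenced": sum(len(ids) for ids in edge.table.values()),
        "objects_in_cloud": len(cloud),
    }


if __name__ == "__main__":
    print(demo())
```

The cloud side ends up with three unordered objects for ten referenced chunks and no file names. Each chunk is still readable on its own once decrypted, so the table protects file structure and ordering rather than chunk contents, which is why it complements encryption instead of replacing it.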

Cloud storage can actually be more secure than on-premises storage. Trend Micro did a recent in-depth study on data breaches and found that over 70% are due to inside jobs, unintentional disclosures and device losses, with only 25% due to hacking or malware. With cloud storage, people who know what data is stored do not have physical access to the data, and people who have physical access to the data do not know what is being stored.

If you’re going to use cloud storage, make sure your data is protected. There may not be a way to guarantee 100% security, but if you take a few basic steps, you can make the cloud much more secure than on-premises storage, and make it much harder for someone to steal (or subpoena) your data. If the door is locked, dead-bolted and alarmed, they’re much more likely to pass you up for easier targets.
