5 things Apple vs the FBI taught us about cloud security

Every iPhone user was impacted by the recent Apple vs. FBI debate. iPhones can store up to 128GB of personal data and access to that information was at the heart of the recent fight. The debate also hit close to home for the cloud storage community, where IT professionals manage many terabytes or petabytes of information.

Cloud data security is already a hot topic, so when the FBI asked Apple to help create a backdoor that would potentially allow the government to access phones without the owner’s authorisation or knowledge, it was a reminder that data – whether it’s on your phone or in the cloud – needs to be fully secured. The FBI reported this week that it was able to access data on the phone independently, but that clearly doesn’t mean the debate about data security is over.

Statistics vary, but most surveys show that over 60 per cent of IT professionals are concerned about cloud security. Though some of those fears may be unfounded, it’s hard not to be worried about an environment you have no control over. Many companies are concerned about backdoors, subpoenas, hacks and other access by third parties. Would you even know if hackers, the government, or foreign entities are trying to sneak a look at your data? Probably not.

Like Apple, cloud providers can be subpoenaed for customer data. Not only do they have to comply - they might not even tell you if your data has been subpoenaed. Dropbox has a page on its website that provides statistics on search warrants, subpoenas and other government requests, and how they responded.

So what can you do to make sure your data in the cloud is secure from prying eyes?

  1. Keep your key: You should encrypt the data at the origin and keep your encryption keys. Your data is in the cloud, but without the encryption keys, your provider can’t access it - so that even if they’re breached or subpoenaed, your data can’t be compromised without your knowledge. Someone who wants your data has to get access through the cloud provider, and then get you to decrypt it. This makes it more difficult for someone to get to your data since it’s now a “two subpoena” process.
  2. Get Certified: Don’t rely on the cloud provider’s encryption alone. All the providers or solutions involved should be certified to meet strict standards, like FIPS 140-2 (which is good enough for government security agencies), but some may have intermediary steps or servers that they control, so your data could be exposed at different points. Make sure all of the access points are equally secure.
  3. Extra Encryption. For any data you cache on-premise or in a co-location facility, encrypted drives provide an additional layer of security. Cloud providers like Amazon also let you encrypt data at rest in the cloud. That prevents data leaks if the physical media is later compromised.
  4. Delete, Delete, Delete. The great thing about cloud is data redundancy. Big public cloud providers like Amazon and Microsoft objects on multiple drives across multiple facilities so that they can sustain the concurrent loss of data in two facilities. But that also means when you need to delete data, there are a lot of copies out there to delete. All copies of the data should be deleted not only in the redundant cloud datacentres, but also on any cloud-integrated storage devices. When data is deleted, make sure you can meet the NIST SP 800-88 media erasure guidelines.
  5. Obviously obfuscate. Global data deduplication and compression technology is designed to reduce cloud storage, local storage, and network usage, but the deduplication process also obfuscates the data. Even if someone defeats cloud-provided and your encryption -- which as the FBI and the iPhone outcome show, can be done - they won’t be able to piece together anything meaningful without the complete deduplication table at the edge. Edge caching devices that both encrypt and deduplicate the data before sending it to the cloud can help make cloud storage more secure than on-premises storage.

TrendMicro did a recent in depth study on data breaches and found that over 70 per cent are due to inside jobs, unintentional disclosures and device losses, with only 25 per cent due to hacking or malware. Translation: cloud storage can actually be more secure than on-premises storage.

With cloud storage, people who know what data is stored do not have physical access to the data, and people who have physical access to the data do not know what is being stored.

You can and should still use cloud storage, but make sure your data is protected.

David Friedlander, Technology Marketing & Strategy Executive, Panzura

Photo Credit: Jirsak/Shutterstock