Storing in the Cloud securely: 30 services compared

1. The consumer Cloud
2. Who owns the data?
3. Keeper of the keys
4. A snapshot of secure services
5. What to look for

In perhaps the most comprehensive roundup on the net, we take a look at Cloud storage services for personal and business use from the perspective of the CIO: What they offer, what's important and what to look for.

The consumer Cloud

The ubiquity of Cloud services combined with the consumerisation of technology in the workplace is creating interesting challenges for CIOs. Where once storage was internal and hardware was a factor of your IT infrastructure, today's workplace landscape is becoming a very different silicon beast.

Increasingly, everything from hosting to email and office productivity is being outsourced to Cloud services placing business data, intelligence and intellectual property in the hands of others. The trade-off is usually efficiency and cost, but it's not just the enterprise that's taking advantage of Cloud services: employees are doing it too. Sometimes for personal use, sometimes for business, often both.

This is in part enabled by both the ease of access to such services (most all have 'free' accounts making a very small barrier to entry) and the prevalence of consumer devices in the workplace: Smartphones, tablets and laptops. Where once it may have been an option for IT policy to prohibit or limit these devices, this is no longer realistic— today, these are the tools through we which we conduct business.

As a result, policy has to move with the times and adapt, so when it comes to employees uploading business data to third-party Cloud storage services—simply as part of the natural order of doing business with clients, contractors, freelancers or other staff—how can you be sure which services are 'safe'?

We asked this same question and scoured the net to put together our comprehensive guide covering most Cloud storage services currently available. But first, let us define the problem.

Page Break

Well, you do—until such a time as it may suit another party—perhaps. If the Megaupload case teaches us anything, it's that the inherent risk with Cloud storage services isn't necessarily that they are not secure, but simply that once data leaves your network it is, by definition, beyond your control. And, while most services will clearly detail their commitment to keep your data safe, this may be no more than ink on a page when government or law enforcement comes calling—especially when you consider the data is likely to be stored offshore in jurisdictions with different laws from our own. The Patriot Act and  Digital Millennium Copyright Act (DMCA) in the States, for example, has exemplified the vulnerability of data stored on US soil. Under the Patriot Act, there is no requirement that you be informed your data has been accessed, so you wouldn't even know. And DMCA guidelines can be found on many cloud storage sites for accelerating the submission process.

This may seem like a non-issue—after all, your business data isn't likely to raise the ire of law or government one would hope—but there's no guarantee when you don't even know where your data physically resides: many services use geolocated data centres, which makes it nigh impossible to determine what rights you have should a legal request—justified or not—be received by the service provider. The posterboy for Cloud storage, Dropbox, for example, clearly states that employees can access your data if legally required to do so (though to be fair, this is true of most services, not just Dropbox).

Which raises another issue: How far do you trust the service itself? What's stopping abuse of access by administrators or other employees of the service? Would you even know? And this says nothing of a service being hacked through a vulnerability or socially engineered, or if it should be bought out by a third-party—then you'd be at the whim of the third-party as to the sanctity and sovereignty of your data.

And all of this is possible because, even though a service may clearly state that your data is encrypted both in transit and at rest, the fact remains the service provider usually has the keys. If they have the keys, the data can be decrypted, so you ultimately don't have full control over what happens to it.

It muddies further when you realise that many Cloud storage services rely on outsourced networks such as Amazon's S3. While on the one hand this could work in favour of a given service if you know the pedigree of its partners (one provider even proclaims in its literature that its data centres are patrolled by armed guards!), it's yet another layer apart from having control over your data.

And this is the crux of the issue. IBM recently made the news when it announced that the use of Siri was banned for employees. Why? Because in processing voice requests, the audio is sent to Apple data centres—and while we like to think Apple wouldn't data-mine it, let’s face it, this is business (nothing personal, as the saying goes). For IBM, this is about limiting the inadvertent disclosure of sensitive information—a description equally apt for describing employee use of cloud storage services too. No surprise then that IBM has also banned the use of Dropbox and Apple's iCloud.

This is not to say Cloud storage services can't play a role in your business, and most services offer specific enterprise class accounts with more features, but even with these you need to consider what data is to be stored with them, and most importantly, how secure it will be.

Page Break

So if Cloud storage services are an enabler in your business—either as a platform for the whole company or simply used piecemeal by some employees—then ideally you want to be able to manage the keys. This is usually known as private-key encryption, and is so secure that, for example, as stated by SpiderOak, if you lose the key, they can't help you. It's gone, there's no other way to decrypt it.

This also means, naturally, that should a service be compromised, or the provider receives a legal request, or an employee abuses access, or a third-party buys the company... or any of the things we can't think of—then your data won't be readable. Only you, or your employees, have the key.

Fortunately, a number of Cloud storage services do provide private-key encryption. Determining these can be a little like sifting the wheat from the chaff, but beyond explicitly stating it on their web pages there are other tell-tale signs—for example, some services provide an extra layer of protection by scanning uploaded documents with a virus scanner like McAfee. Nice to have, but this could only be possible if the data you're uploading is readable, ergo not private-key encrypted.

See the embedded table for a breakdown of the services that provide private-key encryption. There are a lot of other features to look at too, which we'll get onto in a moment. Even if your business isn't currently looking to use an enterprise class Cloud storage solution, with the consumerisation of the workplace where even the best network security doesn't mean much if you have employees uploading data to third-party cloud services from their smartphones over 3G, it helps to be able to set a policy detailing which services are 'safe' for employees to use.

Page Break

By definition the most attractive services are the personal free ones. Almost all Cloud storage services provide a free account with limited features and then build on a paid service by offering advanced options and more storage space. These 'personal' accounts are usually quite sufficient too for a single user—a document can be uploaded and a URL link sent to a client or associate quickly and easily.

Free and personal accounts often have limitations to encourage purchase of higher-level plans (for example, Flipdrive limits file size to 25MB for the free service and 1GB for its lowest paid service), with the highest level plans placing no restrictions except total volume of the storage space.

The 'business' accounts can vary greatly but usually add features such as multi-user access to an account, access controls, and even logging—which is great if you want to keep track of who's uploading and downloading what. There are usually no restrictions except on the total volume of data that can be stored (and in the terabyte range—such as ADrive's 10TB top-tier plan). For those services that offer personal-key encryption, this is sometimes only provided on the business accounts.

The sheer range of services available can make it a minefield for a CIO to determine what is an acceptable service. It doesn't help that some 'personal' accounts can offer limited business features such as shared access for teams, while 'business' services can be as simple as multi-user access— scaling up to the most expensive plans that can include installing dedicated hardware within the company linked to offsite storage. Competition is fierce, and so as a result are the services and the confusing array of options.

Hence we've put together a table covering 30 Cloud storage services, their essential features, and which ones offer private-key encryption. With respect to security, see the table embedded below:

Page Break

Every business has its own requirements, and the following will help you to narrow down the choices to those that meet your needs.

Platform support—Naturally, most services can access files through a browser, and most will provide a native Windows client as well. But if you support multiple platforms, are native Mac and Linux clients important as well? And what about mobile smartphones and tablets?

Note that, even for services that don't provide a native iPhone, Android or Blackberry client, such services can usually still be accessed by the web browser on the phone or tablet, with services often providing a mobile-formatted web front-end.

Although not specifically stated in the table, most services also provide syncing across platforms and devices.

Collaboration—Personal services don't usually do much in the way of collaboration options beyond basic link-sharing. However business focused products can include a wide range of extra collaborative services including multi-user access to the same account, editing privileges, access controls and in some cases threaded commenting to track discussions. Importantly, as plans err to the enterprise side, most services provide full-featured logging and reporting functionality, so you know what has been uploaded/downloaded, by whom, and when. Beyond ensuring data is secured with encryption (see next), being able to monitor who has accessed what is the next best thing to keeping tabs on your data. Naturally, however, the plans that offer this functionality usually cost a bit more too.

Security—The crux, ultimately, of these products: as before, all services claim encryption of data at rest as well as in transit (by which they mean using SSL). Some services also provide the option for password protected files, folders and links while only a handful allow you to set manual expiry dates so files are deleted after a period.

The most important feature, of course, is private-key encryption and we've highlighted this in the table with services such as SpiderOak, Wuala and Jungle Disk. Others like Mozy, ElephantDrive and Box make it optional (more on this below) or provide it only with business plans.

Any service offering private-key encryption will usually state (if not directly in its supported features, then in its FAQs or Knowledge Base) that if you lose your key, they cannot help you recover your data. Which is, of course, the idea—only you should be able to decrypt it. Private keys are almost always based off a pass-phrase, and data is encrypted before being uploaded (also encrypted, as above, using SSL). This means from end to end no other party, including the service provider, is able to access your data, which is naturally the goal.

Note, however, that the use of private-key encryption can sometimes limit the extensibility of sharing—after all, the service provider isn't able to decrypt the data, so sharing of private-key encrypted files requires the recipient to have the password as well. This is likely why some services make it optional, especially in the case where encryption can only be offered for the whole account. Some services, however, can enable private-key encryption on a file/folder basis.

Finally—and this isn't addressed in many documents from service providers—note that mobile phone and tablet clients don't necessarily support encryption at all, due to the processing limits of the device. This not only applies to data, but sometimes to login credentials as well. If the use of a mobile client is desired, ping the support of the provider you're looking at to confirm if encryption is supported on their mobile clients.

Sharing—While some cloud storage services focus on being a backup for personal and business data, others highlight their ability to make it easy to share data with others. Certainly this is going to be the case for most free personal services employees might already be using. Sharing is usually through direct URL links to files on the service, which may be able to be password protected, but can also be through cross-account sharing with other users of the service. Note that for link-based sharing this is often only for sharing of individual files. If the sharing of large numbers of files is required, look for services that allow folders to be shared as well.

Services with an emphasis on backup tend to offer clients that allow you to schedule backups automatically, as well as file versioning to recover previous versions or deleted files. Both are nice to have for personal and business accounts alike.

Other features—A handful of services provide for directly editing documents on the service for certain file types, usually office documents (Word, Excel etc). This includes the ability to do so through mobile clients, which can be handy, and for those services that provide collaboration features this can include file-locking to ensure two people don't edit the same document at the same time. The two popular choices here appear to be Zoho's offering and Google Docs, and naturally Microsoft's Skydrive uses its own online Office offering.

Some administrators might feel comfortable about getting raw access to the service via FTP and so it's not surprising that some providers allow for this—a number of other providers, however, list 'getting rid of FTP' as one of their selling points in the marketing literature as means to exemplify how far we've come with network storage, and naturally don't offer the option to use FTP!

Making a choice

Given each business is unique and the extensive features Cloud storage services now provide, it's hard to recommend any particular service, with the exception that if—like IBM—you're concerned about the nature and sovereignty of data being uploaded that you choose a service that allows for private-key encryption. And then, don't lose the keys!