2012-05-01

2012.05 Article: How to Tell If Your Cloud Provider Can Read Your Data

By Rich Mogull in TidBITS (Excerpt only. Read full story here.)

With the tremendous popularity of services like Dropbox and iCloud there is, rightfully, an incredible amount of interest in cloud data security. Sometimes it’s hard to figure out exactly who can look at our information, especially since buzzwords like “secure” and “encrypted” don’t necessarily mean you are the only one who can see your data.

Because there are many ways a cloud provider could protect your data, the actual implementation varies from service to service. All consumer cloud services are what we in the cloud world call public, and they are built for multi-tenancy.

A public cloud service is one that anyone on the Internet can access and use. To support this the cloud providers need to segregate and isolate customers from each other. Segregation means your data is stored in your own little virtual area of the service, and isolation means that the services use security techniques to keep people from seeing each other’s stuff.

Practically speaking, multi-tenancy means your data is co-mingled with everyone else’s on the back end. For example, file-storage services intermingle everyone’s files and then keep track of who owns what in the service’s database. Some, like Dropbox, will even store only a single copy of a given file and merely point at it from different owners. Thus multiple users who happen to have the same file are technically sharing that single instance; this approach also helps reduce the storage needed for multiple versions of a file for a single user. Cross-user deduplication like this is itself a tell: to recognize that two accounts hold the same file, the service must be able to compare the contents (or a hash of them), which it cannot do if each user’s files are encrypted with a key only that user holds.

Although multi-tenancy means co-mingling data, the cloud provider uses segregation techniques so you see only your own data when you use the service, and isolation to make sure you can’t maliciously go after someone else’s data when you’re using the system. The cloud provider’s databases and application code are key to keeping all these bits separate from each other. It isn’t like having a single hard drive, or even a single database, dedicated to your information. Multi-tenancy is used for files, email, calendar entries, photos, and every other kind of data you store with a cloud service.

A multi-tenancy architecture has two obvious problems. The first is that if there’s a mistake in the application or database the service runs on, someone else might see your data. There is a long history of Internet sites (cloud and otherwise) inadvertently allowing someone to manipulate a web page or URL, often by changing nothing more than a file or record identifier, to access unauthorized data, and the bad guys are always on the lookout for such vulnerabilities. The second problem is that the cloud provider’s employees can also see your data. Yes, the better services usually put a lot of policy and security controls in place to prevent this, but it’s always technically possible.
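The first problem above, an application that segregates data but fails to isolate it, is worth seeing in code. The following is an added example, not code from the article or from any real service: a constructed three-user file table in an in-memory SQLite database, a handler that looks files up by the identifier alone (the classic tampered-URL bug), and the hardened version that scopes every query to the authenticated tenant. The user and file names are made up.

```python
import sqlite3

# Constructed sample data (not from the article): three tenants' files
# co-mingled in one table, as a multi-tenant file service stores them.
SAMPLE_FILES = [
    (1, "alice", "taxes-2011.pdf", b"alice's tax return"),
    (2, "bob",   "notes.txt",      b"bob's private notes"),
    (3, "carol", "photo.jpg",      b"carol's photo bytes"),
]


def build_db():
    """In-memory database standing in for the provider's back-end table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, body BLOB)"
    )
    db.executemany("INSERT INTO files VALUES (?, ?, ?, ?)", SAMPLE_FILES)
    return db


def fetch_file_vulnerable(db, current_user, file_id):
    """Segregation without isolation: the handler trusts the id taken from
    the URL and never checks that the logged-in user owns the row, so any
    user who edits the id reads any other user's file."""
    return db.execute(
        "SELECT owner, name, body FROM files WHERE id = ?", (file_id,)
    ).fetchone()


def fetch_file_hardened(db, current_user, file_id):
    """Isolation: the query is scoped by the authenticated tenant as well as
    the id, so a guessed or tampered id for someone else's file returns
    nothing (the caller should then answer 404, not 403, to avoid
    confirming that the id exists)."""
    return db.execute(
        "SELECT owner, name, body FROM files WHERE id = ? AND owner = ?",
        (file_id, current_user),
    ).fetchone()


def demo():
    """Bob is logged in and changes the file id in the URL from 2 to 1."""
    db = build_db()
    return {
        "leaked": fetch_file_vulnerable(db, "bob", 1),   # alice's file
        "blocked": fetch_file_hardened(db, "bob", 1),    # None
        "own": fetch_file_hardened(db, "bob", 2),        # bob's own file
    }


if __name__ == "__main__":
    for label, row in demo().items():
        print(f"{label}: {row}")
```

The difference is one extra predicate in the WHERE clause, which is exactly why this class of bug is so common: nothing breaks when it is missing, the data is still "segregated" in the sense of being tagged with an owner, and only an attacker who tries another user's identifier notices.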

One way to mitigate some of these concerns is with encryption, which uses a mathematical process coupled with a key (a long random value) to turn your data into what looks like random gibberish; that key is needed to decrypt and read the data. Most cloud providers use encryption to protect your Internet connection to them (via SSL/TLS; look for https URLs) so no one can sniff it on the network. But encrypting data in transit is only half the battle: what about your data at rest in the provider’s data center? Encrypting stored data is necessary for any hope of keeping it secret from the cloud provider’s employees, but it is not sufficient on its own; what matters is who holds the key.

Some providers do encrypt your data in their data center. There are three ways to do this:
  1. Encrypt all the data for all users using a single key (or set of keys) that the cloud provider knows and manages.
  2. Encrypt each individual user’s data with a per-user key that the cloud provider manages.
  3. Encrypt each individual user’s data with a per-user key that the user manages.

Each has advantages and disadvantages, trading security for convenience. There are three different (but similar) indications that your cloud data is accessible to your provider:
  1. If you can see your data in a Web browser after entering only your account password, the odds are extremely high that your provider can read it as well. The only way you could see your data in a Web browser and still have it be hidden from your provider is if the service relied on complex JavaScript code or a Flash/Java/ActiveX control to decrypt and display the data locally. Even then you are trusting the provider not to alter that code, because the provider serves it to your browser on every visit.
  2. If the service offers both Web access and a desktop application, and you can access your data in both with the same account password, odds are high that your provider can read your data. This is because your account password is also probably being used to protect your data (usually your password is used to unlock your encryption key). While your provider could technically architect things so the same password is used in different ways to both encrypt data and allow Web access, that really isn’t done.
  3. If you can access the cloud service via a new device or application using your account user name and password, your provider can probably read your data. This is just another variation of the item above.

Last year it was widely reported that Dropbox accidentally allowed any user access to any other user’s account. With iCloud I have a single user name and password. It offers a rich and well-designed web interface where I can manage individual e-mail messages, calendar entries, and more. I can register new devices and computers with the same user name and password I use on the website. Thus, from the beginning, it was clear Apple had the capability to read my content. That doesn’t mean Dropbox, iCloud, and similar services are insecure. They generally have extensive controls — both technical and policy restrictions — to keep employees from snooping. But it does mean that such services aren’t suitable for all users in all cases, especially businesses or governmental organizations that are contractually or legally obligated to keep certain data private.

There are services that offer users flexible encryption (and thus more security). If you want to be certain that your data are safe from both attackers and the cloud provider’s employees snooping, look for services that offer additional options for encrypting data, either with a password or an encryption key known only to you. If such an option isn’t available at the next cloud service you check out, you’ll know that the provider’s employees could technically read your data. And when the next big story of a cloud provider reading data hits the headlines, you can smugly inform your friends that you knew it all along.
