What's the most secure cloud storage service?

Discussion in 'other software & services' started by Fox Mulder, Dec 18, 2012.

Thread Status:
Not open for further replies.
  1. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    Hi everyone. I used to use Dropbox, but I heard that their security policy is much more lax than I was led to believe. Apparently their employees have basically unlimited access to your files.

    The problem is that I'm an attorney, and so I have an obligation to keep client files confidential. I'm not confident that Dropbox can meet my needs, so does anyone know of a similar cloud service that takes privacy seriously? I heard SpiderOak was good, but I wanted some opinions.

    Thanks!
     
  2. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Unfortunately, I think the best way to go about this is not to use cloud.
     
  3. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    Steve Gibson looked a lot at cloud storage this year on Security Now and he championed SpiderOak. I've been using it for a while and I'm very happy with it but I'm probably not the best person to comment on how secure it is.

    You could always encrypt your folders with TrueCrypt and then save them to the cloud. You could also use an email account instead if you're not intending to store massive amounts, but I guess that's only going to be as secure as you feel your email's going to be.
     
  4. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    I hate to keep plugging my own stuff but it's 1000% relevant to the post. Earlier this month I did a comparison of how 22 different cloud providers handle security. Encryption, login authentication and key ownership were of special interest. I only looked at free services but they have paid accounts.

    http://www.thesimplecomputer.info/articles/cloud-storage-page1.html


    SpiderOak and Wuala are the usual recommendations and I'd put ElephantDrive at the higher end of the spectrum because you can opt to create your own personal keys which ED never obtains. Cyphertite is spectacular but it's more for backup than sharing & syncing so it's somewhat limited in features compared to the others. TeamDrive, again more for backup but a good choice with personal keys. Cubby has huge potential if LogMeIn plays their cards right but for now, it would be best with your own encryption but at that point, Dropbox would be fine too.

    I've seen JungleDisk, Carbonite and Tarsnap highly recommended but I've not tried them myself.

    The EncFS, TrueCrypt and GPG4Win sort of solutions are the most secure and preserve most (not all) of the usability of Dropbox, SkyDrive, etc.


    edit- Here's a PDF link to what Steve Gibson did.
    http://www.grc.com/sn/sn-349.pdf
     
    Last edited: Dec 18, 2012
  5. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @ awkwardpenguin: WOW: what a good list, thx for posting.

    There are so many options.

    And this:
    http://www.cnet.com.au/free-cloud-services-compared-339333526.htm

    and this:
    http://www.theverge.com/2012/4/24/2...-skydrive-sugarsync-cloud-storage-competition

    Lots of comparatives on the web.


    All the options have good security but all have some vulnerabilities:
    google "dropbox insecure" :ouch:

    What may be another legal issue for you is the servers are subject to the access/privacy laws in the country where the servers are located.

    With respect to legal files, there must be some services already in place for secure handling of both physical and digital files?

    If you have closed cases: scan and physically file somewhere in secure storage, or just lock up the files?
    If you have current cases to share docs or access out of office, then a cloud service with encryption keys and syncing might be OK?

    Cubby has been getting some positive press but is relatively new, seems to have double layer encryption.
    SpiderOak and Wuala seem to top the lists for most particular users.
     
  6. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Unfortunately, the SpiderOak program is buggy on both Linux and Windows.

    that was 3-4 months ago though so hopefully things are better now.
    Wuala requires Java so that's a no-go for me.
     
  7. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    377
    Good thread idea Fox Mulder.

    Great work, awkwardpenguin, have some reading to do!

    Apart from the "usual suspects", being SpiderOak and Wuala, don't forget client-side encryption and decryption programs which keep the key on your pc. Cloudfogger and BoxCryptor are usually mentioned. The first is free and has been endorsed by Steve Gibson (transcript), the second is free for personal use.

    A thread here at Wilders on Cloudfogger. Another brief local thread. A review of three client-side encryption programs.

    Looking forward to additional comments on this topic.
     
    Last edited: Dec 20, 2012
  8. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Going beyond what security and privacy features they offer, do any cloud providers actually back these features up with any guarantee of liability in contract?

    If not then security measures or not, they are simply not suitable for storing information about others.
     
  9. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    SpiderOak was very buggy for me. It was not syncing a damn thing many times, and one day it remained in the syncing state forever. Couldn't remove the synced files, couldn't add new things, couldn't do anything.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Further to merisi's excellent idea, you could encrypt files/folders/docs etc & send them to your own email addy, or create a new one just for storage.

    As long as you used Strong encryption, with a Good PW, you should be fine.

    NEVER try to decrypt Anything online, download & do it locally.
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    I know some attorneys/firms and they all have 1) a professional grade burglar and fire resistant safe, and 2) a professional grade, monitored, burglar and fire alarm system at their place of business. Even in those cases where they practice out of their home office. This is SOP. It allows them to keep a variety of materials (including files/backups on removable storage) secure while also allowing them to keep those materials within their own control. Some also utilize a secured offsite storage location, such as a privately locked box within a bank safe deposit box, a privately locked room in a secure storage facility, or another secured building of their own. So there is always at least one layer of physical protection that they provide themselves. At least a few also use private encryption of files so as to add an additional layer of protection. You might want to consider thinking along those lines rather than trying to find the least worst approach to uploading sensitive client information to an online/cloud storage provider.
     
  12. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    One thing I learned quickly was that just about all cloud storage providers are imperfect solutions if security requirements are high. You must lower your standards and then keep that in mind when discussing which is 'secure' or 'best'. Some companies really try to make things tightly-knit and do a good job of it, but most don't put out much effort and have interest only in being secure enough.

    @NGRhodes. There is no guarantee of liability and the TOSs I've read all state that you agree not to hold the service provider responsible for any data loss. The only exception I've seen is from ZenOK who offers a data warranty.
    http://www.zenok.com/en/data-warranty

    My experience with ZenOK was less than stellar, though. o_O
    http://thesimplecomputer.info/articles/cloud-storage-page2.html#ze

    Really the best (not the 'best') thing to do for security is encrypt your own stuff with a strong password.
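    The "encrypt it yourself with a strong password, upload only the ciphertext, decrypt only locally" advice given by merisi, CloneRanger and shuverisan above, as an added example that is not from any poster or product named in this thread. It uses Ruby's standard OpenSSL binding (AES-256-GCM with a PBKDF2-derived key); the memo, passphrase, filename and helper names are constructed assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Constructed sample input: a client memo destined for someone else's cloud.
SAMPLE_MEMO = "Client: Jane Roe (constructed example)\nMatter: contract review\nNotes: draft terms attached.\n"

PBKDF2_ITERATIONS = 200_000  # slows down password guessing against a stolen blob
KEY_LEN  = 32                # AES-256
SALT_LEN = 16
IV_LEN   = 12                # GCM nonce
TAG_LEN  = 16                # GCM authentication tag

# Derive the AES key from the passphrase; only the random salt is stored with the file,
# so the provider never holds anything that yields the key.
def derive_key(passphrase, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, PBKDF2_ITERATIONS, KEY_LEN,
                             OpenSSL::Digest.new('SHA256'))
end

# Returns an opaque blob laid out as salt || iv || tag || ciphertext. The filename is
# bound in as associated data, so a blob renamed to another file fails to decrypt.
def encrypt_for_cloud(plaintext, passphrase, filename)
  salt = SecureRandom.random_bytes(SALT_LEN)
  iv   = SecureRandom.random_bytes(IV_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(passphrase, salt)
  cipher.iv  = iv
  cipher.auth_data = filename
  ciphertext = cipher.update(plaintext) + cipher.final
  salt + iv + cipher.auth_tag + ciphertext
end

# Returns the plaintext, or nil if the passphrase is wrong, the filename does not
# match, or any byte of the blob was altered (the GCM tag check fails).
def decrypt_locally(blob, passphrase, filename)
  header = SALT_LEN + IV_LEN + TAG_LEN
  return nil if blob.bytesize < header
  salt = blob.byteslice(0, SALT_LEN)
  iv   = blob.byteslice(SALT_LEN, IV_LEN)
  tag  = blob.byteslice(SALT_LEN + IV_LEN, TAG_LEN)
  ciphertext = blob.byteslice(header, blob.bytesize - header)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_key(passphrase, salt)
  cipher.iv  = iv
  cipher.auth_tag  = tag
  cipher.auth_data = filename
  out = ciphertext.empty? ? ''.b : cipher.update(ciphertext)
  out + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  blob = encrypt_for_cloud(SAMPLE_MEMO, 'correct horse battery staple', 'roe-memo.txt')
  ok = decrypt_locally(blob, 'correct horse battery staple', 'roe-memo.txt') == SAMPLE_MEMO
  puts "upload #{blob.bytesize} opaque bytes; decrypts locally: #{ok}"
end
```

    Only the blob ever leaves the machine; the provider sees a random salt, nonce, tag and ciphertext, and any wrong passphrase or tampering shows up as a nil result rather than silently corrupted output.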
     
  13. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    Others here have given suggestions. Still, pardon me but I can't help but wonder why you are looking at cloud storage services. Given your scenario and responsibility, isn't it much better to keep your client files offline? Credibility and trust are important qualities of an attorney. I assume the better so there must be a justification for what you're seeking.
     
  14. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    I was hoping the OP would reply and comment on that as well. When it comes to information security the objective is to keep information away from the Internet and off of other people's systems. One situation where that really does become a problem is when the client and attorney want to exchange some information. Meeting in person, dropping things off, law firm runners, those won't work for all situations. Mail, fax, and email aren't secure but they are good enough for some things and can be beefed up (using a special courier service to deliver secured/tamper-evident materials, using encrypted email or exchanging encrypted attachments). One approach, which I think has potential, is the secure message center approach used by many financial institutions. Messages and files can be exchanged that way.

    I know a small three attorney, three paralegals, plus a few others size firm that used to and probably still does use entirely in-house systems (web server, email server, plus everything else) and for larger firms it is even easier to do so. For an even smaller firm or perhaps single attorney trying to start their first practice, such infrastructure could certainly be a problem. They might not even know much about technology and security to begin with. One thing someone could do is explore support services via their local bar association(s). IOW, try to find a reputable outfit that offers truly professional grade IT solutions to attorneys and firms.
     
    Last edited: Dec 21, 2012
  15. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    Cloud storage services are commonly used in the legal field. Mainly because if you're away from the office, you can't lug a fireproof burglarproof safe everywhere you go if you need to work on something with your laptop.

    Every state bar that has looked at the ethics of cloud storage has approved its use, as far as I'm aware.

    I see no problem with a "zero-knowledge" solution like SpiderOak coupled with Full Disk Encryption.

    People can break into safes; can people break into AES? I'd argue that a fully encrypted solution is stronger than any physical solution.
     
  16. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Heh. Note, however, if the context is as it should be and one is only using secured/approved computers to access the sensitive information, you will have such a device with you no matter where you happen to be when you try to access your files. One which, in order to prevent tampering and/or theft of sensitive information still resident on the device as a result of local caching of remotely stored files, temp files, log files, etc., would be protected in the same way at all times. IOW, the "convenience to access files regardless of where I am at" argument would be countered by the ability (if not certainty) to have the files you might need already on the secured/approved device you must use. Of course, there also remains the option to use a private remote storage solution as opposed to a public one.

    Yes people can break into AES encrypted files. We basically just try to make the conditions such that they must use a brute force approach and then hope that the extremely unlikely probability of success actually pans out. We shouldn't forget that it might not though. Thankfully, there is a range of options and ways to layer things and thus we aren't limited to, for example, only storing unencrypted information in safes or sharing encrypted information with a third party who knows what encryption algorithms were used.

    Sounds like you've made or are close to your decision. In the past I looked over the SpiderOak site and found it interesting enough to bookmark. IIRC, the client side software is closed source and that is something to weigh and consider taking some precautions against (care if/when updating, private encryption before exposing files to their software). Some other things to consider if you haven't already done so:

    1) Their policy and obligations WRT notifying customers of vulnerabilities and/or breaches which could have resulted in customers' encrypted files or other records being copied/compromised.
    2) How they, themselves, handle offsite backups if those apply
    3) Your own approach to maintaining secure backups of what you intend to store in someone else's cloud
    4) Their policy and obligations WRT notifying customers of, and giving customers an opportunity to legally respond to, attempts by other parties to "legally" acquire files or other records. That wouldn't necessarily protect things, for example against strong-arming or a national security letter.
    5) Their policy and obligations WRT deleting all copies of things upon request and attesting to that.
    6) What, if any, auditing by outside specialists they've had done and/or will be doing in the future.
    7) Disclosing your use of such third party solutions to your clients

    Good luck with whatever approach you choose.
     
    Last edited: Dec 22, 2012
  17. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    I'm not set on my decision, but SpiderOak is definitely leading the pack right now.

    When it comes to my passwords for encrypted volumes, they're extremely long; if anyone were to steal my laptop, I'd be long dead before they could brute force it. I'm not terribly worried about that aspect of it.

    Despite the Dropbox privacy concerns, I do know some attorneys that are sticking by the service. Most ethical requirements are not as strict as you would expect. However, I'm not comfortable with it. I suppose ANY service is okay if you use a TrueCrypt container though. AES with an appropriately long password, of course.

    I hoped to get more opinions about SpiderOak and related services, instead of opinions about the ethical rules. :p
     
  18. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    FWIW, I'm not (and I don't think anyone else is) addressing or questioning ethics. The intention was/is simply to encourage you and others who will read this thread to be sure to consider alternatives and all angles. Hopefully you will get more replies about SpiderOak and any other such services that interest you.
     
  19. BrandiCandi

    BrandiCandi Guest

    If you choose to use cloud storage for your legal data, then I would highly encourage you to have some backups elsewhere, maybe even use two cloud service providers for duplication. There is absolutely no guarantee that your data won't be seized by the authorities during an investigation of someone else's data that happens to be on the same server as yours. (That's ultimately all that Cloud Computing is: just a server that you don't own.)

    If you can upload encrypted data and only unencrypt it locally, then IMO the security increases. Even if someone gets ahold of it, they'll just see gibberish unless they've got the encryption key.
     
  20. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    @Fox Mulder

    Thanks for the reply. I hope you were not offended in any way. It was an attempt at understanding your situation better... nothing more than that. I wish I could help but this is one area where my knowledge limits me. Hopefully you find what you need ;)
     
  21. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    I haven't been offended in the slightest, I actually appreciate the posts. I was just hoping that someone had some SpiderOak stories to share. :p In a way, it's almost encouraging. If you ask most security buffs about Dropbox, I'm sure they'd talk all about the recent privacy problems. But it doesn't seem that way about SpiderOak. I know this isn't dispositive of anything, but there's some value to the zeitgeist.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    I selected and use two different cloud storage services. I used 3 factors and will explain each.

    The two services were Idrive and Jungle Disk. Jungle Disk is a subsidiary of Rackspace, which is a well-known commercial Cloud Service.

    First Factor Security

    Both offer two levels. The first is the standard password level. At this level, if you lose your password, they can recover it for you. Not very secure. The second level is you can set your own encryption key. This makes your data inaccessible to anyone else, and both services warn you sternly: if you lose your key, you are out of luck. This is the strength I wanted.

    Second Factor Data Retention as it relates to versioning.

    Since both services are paid, time of retention is not an issue with each.

    Idrive, for the service I use, is $4.95/month for 150gb. They only charge the first of any versions of the file against your usage, but they only retain the 30 most recent versions. For some things I do, this is fine, but not all.

    Jungle Disk starts at a small fixed fee, gives you 5gb, and there is a very small per gig charge after that. But they offer the option of retaining only so many versions, or retaining all versions.

    Third Factor is Geographical diversity. Idrive is located in California. Although they say their servers are seismically protected, but still.... Jungle Disk servers are located between Texas and Ill. So they are all in the Midwest.

    There is also another difference that could be a factor. With Idrive, I can go in and delete files that are stored. Jungle Disk offers two different approaches. The original approach also stores by file and folder, and you can delete files, but it takes more space and is a longer upload. Their other approach is called a vault system. In this approach uploads are faster, and storage space is reduced. The only drawback is you can't go in and delete a folder or files.

    Hope this helps.

    Pete
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    If I was the original poster (I'm not) I would NOT use cloud at all for private client data.

    If he must do this for operational convenience then he should get client permission to do it and get them to sign a waiver.

    Whatever you do, use local computer encryption; do NOT depend on cloud methods and their promise NOT to capture your keys.

    If it arrives encrypted over an https connection to the cloud, that is best. Put only active cases on when you are off site, no history ever.

    But the bottom line is don't do it.
     
  24. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Based on the reviews at The Simple Computer, I would pick Idrive for standard stuff.
    Titanfile & TeamDrive for the confidential/strictly private data.
     
  25. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    I would not use Cloud Storage unless it's a really really must have feature based on circumstances . . . :D
     