What's the most secure cloud storage service?

Hi everyone. I used to use Dropbox, but I heard that their security policy is much more lax than I was led to believe. Apparently their employees have basically unlimited access to your files.

The problem is that I'm an attorney, and so I have an obligation to keep client files confidential. I'm not confident that Dropbox can meet my needs, so does anyone know of a similar cloud service that takes privacy seriously? I heard SpiderOak was good, but I wanted some opinions.

Thanks!

 

Unfortunately, I think the best way to go about this is not to use cloud.

 

Steve Gibson looked a lot at cloud storage this year on Security Now and he championed SpiderOak. I've been using it for a while and I'm very happy with it but I'm probably not the best person to comment on how secure it is.

You could always encrypt your folders with True Crypt and then save them to the cloud. You could also use an email account instead if you're not intending to store massive amounts but I guess that's only going to be as secure as you feel your email's going to be.

 

I hate to keep plugging my own stuff but it's 1000% relevant to the post. Earlier this month I did a comparison of how 22 different cloud providers handle security. Encryption, login authentication and key ownership were of special interest. I only looked at free services but they have paid accounts.

http://www.thesimplecomputer.info/articles/cloud-storage-page1.html


SpiderOak and Wuala are the usual recommendations and I'd put ElephantDrive at the higher end of the spectrum because you can opt to create your own personal keys which ED never obtains. Cyphertite is spectacular but it's more for backup than sharing & syncing so it's somewhat limited in features compared to the others. TeamDrive, again more for backup but a good choice with personal keys. Cubby has huge potential if LogMeIn plays their cards right but for now, it would be best with your own encryption but at that point, Dropbox would be fine too.

I've seen JungleDisk, Carbonite and Tarsnap highly recommended but I've not tried them myself.

The Encfs, Truecrypt and GPG4Win sort of solutions are the most secure and preserve most (not all) of the usability of Dropbox, SkyDrive, etc.


edit- Here's a PDF link to what Steve Gibson did.
http://www.grc.com/sn/sn-349.pdf

 

@ awkwardpenguin: WOW: what a good list, thx for posting.

There are so many options.

And this:
http://www.cnet.com.au/free-cloud-services-compared-339333526.htm

and this:
http://www.theverge.com/2012/4/24/2...-skydrive-sugarsync-cloud-storage-competition

Lots of comparitives on the web.


All the options have good security but all have some vulnerabilities:
google "dropbox insecure"

What may be another legal issue for you is the servers are subject to the access/privacy laws in the country where the servers are located.

With respect to legal files, there must be some services already in place for secure handling of both physical and digital files ??

If you have closed cases: scan and physically file somewhere in secure storage or just lockup the files.?
If you have current cases to share docs or access out of office, then cloud service with encryption keys and syncing might be OK.?

Cubby has been getting some positive press but is relatively new, seems to have double layer encryption.
SpiderOak and Wuala seem to top the lists for most particular users.

 

unfortunately, the Spider Oak program is buggy on both Linux and Windows.

that was 3-4 months ago though so hopefully things are better now.
Wuala requires Java so that's a no-go for me.

 

Good thread idea Fox Mulder.

Great work, awkwardpenguin, have some reading to do!

Apart from the "usual suspects", being SpiderOak and Wuala, don't forget client-side encryption and decryption programs which keep the key on your pc. Cloudfogger and BoxCryptor are usually mentioned. The first is free and has been endorsed by Steve Gibson (transcript), the second is free for personal use.

A thread here at Wilders on Cloudfogger. Another brief local thread. A review of three client-side encryption programs.

Looking forward to additional comments on this topic.

 

Going beyond what security and privacy features, do any cloud providers actually back up these features up with any guarantee of liability in contract ?

If not then security measures or not, they are simply not suitable for storing information about others.

 

SpiderOak was very buggy for me. It was not syncing a damn thing many times, and one day remained in the syncing state for always. Couldn't remove the synced files, couldn't add new things, couldn't do nothing.

 

Further to merisi's excellent idea, you could encrypt files/folders/docs etc & send them to your own email addy, or create a new one just for storage.

As long as you used Strong encryption, with a Good PW, you should be fine.

NEVER try to decrypt Anything online, download & do it locally.

 

I know some attorneys/firms and they all have 1) a professional grade burglar and fire resistant safe, and 2) a professional grade, monitored, burglar and fire alarm system at their place of business. Even in those cases where they practice out of their home office. This is SOP. It allows them to keep a variety of materials (including files/backups on removable storage) secure while also allowing them to keep those materials within their own control. Some also utilize a secured offsite storage location, such as a privately locked box within a bank safe deposit box, a privately locked room in a secure storage facility, or another secured building of their own. So there is always at least one layer of physical protection that they provide themselves. At least a few also use private encryption of files so as to add an additional layer of protection. You might want to consider thinking along those lines rather than trying to find the least worst approach to uploading sensitive client information to an online/cloud storage provider.

 

One thing I learned quickly was that just about all cloud storage providers are imperfect solutions if security requirements are high. You must lower your standards and then keep that in mind when discussing which is 'secure' or 'best'. Some companies really try to make things tightly-knit and do a good job of it, but most don't put out much effort and have interest only in being secure enough.

@NGRhodes. There is no guarantee of liability and the TOSs I've read all state that you agree not to hold the service provider responsible for any data loss. The only exception I've seen is from ZenOK who offers a data warranty.
http://www.zenok.com/en/data-warranty

My experience with ZenOK was less than stellar, though.
http://thesimplecomputer.info/articles/cloud-storage-page2.html#ze

Really the best (not the 'best') thing to do for security is encrypt your own stuff with a strong password.

 

Others here have given suggestions. Still, pardon me but I can't help but to wonder why you are looking at cloud storage services. Given your scenario and responsibility, isn't it much better keep your client files offline?? Credibility and trust are important qualities of an attorney. I assume the better so there must be a justification for what you're seeking.

 

I was hoping the OP would reply and comment on that as well. When it comes to information security the objective is to keep information away from the Internet and off of other people's systems. One situation where that really does become a problem is when the client and attorney want to exchange some information. Meeting in person, dropping things off, law firm runners, those won't work for all situations. Mail, fax, and email aren't secure but they are good enough for some things and can be beefed up (using a special courier service to deliver secured/tamper-evident materials, using encrypted email or exchanging encrypted attachments). One approach, which I think has potential, is the secure message center approach used by many financial institutions. Messages and files can be exchanged that way.

I know a small three attorney, three paralegals, plus a few others size firm that used to and probably still does use entirely in-house systems (web server, email server, plus everything else) and for larger firms it is even easier to do so. For an even smaller firm or perhaps single attorney trying to start their first practice, such infrastructure could certainly be a problem. They might not even know much about technology and security to begin with. One thing someone could do is explore support services via their local bar association(s). IOW, try to find a reputable outfit that offers truly professional grade IT solutions to attorneys and firms.

 

Cloud storage services are commonly used in the legal field. Mainly because if you're away from the office, you can't lug a fireproof burglarproof safe everywhere you go if you need to work on something with your laptop.

Every state bar that has looked at the ethics of cloud storage has approved its use, as far as I'm aware.

I see no problem with a "zero-knowledge" solution like SpiderOak coupled with Full Disk Encryption.

People can break into safes; can people break into AES? I'd argue that a fully encrypted solution is stronger than any physical solution.

 

Heh. Note, however, if the context is as it should be and one is only using secured/approved computers to access the sensitive information, you will have such a device with you no matter where you happen to be when you try to access your files. One which, in order to prevent tampering and/or theft of sensitive information still resident on the device as a result of local caching of remotely stored files, temp files, log files, etc would be protected in the same way at all times. IOW, the "convenience to access files regardless of where I am at" argument would be countered by the ability (if not certainty) to have the files you might need already on the secured/approved device you must use. Of course, there also remains the option to use a private remote storage solution as opposed to a public one.

Yes people can break into AES encrypted files. We basically just try to make the conditions such that they must use a brute force approach and then hope that the extremely unlikely probability of success actually pans out. We shouldn't forget that it might not though. Thankfully, there is a range of options and ways to layer things and thus we aren't limited to, for example, only storing unencrypted information in safes or sharing encrypted information with a third party who knows what encryption algorithms were used.

Sounds like you've made or are close to your decision. In the past I looked over the SpiderOak site and found it interesting enough to bookmark. IIRC, the client side software is closed source and that is something to weigh and consider taking some precautions against (care if/when updating, private encryption before exposing files to their software). Some other things to consider if you haven't already done so:

1) Their policy and obligations WRT notifying customers of vulnerabilities and/or breaches which could have resulted in customers' encrypted files or other records being copied/compromised.
2) How they, themselves, handle offsite backups if those apply
3) Your own approach to maintaining secure backups of what you intend to store in someone else's cloud
4) Their policy and obligations WRT notifying customers of, and giving customers an opportunity to legally respond to, attempts by other parties to "legally" acquire files or other records. That wouldn't necessary protect things, for example against strong-arming or a national security letter.
5) Their policy and obligations WRT deleting all copies of things upon request and attesting to that.
6) What, if any, auditing by outside specialists they've had done and/or will be doing in the future.
7) Disclosing your use of such third party solutions to your clients

Good luck with whatever approach you choose.

 

I'm not set on my decision, but SpiderOak is definitely leading the pack right now.

When it comes to my passwords for encrypted volumes, they're extremely long; if anyone were to steal my laptop, I'd be long dead before they could brute force it. I'm not terribly worried about that aspect of it.

Despite the Dropbox privacy concerns, I do know some attorneys that are sticking by the service. Most ethical requirements are not as strict as you would expect. However, I'm not comfortable with it. I suppose ANY service is okay if you use a TrueCrypt container though. AES with an appropriately long password, of course.

I hoped to get more opinions about SpiderOak and related services, instead of opinions about the ethical rules.

 

FWIW, I'm not (and I don't think anyone else is) addressing or questioning ethics. The intention was/is simply to encourage you and others who will read this thread to be sure to consider alternatives and all angles. Hopefully you will get more replies about SpiderOak and any other such services that interest you.

 

If you choose to use cloud storage for your legal data, then I would highly encourage you to have some backups elsewhere, maybe even use two cloud service providers for duplication. There is absolutely no guarantee that your data won't be siezed by the authorities during an investigation of someone else's data that happens to be on the same server as yours. (That's ultimately all that Cloud Computing is- just a server that you don't own.)

If you can upload encrypted data and only unencrypt it locally, then IMO the security increases. Even if someone gets ahold of it, they'll just see gibberish unless they've got the encryption key.

 

@Fox Mulder

Thanks for the reply. I hope you were not offended in any way. It was an attempt at understanding your situation better...nothing more than that. I wish I can help but this is one area where my knowledge limits me. Hopefully, you find what you need

 

I haven't been offended in the slightest, I actually appreciate the posts. I was just hoping that someone had some SpiderOak stories to share. In a way, it's almost encouraging. If you ask most security buffs about Dropbox, I'm sure they'd talk all about the recent privacy problems. But it doesn't seem that way about SpiderOak. I know this isn't dispositive of anything, but there's some value to the zeitgeist.

 

If I was the orginal poster (I'm not) I would NOT use cloud at all for private client data.

If he must do this for operational convenience then he should get client permission to do it and get them to sign a waiver.

Whatever use local computer encryption NOT depend on cloud methods and their promise to NOT to capture your keys.

If it arrives encrypted over an https connection to the cloud that is best. Put only active cases on when you are off site no history ever.

But the bottom line is don't do it.

 

based on the reviews at the simple computer, I would pick Idrive for standard stuff.
Titanfile & TeamDrive for the confidential/strictly private data.

 

I would not use Cloud Storage unless it's a really really must have feature based on circumstances . . .