Cla78 - stock.adobe.com
Everyone should be concerned about becoming a victim of a data breach somewhere on the internet. But organizations also need to be more concerned about how their "trusted" providers might be using their confidential data, specifically as it pertains to the files entrusted to a cloud provider's storage.
This article provides background on cloud storage and offers five commonsense questions to ask providers about cloud storage privacy and how they use customer data. Because Dropbox is a vendor known to many readers, I use it to illustrate some points about data protection in the cloud, but note that these observations apply to many other cloud storage vendors as well, not only Dropbox.
Typical privacy policies are light on specifics
But what about the security and privacy of customer data?
Let's look at an example of how data availability works. Users sign on to Dropbox with their user IDs and passwords, perhaps even using multifactor authentication. Then, they decide who to share files with via the Dropbox GUI. At this point, users might assume nobody can view their Dropbox files without explicit permission. But they would be wrong.
For starters, Dropbox reported that, from July through December 2018, the company provided content in response to 526 search warrants. So, while Dropbox uses 256-bit Advanced Encryption Standard to encrypt the data it stores, it is apparent it also holds the encryption keys. After all, if the company didn't have the keys, it wouldn't be able to provide content in response to search warrants.
Government court orders aside, Dropbox users grant Dropbox broad permission by accepting its terms of service (ToS) agreement. Its terms explain how the company offers users various services, such as document previews and optical character recognition, but the ToS continue to say that, to offer these features, "Dropbox accesses, stores and scans your stuff. You give us permission to do those things, and this permission extends to our affiliates and trusted third parties we work with."
Customers' valuable and confidential business data is just more "stuff" to Dropbox (its term, not mine). While I am not a lawyer, it would appear Dropbox could do just about anything it wants with data without violating the ToS.
Data protection questions to ask cloud storage vendors
If nothing else, users have a right to know how their data files are being used. If "private and confidential" is just a bubble to be burst, then Dropbox and other companies should be clear about it.
Here are five questions to ask any potential or current vendor to ensure cloud storage privacy and security. Clear answers will help you better understand just how private and confidential your data files really are.
- On encryption keys: Assuming that my file data is encrypted on your storage, who has access to the encryption keys?
- On tech support access to data files: Does tech support -- employees, contractors or third parties -- have access to the files I store on your cloud service?
- On keyword scanning: Do you or any third party scan or otherwise process my data files? If so, what is done with the information obtained during the scan?
- On copies of data files: To provide a secure, redundant service, is it safe to assume that you back up or replicate my data files to another location or system? If so, what controls are in place to keep internal staff or third parties from accessing those copies of my data files?
- On audits: How do you audit your own internal policies with respect to unauthorized internal access to customer data files?
For Dropbox specifically, I couldn't find clear answers to any of these questions in its various privacy, ToS or transparency pages. Enterprises should be sure to do their research before using such services.
While not particularly well known, some cloud storage vendors, including Tresorit, SpiderOak and pCloud, have implemented zero-knowledge services. These cloud storage providers encrypt customers' data files before the files leave their PCs. The files can then only be decrypted using a key that only the customers have. In that case, all the aforementioned issues become nonissues in one stroke.