In the ongoing war to gain more users, many web services have adopted simplistic landing pages designed with the sole purpose of getting users signed up as quickly as possible. In most cases, the security aspect of the service is relegated to a minor footnote or a vague assurance that it is “safe and secure.”
The marketing hyperbole and lack of detail on such pages can make it difficult for those in smaller businesses, who likely lack the security expertise, to properly understand and appraise what they’re really signing up for. With this in mind, I outline two key points to help SMBs decipher the security messaging of cloud services and so help prevent possible data loss.
Secure Sockets Layer (SSL) is a cryptographic protocol that makes it possible to conduct secure communications over the Internet. Without SSL or a similar encryption system, data transfers are conducted “in the clear” and are completely open to being snooped upon by any system that the data passes through on its way to the destination system.
There are two key parts to SSL: an asymmetric portion, which is a 1024-bit digital certificate, and a symmetric portion, which is a 128-bit encryption key. The asymmetric component makes it possible to validate the authenticity of a remote website and to transmit the secret symmetric key used for subsequent data transfers between the two parties. Increasingly, though, sites such as Google, Microsoft and Symantec have moved to 2048-bit digital certificates, while the use of 256-bit encryption keys is also becoming more common.
While considered robust, SSL pertains only to data in transit and has nothing to do with how that data is stored at rest. Unfortunately, many web services refer only to SSL when touting how good their security is.
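To see what a service's "SSL" claim amounts to on the wire, the following added example (not part of the original article) performs a validated handshake using only Python's standard library and reports the negotiated protocol version and symmetric key size. The 128-bit threshold comes from the text above; the names `inspect_tls` and `assess` and the placeholder host are assumptions for illustration, and the certificate key size is not checked because the standard library does not expose it.

```python
import socket
import ssl
import sys

MIN_BITS = 128  # symmetric key size the article gives as the baseline
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # formally deprecated versions


def inspect_tls(host, port=443, timeout=5.0):
    """Handshake with chain and hostname validation on; report what was negotiated."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _, bits = tls.cipher()  # (cipher name, defining protocol, secret bits)
                return {"cert_ok": True, "protocol": tls.version(),
                        "cipher": name, "bits": bits}
    except ssl.SSLCertVerificationError as exc:
        # The authenticity half of the protocol failed: do not trust the endpoint.
        return {"cert_ok": False, "reason": exc.verify_message}


def assess(report):
    """Return a list of problems found in an inspect_tls() report (empty means none)."""
    if not report["cert_ok"]:
        return ["certificate did not validate: " + report["reason"]]
    problems = []
    if report["protocol"] in OLD_PROTOCOLS:
        problems.append("deprecated protocol " + report["protocol"])
    if report["bits"] < MIN_BITS:
        problems.append("%s uses a %d-bit key, below %d"
                        % (report["cipher"], report["bits"], MIN_BITS))
    return problems


if __name__ == "__main__":
    # Usage: python check_tls.py <hostname>   (example.com is only a placeholder default)
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    result = inspect_tls(target)
    print(result)
    for problem in assess(result) or ["no transport-layer problems found"]:
        print("-", problem)
    # A clean result covers data in transit only; storage encryption and key
    # custody have to be established from the vendor's documentation.
```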
Fortunately, not all cloud vendors leave data in an unencrypted state. To be clear, encrypted data has to be decrypted on the fly in order to be displayed on a website, so the effectiveness of such encryption in protecting your data may vary widely depending on the vendor's security architecture and implementation.
Similarly, while online storage services such as Dropbox and SugarSync store data in encrypted form, they also hold the decryption key to facilitate data access across multiple devices or on the Web. There are also cloud backup services, though, such as SpiderOak and Mozy, that encrypt data before it is uploaded.