Public Cloud Security: What’s It Worth?

Free storage and sharing are part of the allure of public cloud storage services like Dropbox, Box and Google Drive. When it comes to the security of your data in the Cloud, there’s a substantial difference between “free” and “no value.”

Cloud vendors do a fantastic job of helping people work together by providing easy, fluid storage for the modern, mobile nature of business. Along with the ease of use on free public cloud platforms, you’re assured by the providers of the security of your personal and business files. But does that security really match what you expect and what your business requires?

For their part, public Cloud vendors provide encryption and decryption of data while it’s in their data centers. Cloud vendors talk up this encryption as a central point of security. But what value do encryption and decryption have if they are entirely in the control of the Cloud vendor? It’s like having a locksmith put a new deadbolt on your front door, but then letting the locksmith keep all of the keys. And, to make matters worse, all the houses in the neighbourhood have the same key!

What Cloud vendors actually offer is more along the lines of “zero-value encryption,” as it’s been dubbed by trusted enterprise data security voice Steve Gibson and others. It’s a level of security for their data centers, but no great protection when it comes to how you sync, share and store files in the Cloud. The data should be safe inside the perimeter of the data center but, as we have discovered, this vendor-backed security wavers.

Diving into the functionality of Cloud vendor-controlled security, a few cracks in this “zero-value encryption” have been revealed. In a recent instance, certain Web apps were regularly opened by Dropbox during the regular process of storing and sharing. One Box user found that a “complete stranger” had been allowed to delete all his files. Cloud vendors have been unable to shake security concerns since the start of the big Cloud adoption boom. Every week brings more tales of business data breaches, exposure of unencrypted personal information and revelations on federal snooping into programs. Every year, the cost of a breach goes up, registering nearly $200 per file in the most recent estimates from the Ponemon Institute.

The Cloud providers are even at odds with each other over what value their encryption provides. Recently, Dropbox and Google leaders got into a back-and-forth spat on the legitimacy of at-rest security of data. Digging into the details, cloud providers acknowledge that security-conscious customers would do best to take on their own layer of data protection. As Google Drive product manager Dave Barth summarized in a company blog outlining their in-house encryption and the control they retain over locking and unlocking the data: “Of course, if you prefer to manage your own [encryption] keys then you can still encrypt data yourself prior to writing it to Cloud Storage.”

Barth’s statement here cuts to the core of the matter. If you want cloud security of real value, with true control over it, it’ll take a bit more of a “trust no one” approach and some third-party software.

On the software front, there’s an emerging ecosystem of platforms and apps to fill in this security gap between business expectations and zero-value encryption on Cloud platforms. You can go the route of “containing” laptops and mobile devices through policies that implement an extra step or portals to share and store in the cloud. New security “as a service” vendors are offering what amounts to APIs for sharing and storage outside of the traditional business firewall. Coming from an encryption perspective with our product stack, including Viivo, we opt for data-centric protection where you hold the keys and authentication for data security in transit and at rest. Your data is protected wherever it goes regardless of how it gets there.
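To make "encrypt data yourself prior to writing it" and "you hold the keys" concrete, here is an added Node.js sketch (not code from this article, Viivo or any cloud vendor) in which the provider only ever stores ciphertext. The blob layout, function names and the in-memory `providerStore` are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// The key is derived from a passphrase only the user knows; the salt is not secret.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Encrypt before upload. Layout (constructed for this example):
// salt(16) | iv(12) | tag(16) | ciphertext
function sealForUpload(plaintext, passphrase, name) {
  const salt = crypto.randomBytes(16); // fresh salt, so every file gets its own key
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(Buffer.from(name)); // bind the blob to its file name
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Decrypt after download; throws on a wrong passphrase, a renamed blob or tampering.
function openAfterDownload(blob, passphrase, name) {
  if (!blob || blob.length < 44) throw new Error('missing or truncated blob');
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAAD(Buffer.from(name));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
}

// Stand-in for the cloud provider: it stores the bytes it is given and holds no key.
const providerStore = new Map();
function upload(name, data, passphrase) {
  providerStore.set(name, sealForUpload(data, passphrase, name));
}
function download(name, passphrase) {
  return openAfterDownload(providerStore.get(name), passphrase, name);
}

// Helper: true if the call throws.
function fails(fn) {
  try { fn(); return false; } catch { return true; }
}

// Constructed sample data, not a real document.
upload('demo.txt', Buffer.from('constructed sample text'), 'user-held passphrase');
console.log(download('demo.txt', 'user-held passphrase').toString());
console.log('wrong passphrase rejected:', fails(() => download('demo.txt', 'guess')));
```

Whatever encryption the provider applies on its side is then layered over data it cannot read, and losing the passphrase means losing the data.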

Storing data securely in the cloud is an uncomfortable prospect compared with how businesses typically seek security for their critical documents. Understandably, businesses within their own networks and systems aim for full control of data. Protection is expected for all information in transit or in storage. With public cloud storage services, users have opened up an exposure that challenges security norms, many under the perception that the cloud alone gives them full, valuable protection.

Businesses working in the cloud need protection of value, a level of control to go with security that doesn’t sacrifice user experience. With no shortage of risks and threats to business information, it’s worth your while to expect – and obtain – security and control in the cloud.