How secure is your data in the cloud?

Earlier last week, something bad happened at the cloud storage provider Dropbox:  for 4 hours you could log in to anyone’s Dropbox folder with any password.  This was an inadvertent operational error which happened during an update where some bugs were introduced in Dropbox’s authentication code.

“This should never have happened”, stated the Dropbox CTO on their blog, but it did happen, and security breaches like this are doomed to happen again at many of these Cloud Service Providers, as a result of either operational mistakes or malicious hacking.

This incident highlights a fundamental problem with Cloud-based service:  with its centralized architecture, Cloud-based services are vulnerable to mistakes from the Cloud Service Provider itself, as well as uninvited hacking from anyone with access to the Cloud.

It boils down to how much trust you have for your Cloud Service Provider to protect your data.  Most consumer-oriented Cloud services are trading some level of security for ease of use, by making it easy for users to log in with a single password, instead of a full set of encryption keys.  In this scenario, the Cloud Service Provider owns your security credentials, and you do not have much control over it.  All you can do is cross your fingers and give your “trust” to the Service Provider.
 
But even the best trusted service provider makes mistakes in their operations, and worse yet, the bigger and more trustworthy they are, the more likely they are to lure hackers looking to attack and find their vulnerabilities, just like a honeypot attracting bees.  A recent example is RSA, the well-know security firm founded by the inventors of public/private key encryption algorithms.  RSA’s widely popular SecureID product has been deployed by countless organizations as an anti-hacking mechanism to protect their security, and yet itself has been hacked back in March 2011.  The victims include Department of Defense contractor Lockheed Martin, whose virtual private networks were compromised two months later for its “defense secrets and related IP”.
 
So what can you do?  You probably should not put data in the cloud if you are not willing to give it away.  For sensitive private data, if you really have to put it in the cloud, you should at least encrypt the data with strong encryption, with keys owned only by you.  To manage the encryption keys yourself can be quite a hassle, and there’s the trade-off between strong security and ease-of-use: not everyone knows how to encrypt their data, and even fewer can manage their security keys easily by themselves.  It’s a difficult job to figure out how to make a consumer-focused produce/service like Remobo easy to use for every one, while keeping it secure by empowering users to have full control over their own security credentials.   And we at the Remobo team are trying hard to strike the balance between these two needs for our users.
 
It’s time to take control of your own security, and Remobo is here to help you.