
Data Security and Cloud Storage

by | Mar 24, 2015 | Document Management

With increasing usage of cloud-based document storage facilities, there is growing concern about data security. Recent headlines about data security breaches at major corporations have sensitized the business world to the damaging consequences of such incidents. For law firms to proceed with confidence in making decisions regarding cloud-based storage, vendor policies regarding data security should be clearly understood.

Cloud storage vendors differ in the degree of data security they provide.

While they all claim that customer data is highly secure, there is a crucial difference between vendors that retain the ability to access customer data and those that provide access only to the customer. This difference is based on the handling of encryption keys.

Modern advanced encryption methods are impregnable to cracking, so the only path to the data is possession of the encryption key.  Many leading cloud storage providers keep a copy of the customer’s encryption key. This allows them to satisfy government and law enforcement disclosure demands.  This is a cause for concern because:

  1. There is uncertainty regarding the current and future extent of official demands for access to customer data. Recent disclosures by Microsoft and Google regarding the receipt of FBI National Security Letters requesting customer information suggest that all cloud storage vendors may be subject to these secret requests.
  2. Procedural safeguards may not prevent the compromise of customer data keys held by vendor personnel. Cloud storage sites are attractive targets for hackers operating for a variety of motives. Moreover, disgruntled, negligent, or unethical personnel with access to customer keys may mishandle them, resulting in a security breach.
  3. A security breach may occur without disclosure, giving the data owner no warning of negative consequences. This may occur because the breach was undetected by the vendor or undisclosed for business reasons.

Cloud storage vendors that permit only the customer to hold encryption keys cannot hand over customer data in response to official requests. The outside party must go to the customer to demand access. Because no vendor personnel have access to the customer’s encryption key, it cannot be compromised by hackers or vendor personnel. The main downside to this arrangement is the possible loss of the encryption key by the customer.

What if you are already using a cloud storage provider that can access your data and wish to ensure absolute privacy?

The answer is to double-encrypt the data by applying your own encryption processing before sending the data to the cloud. This makes the management of data more cumbersome, but it eliminates the possibility of data compromise by the cloud storage provider.

A key question that potential users of cloud data storage should pose to a vendor is “Can your personnel access my files?” If the answer is yes, and the data is highly sensitive, then the customer should either implement additional local encryption or seek a different cloud solution provider.

The table below shows the customer data access capabilities of some representative cloud storage vendors:

| Vendor | Vendor Access To Customer Files |
| --- | --- |
| Box | Conditional * |
| Citrix ShareFile | Yes |
| Dropbox | Yes |
| NetDocuments | Yes |
| SpiderOak | No |
| Worldox Cloud | Yes |
| WatchDox | Yes |

* EKM service option provides customer-only encryption key access
