The cloud storage security challenge

The risks to your business don't come only from employees' increasing desire to bring their own devices into the office, a phenomenon known as "Bring Your Own Device" or "BYOD".

There's also the associated issue of "BYOS", or "Bring Your Own Software/Service".

I spoke about this issue at the SC Congress in New York City last year.

One of the standout leaders in the BYOS cloud storage arena is Dropbox.

Dropbox provides a way for users to easily move data between the home-office and the office-office without the need for, say, a USB memory stick.

The good news is that this means the problem of users losing their USB memory sticks (and therefore the data held upon them) begins to disappear.

The only problem is that users of Dropbox et al. are now giving their data away, and third-party companies have to be trusted to secure it properly.

There's no doubt that the adoption of cloud computing is on the rise. But historically we have seen that attacks tend to follow the more ubiquitous technologies. In short, if something is popular, chances are that cybercriminals will explore how they might be able to take advantage.

Cloud storage providers have full access to your data and control where it is stored. You don't have much information about the infrastructure and the security mechanisms in place. And it might be that this storage isn't in your own country, which could cause legal concerns.

In a nutshell, if your data is being stored in the cloud, more data can be put at risk if there is a single successful breach.

The countermeasure to this risk is to utilize encryption technologies. Encryption is a leap forward in the right direction for any organization trying to deal with users who are already housing sensitive and/or protected data on third party servers.

Although officially unsupported, Dropbox tells advanced users who wish to not rely on the firm's own encryption that some have reported success with TrueCrypt to protect their data.

In my own personal experience, storing files across multiple computers with Dropbox and TrueCrypt to send to multiple third parties can be a challenge to set up. I agree with Dropbox that this is only a realistic option for advanced users.

Perhaps it's just me, but I would prefer a solution which is easier to deploy, with capabilities such as centralized key management, reporting, Active Directory integration and an intuitive user experience.

Oh yeah, and it's also important to protect data end to end, in motion and at rest, from attackers as well as from service providers willing to surrender anyone's data under subpoena.

David Schwartzberg is a senior security engineer at Sophos.