When leaving data in the cloud, businesses are concerned if safety can be guaranteed. One of the biggest obstacles to cloud computing is the fear that sensitive data could get stolen. This problems concerns scientist as well: Fraunhofer Institut did an extensive study on the security of storage services in the cloud. Even though the study focused only on 7 providers, it did some groundwork developing a scheme of how to check providers for security.
We want to provide a check list with the most important issues:
Security checklist
- Is data transferred through the renowned SSL/TLS protocol? If providers are using unpublished proprietary protocols security is not granted when transferring data. Older browsers do not always support the actual protocol, so you need to force them into usage.
- Is there encryption for the files?
Encryption of the files has to be provided on the side of the client as well. If not, the provider can see all your data. Some providers only hide the content but not the filenames. Furthermore, it has to be guaranteed that attacks from server side are not possible. - Are the URLs encrypted if you want to share files? If you want to share files through the internet it is important that only your users are able to find the data and not everybody. Therefore URLs have to be encrypted and should not contain user names.
- Is data deduplication hidden for the user?
Deduplication is useful to save server costs and fasten the upload of data. Instead of uploading identical files providers use the file that is already stored on the servers, so that it is not uploaded again. But if deduplication processes are transparent for the user, he can find out what files are already on the server. In some cases an external user could find out about sensitive data. A solution would be that deduplication is only given on the side of the providers. Users could not find out, if data is already stored. - Do all devices have to be authorized?
User of cloud services want to have access to their data from different devices. This is one of the main advantages of cloud computing. If new devices are not authorized there is a security problem. Third persons would only need the passport once, in order to have permanent access to the users account. The user keeps control of his account only if all devices have to be activated and the user is able to deactivate devices. This is only relevant for services with software on a client. - Are the servers located in the European Union? Is the registered office of the provider in the EU as well?
Business located in the European Economic Area are obligated to keep sensitive data safe and are prohibited to give data to a third party, unless it can guarantee the security of the data. Providers of cloud services might be subject to different regulations than the country that is uploading the data. If the business has its registered office in the USA the US government could theoretically access data, even if the server is located in European Union (Patriot Act.)
This is our checklist to guarantee safe data. For questions or remarks, please leave a comment.