Michael Meyer, CIO and CSO, MRS
Disaster Recovery file storage is getting cheaper and easier to use every day as each new cloud storage vendor enters the market. One of the areas that aren’t getting easier, however; is the management of security for the common cloud storage providers such as Amazon, Box, Dropbox, Google, iCloud, One Drive.
Most of the well-known cloud storage services provide a pretty good security foundationfor you to build upon nowadays, but the security they provide is just the beginning of what you need to have in place. So while they may say that they are secure, not all of them are secured equally, have standard settings or even have the same configuration options - which are confusing.
"if a configuration error is made with your individual storage area by you or your cloud storage provider, your data could be at risk"
In addition, if a configuration error is made with your individual storage area by you or your cloud storage provider (they are also called partitions or instances depending on the provider), your data could be at risk. These are all contributing reasons why we regularly read about cloud data being hacked into because while people are learning how to secure their primary data, they aren’t always securing their backup or disaster recovery data. And if your backup data were to be hacked - the provider normally puts the onus for this vulnerability on you…
One of the best ways to ensure that your information is protected is to encrypt it before you store it on the cloud provider and for those that are paranoid, add on an additional layer of security with digital rights management (DRM) using a tool like Watchdox from Blackberry or even a second layer of encryption using tools that each provider recommends.
You might be thinking that this additional or second layer of security (DRM or encryption) is unneeded and unnecessary, given the fact that most of these services say the data is already encrypted at rest. Since there are a number of ways to implement this encryption at a cloud provider, each way with its own strengths/weaknesses, consider encryption at rest asmainly a guard against physical theft of a hard driveor a copy of the drive being made (assuming the attacker doesn’t have the password to unencrypt it).
Speaking of passwords, let’s face it - people are lazy and reuse passwords all over the place, so most likely the passwords (or a simple passphrase) for the backup data and even first level encryption might be a reused password. So would your or your company’s backups withstand every password out there in the known/unknown hacker areasbeing applied to your backups? I think we know the answer to that one already for the average company...
For the ultra-paranoid, encrypt your data the second time using a different algorithm than the first time with a long passphrase and then take the files from each save set and alternate them between accounts at the same or different storage providers for even greater security.
So to ensure peace of mind for your disaster recovery data stored in the cloud, at a minimum, encrypt the data prior to storage, because the next time data it is taken – it might be yours!