The Computer Weekly Security Think Tank published my blog post about security of personal Cloud storage used for business. Please read the original article at: http://www.computerweekly.com/news/2240205204/Security-Think-Tank-Embrace-consumer-cloud-storage-at-your-peril
The full article:
Storing files in the cloud is so tempting. I myself use several consumer cloud storage platforms, such as Dropbox, Google Drive and SkyDrive. The convenience of these services means I can access my files anywhere, and have them synchronised between all my computers automatically. Many companies, including big enterprises, are evaluating the usage of these cheap and easy-to-use storage services. Many more companies are perhaps using such services, at their peril.
Consumer storage services come with big concerns and should prompt some serious questions. The biggest security risk is that all files are stored in such a way that the cloud provider has full access to them. Do not believe your cloud provider's assurance that they will never look at the data. In the USA, National Security Letters (NSLs) prevent companies from even informing their customers about such cooperation. In the age of NSA surveillance this is perhaps something to be wary of. Also, there have been a number of high-profile incidents related to consumer cloud storage providers.
However, there is a way to overcome this risk: Pre-Internet Encryption (PIE) – encrypting data BEFORE it reaches the cloud provider. Services such as BoxCryptor can work on top of cloud storage platforms and encrypt all data with customer-managed keys. This means that the cloud storage provider cannot technically get access to any of your data. Nevertheless, with any encryption comes the hassle of key management, which is considered the hardest discipline in IT security. Moreover, losing the encryption key means the data is lost forever.
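The following sketch illustrates the idea of encrypting before upload with a key only the customer holds. It is an added example, not part of the original article and not how BoxCryptor or any named product is implemented; the blob layout, function names and sample data are assumptions made for the illustration.

```javascript
const crypto = require("node:crypto");

// Derive a 256-bit key from a passphrase that never leaves the client.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Runs on the client before the file is written to the synced folder.
// Blob layout (assumed for this example): salt(16) | iv(12) | tag(16) | ciphertext
function encryptForUpload(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Runs on the client after download. Returns null when the passphrase is
// wrong or the stored blob was modified: without the key the data is gone.
function decryptAfterDownload(blob, passphrase) {
  try {
    const key = deriveKey(passphrase, blob.subarray(0, 16));
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(16, 28));
    decipher.setAuthTag(blob.subarray(28, 44));
    return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
  } catch {
    return null; // authentication failed or blob malformed
  }
}

// Constructed sample file content and passphrases.
const SAMPLE = Buffer.from("Q3 payroll: constructed sample data");
const PASSPHRASE = "correct horse battery staple";

function demo() {
  const blob = encryptForUpload(SAMPLE, PASSPHRASE); // what the provider stores
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 1; // simulate modification at rest
  return {
    providerSeesPlaintext: blob.includes(SAMPLE),
    roundTrip: decryptAfterDownload(blob, PASSPHRASE)?.toString(),
    wrongKey: decryptAfterDownload(blob, "forgotten passphrase"),
    tampered: decryptAfterDownload(tampered, PASSPHRASE),
  };
}

console.log(demo());
```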
The second biggest risk is related to linkage with the company's identity and access management (IAM) systems. As with all company applications, an account should be disabled when an employee or a contractor no longer works for the company. Consumer offerings do not support plugging in to corporate IAM systems; that is typically a premium service of enterprise-ready cloud systems.
In summary, consumer cloud storage services are great if you have files that are not overly sensitive and the company size is such that everyone knows everyone (the theory says this number is around 50). If your file classification and company size do not fit this profile, you are most likely better off looking at enterprise-class cloud storage offers.