Cloud storage’s hazy security lining at SC Congress NYC

SC World Congress 2011I was fortunate enough to attend SC Congress in New York City this year where Sophos was once again a Platinum sponsor – in addition to having a busy booth in the exhibition hall, Sophos had the opportunity to speak during one of the technical sessions.

Just like the SC Congress Canada in Toronto, I had a great time seeing old friends and making new ones!

The conference was held at the Metropolitan Pavilion, and is the fourth year SC Magazine organized the Congress of cybercrime and data security experts in NYC.

I started this article while in LaGuardia Airport en route back to Chicago after spending a couple days in energetic New York City. I spent some time helping out at the booth speaking with customers and security pros interested in learning more about Sophos’s new offerings around patch assessment and endpoint web filtering.

SC Congress speakers bannerIn addition to booth duty, I had the opportunity to speak on cloud storage data protection. The title of the session was “Cloud Storage’s Hazy Security Lining”.

The session began with Sophos being introduced by session moderator and Senior Reporter from SC Magazine Angela Moscaritolo.

The focus of the session was about how cloud storage providers have inadvertently enabled users through the BYOD (Bring Your Own Device) movement to also BYOS (Bring Your Own Software/Service).

For example, cloud storage software services such as Dropbox have made it incredibly easy for users to install the sync client software on their home computer, drop files into their Dropbox folder and voila the file can also be read from their handheld mobile device.

No need to tether your device or email your documents to yourself anymore.

The risk increases because now the third party provider also has a copy.

If your organization has already embraced the movement of enabling users to be more productive by allowing their personal smartphone or tablet (iOS or Android) onto your network and email servers, this topic is speaking directly to you.

Organizations concerned about data loss, accidental or otherwise, should now be looking at how much bandwidth is being used between their gateway and cloud storage services. One organization I spoke with reported that they had over 10 GigaBytes of traffic going to Dropbox, daily.

They did the prudent thing and blocked the service, but their users only moved to other services. That’s like playing whack-a-mole.

How can that problem be solved when there are dozens of cloud storage providers? Please leave comments if you have made attempts or solved this problem. Other readers want to know!

There is also the inherent flaw in all software, it can have defects which exploited.

In June of this year, Dropbox had a software defect that made passwords unnecessary to gain access to files. As my colleague Paul Ducklin explained.

Prior to that in May, Dropbox had FTC complaint charges brought against them because their file storage data protection model was put under scrutiny.

This is not meant as an attack on Dropbox, but to prove a point that even though the MIT students who created this service are the smartest of the smart technology students, they still made big mistakes. After all, we are just only human.

During the session I shifted gears to a recent entry into the cloud storage services land grab, iCloud. As security pros, we are curious by nature to understand technology, especially new technology, and sometimes we break it.

What is iCloud?Being curious, research on iCloud for the session took me to Apple’s website to understand more. I eventually found this article from Apple that explained their security and privacy.

To my disappointment there isn’t anything technical enough to explain how the data from the device is being transmitted, stored and replicated. Only the architecture diagram found in this Naked Security article.

I was hoping that Apple provided a PDF from their website with more details for those interested.

For example, which protocol is being used for transmission? How are the files stored? Is disk encryption or file encryption being used while the data is at rest? If so, what is the algorithm used to generate the key(s) and the length? Is the data commingled or in it’s own tenant in a database? Where are the physical locations of the repositories? Are they being replicated to repositories offshore?

If you are using cloud storage services, do you have agreements with your customers or business partners that their information won’t be stored offshore? Not knowing where the repositories are encumbers your organization with risk.

I think you get it.

My advice is that those questions apply to all cloud storage service providers you and your BYOS users prefer.

Attacks on handheld mobile devices have moved toward the largest return on investment. Handheld mobile devices are still at risk, with growing gigabytes of data stored and replicated to the cloud. It only makes sense that cybercriminals will focus their attacks there.

The solution is simple, encrypt your data with 256-bit keys using trusted algorithms (Let’s save the key management discussion for a future article.) This way, regardless of the transport security, the disk encryption or discovered software defects your organization will know unequivocally that the data was safeguarded on your computers, smartphones and tablets prior to your user giving up control.

With any of these cloud storage services, a combination of user education and intuitive encryption technology is required because your user’s aren’t losing company data, they are giving it away.

For anyone curious, I personally have accounts with several cloud storage providers, but I use encryption such as SafeGuard PrivateCrypto or SafeGuard PrivateDisk in order to keep my secrets safe.

I’m looking forward to the next SC Congress NYC in 2012! SC Magazine has made some photos of the event available. Enjoy!

A similar version of the presentation given at SC Congress NYC is available online.

Until next time, stay safe and secure online.