July 08, 2010

Dropping Data into the Cloud

Yesterday I signed up for DropBox, a personal cloud storage service that stores and synchronizes a folder across any machine where I install the software and log in to my account, or on the web. It's sort of like a flash drive that I don't have to carry with me, and they start you off with 2.25GB of storage. You can earn up to 8GB of free storage (if you tell other people about the service and they sign up through your referral link).

A short word from a security standpoint. DropBox claims to encrypt your data, but the software that you would use to encrypt your data is theirs, so trust in it to actually secure your data would need to be earned. Their encryption claim states that your password is the only way to decrypt your data. You'll be storing your password in the client you use to access the information, though, so if someone steals one of your devices with a client installed, you lose the security of the account until you change the password. Using cloud storage for your information is entrusting your data to complete strangers. If you decide to use the DropBox service, you need to understand that it is entirely likely, and eventually probable, that at some point your information (that you've placed in your DropBox) will be made available to someone else. It could be an internal break-in by a DropBox employee, but even more likely it will be a weakness in the DropBox system that exposes your data.

So, what good is cloud storage? It's good for storing semi-public information. For example, I use it to store several copies of my resume that I need to be able to access just about anywhere. I've also put some pictures in the DropBox to share with a friend. If you treat the storage container as if it were a public lockbox whose lock is no more secure than a gym locker padlock, then you'll be able to keep the right frame of mind about the service. Be careful out there.

EDITED: DropBox claims to encrypt your data, with a key protected by your userid/password. Remember that encryption is only as secure as its implementation and the protection of the encryption key. If your userid/password can get the decryption key, then the security of that information comes down to how strong the encryption is. There is no mention of how that information is protected at DropBox.com.

1 comment:

Anthony said...

I like the way you remind the reader not to assume that encryption implies safety. I also think it is worth reminding people that user error is also a significant cause of security risks, for instance by misusing the interface and unintentionally making the contents of your drop-box public. Perhaps this is an example of what you meant by "weakness in the DropBox system"?