It is likely that readers of this blog know where I stand on cloud storage. I have been fairly outspoken against the practice of storing personal data in the cloud. Unfortunately, I realize this may be an untenable solution for many who desire – or even require – the ability to use and access cloud storage. Even I had a personal experience recently that made me re-think the utility of cloud storage. Cloud storage does offer the benefit of being a strong hedge against data loss. Losing data can be crippling for an individual, and even more so to a small business. With these factors in mind (and at the request of a reader) I have taken a look at some cloud providers and developed some cloud storage threat models.
Before we proceed, though, I want to make clear my reservations around cloud storage. The major issue (as I see it) is this: information stored in the cloud has been permanently surrendered. Though you may remove these files or even delete your account, you have no assurance that these files have not been saved somewhere. These files may survive as remanence on discarded hard drives. They may be (and likely are) insecurely deleted. They may be captured by a hacker or rogue employee, or spilled in the next data breach. This makes using cloud storage a potentially irreversible decision. As I pointed out in the above paragraph, however, you must weigh the benefit of having a readily available backup against your security concerns. If you decide that cloud storage is necessary for you, please consider the following cloud storage threat models.
CLOUD STORAGE THREAT MODELS
Virtually all cloud storage services have the same front-end security features. These include the ability to use long passwords and two-factor authentication. Your traffic to and from the server is encrypted with TLS, and you can monitor login attempts. With these security features being essentially equal, the other major consideration is how data is handled on the back-end.
Tier 2: Amazon Web Services, Dropbox, Google Drive, and iCloud Drive. Services in this category offer good security. However, each has access to the data it holds. This makes these services vulnerable to rogue employees, data breaches, and legal pressure. However, all of these threat models
You should NOT use services in this tier if you are serious about privacy, or if your threat model includes the governments of the U.S. or other Five Eyes countries.
Tier 1: Tier 1 providers are the so-called “zero knowledge” providers. These services encrypt your files on the client-side (locally) before they are uploaded. Files are saved or dragged into the desktop application where they are encrypted, and then synced with the server. Since files are encrypted on your computer before being uploaded they are secure in transit, and inaccessible on the server. There are several “zero knowledge” providers but the only one I recommend is Tresorit.
Providers in this category market specifically to the privacy- and security-minded. As such, they will likely elevate your profile. For the vast majority of users this is essentially a non-issue. If, however, you are an at-risk journalist, political dissident in an oppressive regime, or intelligence operative, this might not be the right solution for you. The other major disadvantage of these services is cost. Tresorit’s service is not available in small, affordable tiers; a personal account gives access to 1 TB of storage, but costs $30/month.
Tier 0: The foundation for a Tier 0 setup is a Tier 2 account. This is because these services are extremely popular which helps you avoid profile elevation. This allows you to remain more anonymous than individuals using privacy-focused services like Tresorit. This privacy comes at a cost, however. To make this a “Tier 0” solution you must encrypt client-side using your own method. This is analogous to using Gmail in tandem with PGP encryption for email as described in my post on Email Threat Models. The penalty for this privacy is inconvenience. You can use services like Cryptomator or CryptSync, but sharing is difficult, and decryption later can be time consuming.
If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.