How secure are cloud data solutions?

I have a file on my home machine with various sensitive data, like bank accounts, web site passwords, insurance information. I would like to be able to store this on some kind of cloud account to be able to access it from anywhere. I already have a Dropbox account. I am considering these options:

  1. Copy it to Dropbox, it’s 100% secure there.
  2. Copy it to Dropbox, it’s not 100% secure but to find it, someone would have to know what they’re looking for. It’s not like they’re cracking a credit card database.
  3. Encrypt it using something like WinZip or 7-Zip and copy it to Dropbox, nobody could ever crack an encrypted file.
  4. Use a completely different solution that I don’t know about yet.
  5. Don’t do it. There is no such thing as secure data on the Internet. Write it down and keep it in your sock.

Dropbox is probably pretty secure if you use two-step authentication. As far as security goes, nothing is really 100% safe unless it’s buried under 3 miles of concrete, but unless you use a crappy password and don’t enable two-step authentication you’re probably fine. I’d probably move the passwords to something like LastPass, though. At the very least it spreads the info out over two places. (They have your bank info, but not your bank account password, for instance.)

If you choose 7-Zip, AES encryption then it will try to encrypt with (probably) a 256-bit-long key. But it will generate the key from the password you put in, so if you put in a 2-letter password, it’s like having a 10-bit key padded out to 256 bits - pretty easy to guess. If you put in a password that’s the equivalent of 100 pages of text, the resultant key will be about equivalent to truncating the book down to just a sentence or two. Most of it won’t actually add anything.

If you come up with a password that is sufficient to fully populate the 256 bits, then your file will be safe to the same extent as the US military requires for TOP SECRET data.[1] If you can come up with a password with 50-60 characters, you should be safe (so long as it’s not something stupid, like the letter ‘a’ 50 times, the names of your children in alphabetic order, etc.). Adding two-step authentication and putting the file in a non-public, unshared folder of Dropbox both add further security.
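The point in the post above about password-derived keys, worked through as an added example that is not part of the thread. PBKDF2-HMAC-SHA256 is a stand-in key-derivation function (not claimed to be what 7-Zip uses), the function names are illustrative, and the entropy figures assume every character is chosen uniformly at random, so they are upper bounds.

```python
import hashlib
import math

KEY_BITS = 256  # AES-256 key size


def derive_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stretch a password into a 256-bit key.

    PBKDF2-HMAC-SHA256 is a stand-in KDF for illustration; it is not
    claimed to be the scheme any particular archiver uses.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BITS // 8)


def max_entropy_bits(length: int, pool: int) -> float:
    """Upper bound: every character picked uniformly at random from `pool`."""
    return length * math.log2(pool)


def effective_key_bits(length: int, pool: int) -> float:
    """The key is never stronger than the password that produced it."""
    return min(float(KEY_BITS), max_entropy_bits(length, pool))


def min_length_for_full_key(pool: int) -> int:
    """Shortest random password that carries at least 256 bits."""
    return math.ceil(KEY_BITS / math.log2(pool))


def repetition_floor_bits(password: str) -> float:
    """Crude pessimistic check: count only the symbols actually used.

    Catches degenerate choices such as one letter repeated 50 times.
    """
    return len(password) * math.log2(len(set(password))) if password else 0.0


if __name__ == "__main__":
    salt = bytes(16)  # constructed fixed salt for a repeatable demo; use os.urandom(16) in practice
    for pw in ("ab", "a" * 50, "x" * 100_000):
        key = derive_key(pw, salt)
        print(f"{len(pw):>6} chars -> {len(key) * 8}-bit key, "
              f"at most {effective_key_bits(len(pw), 26):.1f} bits of strength, "
              f"repetition floor {repetition_floor_bits(pw):.1f} bits")
    print("lowercase letters needed for 256 bits:", min_length_for_full_key(26))
    print("printable ASCII characters needed for 256 bits:", min_length_for_full_key(95))
```

The derived key is always 32 bytes, so its length says nothing about its strength; the password's own unpredictability is the ceiling.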

If you trust Google (who also does two-factor auth), it’s easy just to keep everything in a Google Doc. Then you don’t even have to store it on your local computer (which is usually the weakest link), it all just lives in a cloud document, viewable from any computer or device, editable on the fly, no sync issues to worry about, no local copy for malware to steal.

As a bonus, if Google gets hacked, your file will just be one out of 1,000,000,000,000,000,000 documents, lost in the noise, and you’ll have the security teams of one of the world’s largest companies working to re-protect your data. The same still applies to Dropbox, just to a lesser degree because they’re smaller.

The real benefit, if you’re willing to trust Google, is that you can do all this without having to remember yet another annoying username and password. You can keep all the real-world stuff in a Google Doc, and Chrome itself can save all your logins for all the websites you use and keep it encrypted with your Google credentials (or optionally, with another passphrase of your choosing). And the other stuff can go to your Gmail, etc.

In my experience, the primary weakness of security solutions is that they are too inconvenient. People put on some mad security scheme, deal with it for a week, get tired of all the hoops they have to jump through to get to their document, and then give up and go back to wide open in two weeks. Having all your stuff in one Google account makes it a lot easier to secure it all at once yet access it easily.

Nothing on your computer or on the cloud is really secure anyway; all you need to do is prevent casual hacks and make attackers move on to easier targets.

Nothing is 100% but you can stack the deck in your favor:

  1. Use passphrases and not passwords. So instead of a password like: “johnny1” make a passphrase like: “TheSDMBisprettycool**” (easy to remember, hard to guess)

  2. Encrypt any data you want protected before uploading to the cloud.

  3. Change your passphrases on a semi-regular basis (once every three months or so).

Those three things alone will ensure no one but the most committed of cybercriminals will get access to your stuff. If someone does, then they are out of your league anyway and there is probably not a lot more you could do to save yourself.

I use KeePass (open source vault at keepass.info) to encrypt my sensitive data that I keep on Dropbox. That makes it doubly hard for a hacker to get at it but that still means it’s possible. However, you just need to make it hard enough for the hackers to look elsewhere.

I like SpiderOak.

Think about the threats first, then think about what to do about them.

I’ll start off with two basic threats:

  1. Someone accessing specifically your data. Two factor authentication is a pretty good guard against this.

  2. Data accessed en masse, often from the back end. E.g. by CIA / KGB / Chinese spying service / whoever. File-level encryption will help here.

There are other threats, of course, but those are a start.

And you need to think about the worst-case scenario: what if these documents do leak? If you can’t cope with the consequences, don’t do it.

  1. Dropbox Encryption — Protect Files

The other aspect of security I would worry about is the possibility of losing access to your own data. What happens if Dropbox goes bankrupt? All the (unpaid) employees walk away to search for other jobs, the unpaid electric company turns off power to the server farms, etc.

And that can certainly happen – look at Lehman Brothers, CIT Group, Washington Mutual, etc. And some of those were financial/banking companies, with Federal government/FDIC protection – while customers got their money eventually, many faced temporary problems. But there is no FDIC protection for Dropbox (or similar companies).

An organization I work with is in the process of switching their financial operations to an online service. To me, it seems that they will become completely dependent on that service – they have no local backups of their financial data, so they are completely trusting that this online company will not fail. Or possibly more likely, that the online company won’t get greedy and keep raising the monthly fee to use the service. (Like cell phone companies, utilities, banks, etc., etc.)

The Dropbox model is that you have local copies of your data on any machine where you install Dropbox, and it has a process that replicates it to Dropbox servers and the other machines. The replication is very fast. So if Dropbox evaporated I would still have the local copy.

Not that it is particularly relevant to Dropbox (where, as CookingWithGas notes, you always retain a local copy), but FDIC insurance, when it was applicable, paid out very quickly. Basically within days. The long, drawn out, “eventually” process was the non-FDIC-insured stuff where there was long wrangling over the values of the financial products, what was owed to whom, and given that there was not enough money to pay them all, who takes how much of a loss, but those are not “regular” customers with ordinary bank accounts.

We now have the ability to store the OED on a chip the size of a thumbnail (don’t quibble), and people still can’t be bothered to keep sensitive data where it can’t be seen.

Somebody should develop a USB (or whatever) plug-in which, when inserted, prompts for user/pswd/confirm before showing a text-only file.

Keep your data in your pocket and you don’t need to discover that yet another bored teen has hacked yet another “secure” datasafe.

Another option to consider is Viivo. Similar to Boxcryptor (already mentioned), it encrypts locally, then puts the encrypted version on Dropbox (or other cloud disk space provider).

Dropbox is great, but if somebody takes your laptop they’ll have access to your file whether or not your Dropbox account requires a password - because there will be a copy of it in your local folder.