I love the concept of working in the cloud as far as me being able to access my work from any computer, and not having to have all these different versions. But just how secure/private is working this way? For instance, I just download Google Chrome and signed up for Google Documents. I accessed one of their documents (thinking I could then work on it on my computer (sans cloud), but don’t think that’s possible. My concern is that if I’m working on some highly confidential assignment, is doing so in a cloud app environment safe? Sensible?
There is no answer to this question because every application and environment is different.
If you are talking specifically about Google Apps, using it is as safe as using any other website. Your information is visible in transit to anyone who shares the same logical network or who can install a network monitoring tool on it. So you should use encrypted sessions (https) if you’re working on anything sensitive.
Even if you do that, your documents themselves are stored on Google’s server farms, presumably in plaintext. Anybody who guesses your password has them. Anybody who tricks you into giving your password has them. Anybody who happens to work at a Google data center, remove a hard disk from a malfunctioning machine which just happens to have a redundant copy of your documents on it, and who then copies the drive for shits and giggles before replacing it, has them.
That said, the likelihood of compromising your secrets is fairly low, if you take sensible precautions. Make sure your Google Account is protected with a strong password which you don’t give to people, use https, don’t hang out on untrusted WiFi networks, and don’t have malware running on your machine.
I use SpiderOak for backup over the Internet. They make a big deal about privacy and security, insisting that the data is encrypted before you send it, and that they do not have the necessary key/password to read it on their end, even if they wanted to. Likewise, it should be unreadable by someone who can snoop on the transmission of the data.
Since Joe Blow can set up a cloud service from his garage with no security, you definitely want to evaluate each vendor and service separately.
It’s not. Period. You’re trusting a third-party with your data, and those third-parties are notoriously not-so-good at protecting it. From a legal standpoint, you might be able to stop them from disclosing it to, say, the media. But If you’re worried about official investigations and that type of thing, you’re likely hosed.
Also, if you’re working on the overthrow of the US government, the government can legally subpoena providers to both turn over data and not tell you that data has been turned over.
Cloud computing can be made as secure as a closed environment, and if someone like Google tells me that they have the security in place, I would be inclined to trust them. If they have it set up right, then even subpoenas wouldn’t make much difference, since the data that they have would be useless to the subpoenaing court. But one important reason why it’s true that good cloud computing is as secure as non-cloud is that non-cloud computing isn’t actually as secure as you think, either, since cloud or not, you’re still involving humans. If you had some secure data that I wanted enough to go to unscrupulous lengths to get it, I wouldn’t try to get it by cracking into Google Documents; instead I’d take you out for drinks and hope that alcohol would loosen your lips, or get an attractive person of your preferred sex to try to seduce you, or threaten you with some dire consequence unless you told me, or otherwise try to get the information out of you, personally.
Dropbox is a service of Google.
Google generally knows what it’s doing with security. Whether or not Google is trustworthy is a separate issue that I won’t explore.
It appears that Dropbox can’t decrypt your files without your password. If you choose a lengthy, random password then that means you’re relatively resistant to hackers who get into your Dropbox data at the Dropbbox end.
If I wanted to get at your Dropbox data, the first thing I’d try to do is infect your machine with a keystroke logger that would catch your password being entered.
Once someone has your password and a few hours of other keystroke logging, they can probably figure out how to get your Dropbox data.
Barring that, with a good password and a non-hacked client system, I’m guessing your data is 99.9999% secure.
The other concern is if you save your Dropbox password on your system in a non-encrypted location, then either snagging that file remotely from you OR you losing your hard drive (stolen laptop, etc) becomes a problem.
Here’s the advertised security featureset of Dropbox:
Dropbox uses modern encryption methods to both transfer and store your data.
Shared folders are viewable only by people you invite
All transmission of file data and metadata occurs over an encrypted channel (SSL).
All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password
Dropbox website and client software have been hardened against attacks from hackers
Online access to your files requires your username and password
Public files are only viewable by people who have a link to the file(s). Public folders are not browsable or searchable
Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)
Dropbox uses Amazon’s Simple Storage Service (S3) for storage, which has a robust security policy of its own. You can find more information on Amazon’s data security from the S3 site or, read more about how Dropbox and Amazon securely stores data.
Cite: Dropbox Security for Your Files and Data - Dropbox
It’s not, period, secure/private compared to what, though? How many people fail to password protect their computer, use a secure password, maintain a proper firewall, keep virus definitions up to date, scan frequently for viruses, apply all system patches, encrypt their data and maintain redundant backups?
If you can afford an IT department, I’m sure that gives you greater security and privacy than the cloud. For most individuals and small businesses, though… the weakest point of the system is the user’s own computer, not the third-party maintainer of the cloud. I’m not saying that Amazon, Google and the like are not imperfect and fallible, but they’re not the weakest link.
What you need to evaluate is what your weakest security link is. This sounds like you work on a laptop - if you carry it around with you, I’d bet that you are much more likely to suffer a data breach from your laptop being stolen than from someone breaking into the storage area for Google Apps and taking your data. In fact, storing your data on a cloud is probably safer than storing it on your laptop.
On the other hand, if you work in a secured environment the cloud might be the most vulnerable spot. I never, and we are not allowed to, store any of our data on the cloud or send it using a public email service like Yahoo.
Fair(ish) points. I’d agree that the end-user is the weakest link, certainly. On the other hand - using the Google “cloud” as an example - you’re still giving a third party your sensitive data. Google has had insider breaches a few times… so the data is vulnerable.
For an SMB, it’s totally feasible and reasonable - they’re not a high-priority target; much the same, if you live in a low-crime neighborhood, you might leave your house doors unlocked.
You won’'t see any national government’s intelligence agencies using third-party clouds any time soon. For good reason.