Data security is not just a consideration for big business; it’s something even domestic users of cloud storage services have to think about. The issue surfaced again recently in the light of stories about potential email snooping by the National Security Agency (NSA) in the US. Yet many people don’t encrypt email and they certainly don’t bother with encryption for cloud storage services.
In the Washington Post, Timothy B Lee says that encrypting popular web products would impede their usefulness, profitability and fun. He adds: “Consumers have overwhelmingly chosen convenience and usability.” Is this a sensible decision or should we pay more attention to the security of the data we store online?
I have to confess to some bias here, because I avoid using encryption for the same reasons as other users of email and cloud storage services – it’s often just too complicated. I flirted with PGP which has been around for a couple of decades for encrypting email, but the need to make sure the recipient had the decryption key made it useless for the amount of email traffic I handled (though totally useful for the occasional really sensitive document).
Even if you do use encryption, there are other issues, which Mitchell Allen raised in our recent interview with him. “Encryption is a double-edged sword. We only have the security experts’ word that AES and Blowfish are secure.” All the security measures we’ve used in the past have been fine till someone found out how to hack them – and someone’s probably working on breaking the latest encryption techniques right now.
Allen adds: “Even if they are, the bigger problem is dealing with the safe storage of encryption keys.” As we’ve found in the past with complex passwords, there’s a limit to people’s capacity to remember them, so you have to store them somewhere. Some use online tools like LastPass, while others write them down on Post-It notes and on notepads, neither of which is very secure.
Cloud Storage Case Study
I think a better way to approach the issue is to look at the likelihood that someone gaining unauthorized access to your stuff will cause serious damage. If you are already using a secure password or two-factor authentication to protect the files in your chosen cloud storage service, how likely is it that someone will be able to gain access?
That’s why my answer to the question of data security is a sort of triage. I have three main types of documents in my cloud storage repositories: general personal documents, client documents, and private personal documents.
While it would be annoying if someone accessed my general personal documents, I don’t have information on them that poses a security risk, so I don’t need to encrypt them. That’s the same for most of my client documents which are copies of posts I have written for various sites. Those are already out there on the web, so I don’t need to encrypt those either.
The only issue is documents that I need to keep secure and I like Mitch’s solution of setting up an encrypted folder to store those in. For even more sensitive data, like the passwords to financial accounts or anything that could lead to identity theft, the best approach is to keep those off the computer and in my head. As long as I don’t lose my marbles, that should be OK.
Encryption and Business
But what about running a business? In that case, you might have different requirements, especially if you are handling and storing sensitive customer data. We expect our banks, credit card companies and other businesses holding financial details to keep those secure.
Usernames and passwords are the first line of defense, but encryption is a good way to keep unauthorized people out. One of my banks requires me to sign in with two passwords and a rotating security question and will boot me out if I get it wrong more than twice. And it uses bank-level encryption, which is doing the trick for now. But, as many point out, if the NSA can break encryption, others can too.
So what’s the bottom line? Here’s what I think – and feel free to disagree. If your data is mostly staying in one place where only you have access to it, then maybe encryption is overkill. If you are walking around with sensitive data on a device that might get stolen or keeping sensitive data in the cloud, then consider one of the cloud storage encryption solutions listed in our previous article.
I think Simon Rice says it best on the ICO blog: “The crucial aspect to making it work is to identify the most suitable form of encryption and follow a common sense approach to keeping the key, and therefore the data, secure.”