Can You Have Privacy on Public Cloud Storage?

Tuesday, April 26, 2011

Eli Talmor


Cloud computing includes various types of services where a customer makes use of a service provider’s computing, storage or networking infrastructure.

Cloud infrastructures can be roughly categorized as either private or public. In a private cloud, the infrastructure is managed and owned by the customer and located on-premise (i.e., in the customer’s region of control).

In particular, this means that access to customer data is under its control and is only granted to parties it trusts.

In a public cloud, the infrastructure is owned and managed by a cloud service provider and is located off-premise (i.e., in the cloud service provider’s region of control). This means that customer data is outside the customer's control and access to it could potentially be granted to untrusted parties.

Storage services based on public clouds, such as Amazon’s S3, provide customers with scalable and dynamic storage. By moving their data to the cloud, customers can avoid the costs of building and maintaining a private storage infrastructure, opting instead to pay a service provider as a function of their needs.

For most customers, this provides several benefits including availability (i.e., being able to access data from anywhere) and reliability (i.e., not having to worry about backups) at a relatively low cost.

While the benefits of using a public cloud infrastructure are clear, it introduces significant security and privacy risks. In fact, it seems that the biggest hurdle to the adoption of cloud storage (and cloud computing in general) is concern over the confidentiality and integrity of data.

Ideally we should aim to achieve the “best of both worlds” by providing the security of a private cloud and the functionality and cost savings of a public cloud:

1. Confidentiality: the cloud storage provider cannot access the customer's files

2. Integrity: no unauthorized modification of customer data by the cloud storage provider

3. Non-Repudiation: any access to customer data is logged

while retaining the main benefits of a public storage service:

a. availability: customer data is accessible from any machine and at all times

b. reliability: customer data is reliably backed up

c. efficient retrieval: data retrieval times are comparable to a public cloud storage service

d. data sharing: customers can share their data with trusted parties.

The main concerns with cloud computing were outlined by the Cloud Security Alliance and are addressed by SentryCom:

1. Regulatory compliance. Most countries have laws in place that make organizations responsible for the protection of the data that is entrusted to them. Customers can be assured that the confidentiality of their data is preserved irrespective of the actions of the cloud storage provider. This greatly reduces any legal exposure for both the customer and the provider.

2. Geographic restrictions. Data that is stored in certain legal jurisdictions may be subject to regulations even if it was not collected there. In the SentryCom software app, data is only stored in encrypted form, so any law that pertains to stored data has little to no effect on the customer. This reduces legal exposure for the customer and allows the cloud storage provider to make optimal use of its storage infrastructure, thereby reducing costs.

3. Subpoenas. If an organization becomes the subject of an investigation, law enforcement agencies may request access to its data. If the data is stored in a public cloud, the request may be made to the cloud provider and the latter could even be prevented from notifying the customer. This can have severe consequences for customers. First, it preempts the customer from challenging the request. In the SentryCom software app, since data is stored in encrypted form and since the customer retains possession of data access rights, any request for the data must be made directly to the customer.

4. Security breaches. Even if a cloud storage provider implements strong security practices, there is always the possibility of a security breach. If this occurs, the customer may be legally responsible. Cloud computing encompasses both a server and a client side. With emphasis typically placed on the former, the latter can be easily overlooked. Having a backdoor Trojan, keystroke logger, or other type of malware running on a client device undermines the security of cloud or other Web-based services. The SentryCom software app is malware resilient.

5. Data retention and destruction. In many cases a customer may be responsible for the retention and destruction of data it has collected. Inability to decrypt data on the cloud makes this straightforward.

SentryCom allows the users of Cloud-based Webmail such as GMail or Cloud-based file storage services such as Dropbox to address the privacy issues in the most convenient and secure fashion, while keeping all the advantages of these popular services.

All you have to do is: choose the file you want (any type), choose the file delivery method (save to a Dropbox folder or send to Webmail), define the file recipient (yourself for backup, or your colleague(s)), and click encrypt. The file will be encrypted with a top-secret-grade AES 256-bit key that will be stored at SentryCom MACS (Managed Authentication & Crypto Service).

To fetch this key, file recipients will need to perform malware-resilient multi-factor strong authentication against SentryCom MACS. This process, performed independently from the Cloud Service Provider, ensures the customer's privacy. No one except the specified file recipient(s) will be able to access this file.
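The workflow described above, sketched as an added example that is not SentryCom's code: the file is encrypted on the client, the storage provider only ever receives the returned blob, and a separate key service releases the key to listed recipients. `KeyService`, `Encrypt` and `Decrypt` are hypothetical names, recipient authentication is assumed to have already succeeded, and GCM is chosen here as the AES-256 mode (the page does not name one) so that modification in storage is detected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService is a hypothetical key service run apart from the storage provider.
type KeyService struct {
	keys map[string][]byte  // file ID -> AES-256 key
	acl  map[[2]string]bool // {file ID, user} -> may fetch the key
}

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail: key is always 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Encrypt runs on the client: it escrows a fresh key and returns nonce||ciphertext for upload.
func Encrypt(ks *KeyService, id string, data []byte, recipients ...string) []byte {
	secret := make([]byte, 44) // 32-byte key followed by 12-byte GCM nonce
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	ks.keys[id] = secret[:32]
	for _, r := range recipients {
		ks.acl[[2]string{id, r}] = true
	}
	return newGCM(secret[:32]).Seal(secret[32:], secret[32:], data, []byte(id))
}

// Decrypt runs on a recipient's client; a blob altered in storage fails the GCM tag check.
func Decrypt(ks *KeyService, id, user string, blob []byte) ([]byte, error) {
	if !ks.acl[[2]string{id, user}] || len(blob) < 12 {
		return nil, errors.New("not a recipient, or blob malformed")
	}
	return newGCM(ks.keys[id]).Open(nil, blob[:12], blob[12:], []byte(id))
}

func main() {
	ks := &KeyService{map[string][]byte{}, map[[2]string]bool{}}
	blob := Encrypt(ks, "report.pdf", []byte("constructed sample text"), "alice")
	_, err := Decrypt(ks, "report.pdf", "mallory", blob)
	fmt.Println(len(blob), err)
}
```

The file ID is bound in as associated data, so a blob that the storage side swaps under a different file name also fails to decrypt.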

Cross-posted from SentryCom
