11

I have over 20GB of photos and documents stored on my hard disk without a backup. I'm thinking about saving all of them in a cloud service such as Microsoft Skydrive or google cloud, but I'm wondering if it is really safe... I mean, can I trust these services in privacy and responsibility just as if I was saving these files on an external hard drive?

AviD
  • 72,138
  • 22
  • 136
  • 218
Diogo
  • 657
  • 2
  • 5
  • 10
  • 1
    What are these pictures of? If they are just fun pictures of "stuff" then do you care if they are shared? If they are of your family on Christmas morning in their sleeping atire, then cloud storage isn't perhaps the best place for them. – Ramhound Apr 25 '12 at 15:18
  • This doesn't answer your specific question, but we should mention: you need to be doing a local backup *as well* as one to the cloud. You need an on-site in case the off-site provider burns down or such, and you need an off-site in case your house burns down or such. – Graham Hill Apr 27 '12 at 14:21
  • 2
    You can **not** trust Microsoft to keep your private data private. Google for `skydrive arrested`. There's a long history of Microsoft ignoring people's privacy, and going through people's Skydrives. – Ian Boyd Mar 07 '15 at 23:58
  • why nobody is talking about - what if they just loose the files? Delete or stop giving you access to them? – Darius.V Jul 15 '15 at 07:38

6 Answers6

16

The most sensible approach is to assume you cant rely on their privacy - it isn't their responsibility, although there are some services whose selling point is securing this data.

If you take that stance, as long as you encrypt all data before it goes to the cloud you can be safe (decide on what level of encryption you need in order to be safe)

This approach gives you a very practical backup, just make sure you protect your encryption keys.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • 5
    Protect your encryption keys from both disclosure *and loss*. E.g., if your house burns down (floods, gets robbed, etc.), and takes your encryption keys with it, your backups are worthless. – derobert Oct 09 '12 at 18:30
13

I would say no its not suitable for storing criticial information,

From the sound of their terms Google essentially owns everyting you upload as well as anything derivitive of your data as well.

Here is an excerpt from the verge.com explaining the differences of the 3 major players, notice Google is very liberal with what they can do with your data.

Dropbox

https://www.dropbox.com/terms

"By using our Services you provide us with information, files, and folders that you submit to Dropbox (together, "your stuff"). You retain full ownership to your stuff. We don’t claim any ownership to any of it. These Terms do not grant us any rights to your stuff or intellectual property except for the limited rights that are needed to run the Services, as explained below."

SkyDrive

http://windows.microsoft.com/en-US/windows-live/microsoft-service-agreement?SignedIn=1

"Except for material that we license to you, we don't claim ownership of the content you provide on the service. Your content remains your content. We also don't control, verify, or endorse the content that you and others make available on the service."

Google Drive

http://www.google.com/intl/en/policies/terms/

"You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.

When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content."

dc5553
  • 365
  • 1
  • 8
  • Thank you for this. It would also be nice to see what exactly can each of them do with your data. – domen Apr 07 '14 at 08:23
9

Consider this from an Information Management or Information Assurance question rather than an Information Protection question. To the question if a service provider's level of security is "safe" (sufficient and appropriate), the answer is YES and NO - depending on the level of protection the specific information requires.

My suggestion is you create three big categories of information, Public, Personal and Private. You can ask yourself how much damage would I be willing to endure if I lost "personal" information to help you decide if a specific item of information should go in "private" or not. Private is the category where you need the most burdensome protections, and you don't want to put less valuable information in that category because those extra security measures cost you time, sometimes money, and generally some frustration.

All private information should be stored encrypted. It does not matter if you store it on a local drive or a cloud service, presuming the encryption is the right type (for example AES with 256 bit keys) and the pass-phrase sufficiently complex and is kept private. Odds are your home network is far less protected than networks managed by Microsoft or Google.

All personal information should be stored under the protection of network credentials by a service provider who publishes their security standards. In the case of Microsoft, all of their SkyDrive infrastructure is now on their Windows Azure platform, which meats very stringent protections such as HIPPA. Google, by contrast, is very upfront about scanning most information stored to target ads to you.

If you want to store personal information you can use an enhanced service from Microsoft called Office365. For $6 per month you get a privately segmented Exchange service for email and a full SharePoint (SkyDrive plus many extra features) that is designed to protect your information from being shared outside of your "namespace" (think of it as your domain name). Those Microsoft services have been reviewed in depth and (outside of government classified information which generally requires dedicated hardware), Office365 is approved for all highly regulated environments such as SOX, HIPPA, etc.

If a piece of information is not Private and not Personal, it should be public and then any of the services should be safe for you. Microsoft is hyper-vigilant about not losing customer data as they spend billions of dollars on Windows Azure, so my opinion is they are safe as a backup location.

Let me leave you with a way of thinking about information that was shared by a crusty old IT guy that knew (kids avert your eyes):

Public is a picture of your best friend.

Personal is a picture of your wife in lingerie.

Private is a picture of your best friend with your wife in lingerie.

How much you protect each level of information depends on how embarrassed you would be seeing the picture (document, etc.) on the cover of your local newspaper.

OnTheShelf
  • 309
  • 2
  • 1
  • 2
    Illustrative way to highlight the differences between Public/Personal/Private. – George Sep 26 '12 at 10:54
  • 1
    @OnTheShelf Would you provide a citation for SkyDrive running on Windows Azure? I’ve been unable to find such reports. Thanks. – ȷ̇c Aug 24 '13 at 13:55
  • @JCChu Azure is really a brand name for wide range of services, including very simple REST API access to MSFT global data centers, regionally or geo-redundant data (blob) storage, queues, identity and notification services, and a range of Windows Server hosting options (including much of the “fabric” which underlies Azure that is running on Windows Servers). It is not clear if you are looking to see the Azure brand name tied to SkyDrive, or have some concern that it may be less reliable because of some quantifiable difference. For example, while some SkyDrive data racks may be hosted in a MSFT – OnTheShelf Aug 29 '13 at 19:16
  • data center which pre-dates the Azure brand (for example the Bellevue DC’s which Bing, Windows Live and MSN used), MSFT Global Foundation Services (GFS) still runs them as they do Azure branded DCs. It is really a brand migration issue. Likewise Office365 is a separate brand, but the identity service it provides it is really Azure Active Directory, as SkyDrive Pro is really SharePoint Online. – OnTheShelf Aug 29 '13 at 19:16
  • Have you looked at their various SLA (service level agreements) to see if your concern is addressed? If it helps, SkyDrive (or whatever it is renamed to) is tightly integrated into Windows 8.1, so MSFT is HIGHLY MOTIVATED to ensure there is no data loss which might tarnish the global Windows brand. – OnTheShelf Aug 29 '13 at 19:16
  • Shouldn't it be: "Private is a picture of you with your best friend's wife in lingerie"? :-) – Rabarberski Aug 05 '14 at 09:57
5

My concern with any cloud service would be that one day you'll wake up and they'll be gone. -- so long as they're a backup, not primary storage, it's an ordinary risk.

ddyer
  • 1,974
  • 1
  • 12
  • 20
5

As others have mentioned, general-purpose cloud storage providers, like Microsoft, Google, Apple, and DropBox are not completely safe, since although they encrypt your files, they have copies of the keys (needed so they can index your files for search purposes).

And as Rory points out, you can make this super-secure pretty easily: encrypt the backups yourself before putting them in the cloud. This is the best option.

But there is also a middle-ground. There are some cloud storage providers who focus on security by not keeping copies of your encryption keys. SpiderOak are a popular one for backing up documents. Carbonite are also popular, and also offer an option to back up the whole of the machine (i.e. OS as well as documents.)

Graham Hill
  • 15,394
  • 37
  • 62
  • The main players like SkyDrive, DropBox, Google Drive, don't encrypt in the cloud anyway. They only encrypt the transmission between cloud and client. They also are at liberty to scan contents, which is why there have been cases of individuals having content deleted because they break rules (copyright or in some way illegal). – tjmoore Dec 14 '12 at 13:45
  • Actually, Dropbox do encrypt at rest. See https://www.dropbox.com/help/7/en. Google don't, and Microsoft won´t say if they do or not. – Graham Hill Dec 17 '12 at 12:21
  • Is that a recent change then as many articles on cloud encryption I'd been reading when reviewing them said they didn't and they only encrypted on transfer not at rest? Interesting, your point stands of course. They have the keys! and can (and probably do) look at the content, pass onto government authorities etc. It's as good as no encryption really. – tjmoore Dec 17 '12 at 12:33
4

Why not using a combination of truecrypt volume and those cloud storages! truecrypt for confidentiality and the cloud services for redundancy and backup

  • Truecrypt is terrific for Private information, although often overkill for Personal information. The key task is to un-mount the encrypted volume so replication to the cloud can occur. SkyDrive, DropBox, and others handle that replication of volumes-in-use differently, so confirm that your updates are being pushed to the cloud as you expect them to be. Consider converting larger volumes into many smaller truecrypt volumes to ensure less data is delayed from replication. – OnTheShelf Apr 25 '13 at 02:00