How secure are the major cloud storage providers?

In the wake of COVID-19, most of us are more dependent on cloud storage services than ever. Uploading our files to the cloud is a great way to be able to collaborate with colleagues remotely and work across multiple devices – but with cybercriminals more determined to access our data than ever, it’s also important to consider how safe our files really are when we upload them to a cloud storage provider. 

This June, IDCare – Australia and New Zealand’s national identity and cyber support service – reported a 34 per cent increase in demand for its frontline case management services. This reflects a wider trend of cybercriminals looking to capitalise on a world that has been forced to adopt remote work quicker than it’s been able to adapt the best security practices for doing so.

The explosion in remote work and the acceleration in digitalisation caused by COVID-19 has exponentially increased the attack surfaces that are available to cybercriminals, and made it harder for breaches to be discovered. The Australian Cyber Security Centre recently saw a 200 per cent increase in reports of ransomware, while the cost of a typical data breach has risen where remote work is a factor, and cyber insurance policies are struggling to keep up.   

We shouldn’t assume, then, that we can simply store our files in a popular cloud server and forget about it. If you want to ensure your important documents are protected, you need to know you’re going with a secure service. 

Right off the bat, there are a couple of things that each of the major providers are doing right. Firstly, they each offer optional two-factor authentication, which adds an extra layer of security to your account by requiring two separate forms of identification to access your account. The first is usually a password, and the second can be a code sent to your phone or email address, or a biometric scan using your fingerprint, face or retina. 

And they each offer at least some level of encryption, both for data at rest (data not actively moving from device to device or network to network) and data in transit (data actively moving from one location to another, either across the internet or through a private network).

And while there have been blemishes – some bigger than others – most of them have managed to avoid major breaches so far, although the same can’t be said for their parent companies. 

But there’s one major problem that hobbles each of the major cloud services – and it has to do with who can access your encrypted files. 

Who holds the key? 

When it comes to cloud storage security, the gold standard is Zero Knowledge encryption. Under Zero Knowledge protocols, your cloud service provider doesn’t store a copy of your encryption key, so they can’t decrypt your files – even if they wanted to.

The problem is that none of the mainstream cloud storage providers – the ones attached to giant parent corporations, for the most part – follow these protocols. Instead, the encryption key to access the files in your cloud stays with them. 

That means that no matter how strong your encryption is, or how strong your passwords are, your cloud storage provider still has access to all of your data, and can decrypt it whenever they want, bypassing all of your security. 

There are a couple of reasons why they do this. The first is that most of the major cloud storage providers tend to be part of a suite of products, or a workspace, if you will. By holding onto your encryption key, they can access your files faster and speed up the connection between these products. 

Holding onto the encryption key also enables them to scan your files – for instance, one major cloud storage provider flat-out tells users in their privacy policy that they scan the documents users upload to the cloud in order to find things like “which ads you’ll find most useful, the people who matter most to you online, or which YouTube videos you might like”. (In other words, their privacy policy is that you don’t have any.) 

The same privacy policy states that they will process your data when they have a legal obligation to do so – if, for instance, they’re responding to an enforceable governmental request. In fact, that’s true of all the major cloud providers, who are all subject to US laws, including the Patriot Act, which gives government agencies the ability to demand access to the data on their servers.  

But if they didn’t have your encryption key, then they wouldn’t be able to hand over your data, no matter how badly the government wanted them to. 

Keeping your encryption key on their servers also means that, if those servers were hacked, the keys could be obtained by cybercriminals and used to decrypt data stored in the cloud on a massive scale – defeating the entire purpose of uploading your files to a secure cloud storage service.  

A safer alternative 

Unlike the ‘big three’ cloud storage providers, we’re proud to say that Cryptoloc abides by Zero Knowledge protocols, which means that we can’t see the data you store with us, and we can’t share it with a third party – even if we wanted to. Which we don’t. 

Better yet, our patented three-key encryption technology combines three different encryption algorithms (AES 256, RSA 4096 and RSA OAEP) into one unique multilayer process, so even if someone gains access to your private key without your consent, they still won’t be able to access your data. 

We’ve deployed this technology across multiple products, including Cryptoloc Cloud, which is built to the highest ISO 27001:2013 information security standards. Every piece of data in the Cloud is assigned its own separate audit trail; every user and action is tracked, verified and accounted for; and access for individuals or groups can be revoked at any time. 

That’s why no Cryptoloc product has ever been breached, and why no other cloud storage service comes close to Cryptoloc for secure, safe and convenient data management.

Learn more about how you can store, share, sync and secure your files with Cryptoloc Cloud here.