Cloud Security Promises out of thin Air

René Pfeiffer/ May 15, 2012/ Discussion, Security

The „Cloud“ is a wonderful link between the BYOD disaster, data loss and broken security promises. Yet users of all kinds are lured into the web interfaces with eye candy. The German IT magazine Golem.de has published an article about the cloud storage security study of the Fraunhofer Institute for Secure Information Technology SIT. The researchers put Dropbox, Cloudme, Crashplan, Mozy, Teamdrive, Ubuntu One and Wuala under scrutiny. The results should be a wake-up call for businesses that blissfully shove all kinds of data out into the thin air of the „Cloud“.

The quintessence of the study is that none of the listed „Cloud“ services provides basic security, let alone sensible encryption technology. Some registration forms do not verify the e-mail addresses entered. Some platforms do not use SSL/TLS. Some use their own protocols that are neither published nor peer-reviewed (a decent protocol design that actually delivers security is hard). Some do without client-side encryption and receive the customer's data in the clear. Some data is reachable through obfuscated URLs (which nobody will ever guess and which will never leak, of course). Some of these URLs even contain user names or other gems useful for hats of all colours alike.
The study contains more, and all these findings are signs of bad or absent security design. In turn, none of these storage platforms is a place for sensitive data. This should be reflected in your security policy (we are sure you have already incorporated this into your policy documents).

If you really want to follow the trend (or just be cool), you might want to think about superencryption, i.e. encrypting your data on the client before it is handed to the provider, so that whatever encryption the provider applies merely adds a second layer on top of yours and the provider never holds the key. Additional encryption won't help you against badly formed URLs or other design flaws (file names, sizes and your account name still travel in the clear), but it's better than nothing. The study has a more in-depth view of what you can do and what you should not do.
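As an added example of what "encrypt before you upload" looks like in practice (this is illustration code, not from the article or the Fraunhofer study, and not any provider's client), the following Go program seals a file with AES-256-GCM under a key that never leaves the client. The key handling is an assumption: the key is generated locally and would live in an OS keyring or similar, and the provider only ever receives the sealed blob. The file's logical name is bound as associated data, so a blob that is moved or renamed on the provider's side, tampered with, or opened with the wrong key is rejected instead of yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit key. Assumption (not from the article): the
// key stays on the client, e.g. in the OS keyring; the storage provider never
// sees it, which is the whole point of encrypting before upload.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and binds the file's logical name
// as associated data. Output layout: nonce || ciphertext || GCM tag.
// A random 96-bit nonce per file is fine for a personal store; with more than
// about 2^32 files under one key, rotate the key to keep collision risk low.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Prepend the nonce so the blob is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. Any change to the blob, a different name, or a
// different key makes the GCM tag check fail and returns an error.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; the provider only ever gets `blob`.
	blob, err := Seal(key, "reports/q1.txt", []byte("quarterly numbers"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes of ciphertext\n", len(blob))

	// Simulate the provider moving the blob to another path: must fail.
	if _, err := Open(key, "reports/q2.txt", blob); err != nil {
		fmt.Println("renamed blob rejected:", err)
	}
	pt, err := Open(key, "reports/q1.txt", blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(pt))
}
```

Note what this does and does not buy you: the provider cannot read the contents or silently alter them, but it still sees the file name, the size, the access pattern and your account name, and none of this repairs a share link that leaks your user name in its URL. Losing the key means losing the data, so key backup belongs in the same policy document as the decision not to trust the provider.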


About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.