Many people choose to back up their
most valuable data to an external hard disk or perhaps a memory stick, but this
plan is fundamentally flawed. If your home is destroyed by a meteor or simply
burgled, it’s likely the external storage will go the same way as your PC and
other possessions: converted to smouldering ruins or carried off in a sack
marked ‘swag’.
Okay, so events like that are rare, but
cloud storage provides an alternative (or additional) bullet-proof solution
that’s immune to them.
For those who don’t know, ‘the cloud’
is tech speak for internet storage that’s accessed via special apps you install
on your PC or mobile device. On a PC the cloud storage apps usually create a
magical folder, the contents of which are automatically (and invisibly) synced
with the cloud storage whenever you add new files or modify existing ones. You
can install the client app on other computers and, once logged in, your files
will sync there too.
Alternatively, some dedicated cloud
backup apps simply sync folders or types of file that you specify and scan
periodically for changed files. Restoring data after a disaster is a matter of
installing the app on a different computer and selecting the files or folders
you wish to restore.
Cloud storage is undoubtedly one of the
greatest innovations of recent years, but a persistent concern is privacy.
After all, you’re passing your files to a third party and have to trust they
won’t peek at them. You also have to believe they’ve put in place sufficient
protection against hackers — and in our post-Snowden world,
government agencies fall into this category.
There are various solutions to this
problem, but it’s a mistake to believe all cloud services are created equal. If
you want true privacy and security, some thought needs to go into your choices,
as we explain over the following pages.
Basic Backup
The most fuss-free way of using cloud
storage to back up your files is to simply work within the cloud storage
folder, essentially turning it into your User folder. That is, when you create
files, you should save them to the Dropbox or Google Drive folder or copy
existing files there. Most desktop apps like Microsoft Office or Adobe
Photoshop let you change the default save location, so saving a cloud copy of
each file can become something you don’t even think about.
This way, your files will automatically
be backed up in the cloud, as will any changes you make to them, and restoring
them in the event of disaster involves simply installing the cloud storage
client app on a different computer and logging in, which will create a synced
clone of the folder.
In addition to backup, the benefit of
this approach is that you have instant access to your files anywhere there’s an
Internet connection. Want to show somebody you’ve just met your holiday snaps
that normally live on your PC? Well, now you can, and the major cloud services
offer mobile apps to let you get at your files.
Dedicated cloud backup services take a
different approach compared to basic cloud storage providers, in that their
apps sit in the background and periodically back up certain folders or types of
files, regardless of where they’re stored. Setup is usually automatic, although
if you don’t use the usual User folders such as Music, Movies, My Pictures and
so on, then you might need to delve into the settings to tell the app where to
find your files.
Unlike with a backup disk attached to
your PC, the goal of cloud storage and backup isn’t to clone your entire
system. If nothing else, that would be prohibitively expensive because cloud
storage is charged by the gigabyte. Instead, the goal is to back up your
personal data, such as pictures, music, office files and so on.
Because of the cost of cloud storage,
difficult decisions sometimes need to be made. For example, it might be cheaper
to burn your MP3 collection to DVD-R discs for backup than rely on cloud
storage. Or you might simply choose not to bother backing up your multimedia
collection. After all, if they’re purchased through a service like iTunes or
Google Play you’ll probably be able to download them afresh, and for free,
should disaster strike. Just look in the previous purchases section of each
service.
If you do decide to back up large
multimedia files, the initial backup could take a while to complete. Most home
internet services in the UK are asymmetric, which means that the upload speed
is significantly slower than the download speed. For example, my ADSL service
downloads at around 16Mbps, but uploads are limited to around 800Kbps.
Whichever method you choose for backing
up (cloud storage or dedicated cloud backup), privacy should be a prime
concern, and that means understanding what types of encryption are provided by
the cloud storage provider.
Encrypted Backup
There are three basic ways cloud
storage providers operate when it comes to security provisions. With the
simplest approach, data is sent from your computer to the cloud server, where
it’s stored unencrypted. This has obvious security implications. Anybody with
physical access to the cloud storage server computers could access your files,
as could any hacker who gains unauthorized access. Alternatively a rogue member
of staff might look at your private data.
To remove these possibilities, the data
might be stored encrypted on the cloud server. In fact, this is the approach
used by most cloud storage and backup services. Unfortunately, the encryption
is usually controlled by the cloud storage provider, so they can still access
your files by simply decrypting them whenever they want. This level of
encryption does present a brick wall to any hacker that somehow gains access to
the server, though.
The best form of cloud storage is where
providers have a ‘zero knowledge’ policy, which is to say the encryption takes
place on your computer before the files are uploaded. As such, the cloud
storage provider is simply unable to access the files, and to them the files
appear to be gibberish.
It’s worth noting that no matter which
of the three above approaches is used, the connection to the cloud backup
service across the internet will always be encrypted with transport layer
security (TLS), which is the same type of security used to protect https:// websites such
as online banking. In fact, when cloud services boast that they provide encryption,
this is often what they’re referring to, and it can be very misleading: this is
encryption for the sake of data transfer and has no bearing on whether files
are stored encrypted on the cloud storage servers.
However, if a zero-knowledge approach is
clearly the best, why don’t all cloud storage providers use it? The answer lies
in convenience, both for you as an end user and for the cloud service provider
itself.
One severe limitation of zero-knowledge
cloud storage is that your account password becomes supremely important,
because it’s used to create the encryption key that protects your files. If you
forget the password, then your backed-up files are completely inaccessible to
you or anybody else. Worst of all, people tend not to realize they've forgotten
a password until they need to use it.
If the cloud backup service controls
the encryption, then they’re able to offer niceties such as password resets
should you forget your login details and technical support whereby they can dig
into your file collection to fix errors. Equally, if files are encrypted by the
user before uploading, then they simply can’t be shared with other users.
Offering files for download from public web pages becomes impossible, as does
collaborative working. These are key features of cloud services like Dropbox
and Google Drive.
More importantly for cloud storage
providers, keeping control of encryption allows space to be saved on the server
by only storing one version of a file, regardless of how many users upload it. This is called
deduplication. If users Bill, Chris and Mike upload the same MP3 file, then
only one copy of the file is stored, even though all four users appear to have
their own copy. If the MP3 file is individually encrypted by each user, then
it’s impossible for cloud service providers to know it’s the same file, meaning
much more storage space is used. This is why zero-knowledge cloud services tend
to be more expensive.
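
The deduplication trade-off described above can be shown with a small simulation. This is an added example, not part of the original article: the `Provider` class is hypothetical, the MP3 bytes are constructed, and the SHAKE-256 keystream is a stand-in for a real cipher such as AES.

```python
import hashlib
import os

def keystream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR the data with a SHAKE-256 keystream."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class Provider:
    """Hypothetical storage server that keeps one blob per distinct SHA-256."""
    def __init__(self):
        self.blobs = {}   # content digest -> stored bytes
        self.index = {}   # (user, filename) -> content digest

    def upload(self, user: str, name: str, payload: bytes) -> None:
        digest = hashlib.sha256(payload).hexdigest()
        self.blobs.setdefault(digest, payload)   # store only if not seen before
        self.index[(user, name)] = digest        # every user still "has" the file

    def stored_bytes(self) -> int:
        return sum(len(b) for b in self.blobs.values())

# Constructed sample standing in for an MP3 file (10,243 bytes).
SAMPLE_MP3 = b"ID3" + bytes(range(256)) * 40

def simulate(client_side_encryption: bool) -> int:
    """Three users upload the same file; return bytes the provider must store."""
    provider = Provider()
    for user in ("Bill", "Chris", "Mike"):
        if client_side_encryption:
            # Zero-knowledge case: each user encrypts with a key only they hold.
            key, nonce = os.urandom(32), os.urandom(16)
            payload = nonce + keystream_encrypt(key, nonce, SAMPLE_MP3)
        else:
            # Provider-controlled case: the server sees identical plaintext.
            payload = SAMPLE_MP3
        provider.upload(user, "song.mp3", payload)
    return provider.stored_bytes()

if __name__ == "__main__":
    print("provider sees plaintext :", simulate(False), "bytes stored")
    print("client-side encryption  :", simulate(True), "bytes stored")
```
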
Zero Knowledge
For those who desire the best possible
security, zero-knowledge encryption (sometimes referred to as personal
encryption) appears to be the way to go. But even here there are caveats. Not
all zero-knowledge services are the same.
An encryption key is needed for a file
to be encrypted and subsequently decrypted, and this is usually stored as a
file. Imagine a situation where this key file is stored only on your computer,
where it’s used to encrypt files for upload to the cloud backup service and for
decrypting any files you choose to restore. This sounds like the perfect
solution, right? Nobody else will be able to ever decrypt your files, because
they simply don’t have the key.
Unfortunately, this is a dangerous
setup, because if your hard disk fails, then the encryption key stored on it
will also be lost. Once that’s lost, there’s no way to decrypt the cloud backup
data.
Because of this risk, most cloud
services offering personal encryption use a ‘secrets file’, which contains the
encryption key, alongside other authenticating data. This resides on your
computer’s hard disk and is itself encrypted using a password you supply. It’s
also uploaded to the cloud server, along with your data, so it can be restored
in future and subsequently unlocked using your password, to allow the
decryption of all your files.
Although sensible, this approach
provides a point of weakness, because should a hacker get hold of the secrets
file, they can attempt to brute force its password — something
that’s significantly easier than attempting to crack the actual encryption key.
A brute force attack is where hackers try literally billions of guesses,
generated automatically by a special program running on powerful computers (see
the 21st Century Security feature in issue 1274 of Micro Mart).
Because of the way encryption works,
brute force guessing an encryption password is time consuming, but it isn't
impossible and gets a little easier with every faster model of CPU or GPU
that’s created.
You can make the hacker’s job
significantly harder by ensuring your cloud password is extremely strong — at least 20
characters long and random, including letters, numbers and symbols.
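
As an added illustration (not from the original article or any provider's software), the code below builds a secrets file of the kind described above and shows why its strength is capped by the password rather than by the encryption key. The file layout, PBKDF2 iteration count and function names are assumptions, and the XOR key wrap stands in for the authenticated cipher a real client would use.

```python
import base64, hashlib, hmac, json, math, os

ITERATIONS = 200_000  # assumed PBKDF2 cost; every password guess pays this

def _subkeys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password, then split it into a masking key and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    mask = hmac.new(master, b"wrap", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return mask, mac_key

def create_secrets_file(password: str) -> tuple[bytes, str]:
    """Return (random 256-bit file key, password-locked secrets file as JSON)."""
    file_key, salt = os.urandom(32), os.urandom(16)
    mask, mac_key = _subkeys(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(file_key, mask))  # stand-in key wrap
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    fields = {"salt": salt, "wrapped": wrapped, "tag": tag}
    return file_key, json.dumps(
        {k: base64.b64encode(v).decode() for k, v in fields.items()})

def unlock_secrets_file(blob: str, password: str) -> bytes:
    """Recover the file key; a wrong password fails the integrity tag."""
    rec = {k: base64.b64decode(v) for k, v in json.loads(blob).items()}
    mask, mac_key = _subkeys(password, rec["salt"])
    expected = hmac.new(mac_key, rec["salt"] + rec["wrapped"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("wrong password or damaged secrets file")
    return bytes(a ^ b for a, b in zip(rec["wrapped"], mask))

def effective_strength_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a random password, capped by the 256-bit file key."""
    return min(256, length * math.log2(alphabet_size))

if __name__ == "__main__":
    password = "Tr7#qL9!vZ2@mK5$xW8&"  # constructed 20-character password
    key, blob = create_secrets_file(password)
    assert unlock_secrets_file(blob, password) == key  # restore on a new PC
    print("secrets file:", blob)
    print("8 lowercase letters :", round(effective_strength_bits(8, 26), 1), "bits")
    print("20 printable symbols:", round(effective_strength_bits(20, 94), 1), "bits")
```

The secrets file never contains the file key in the clear, so anyone holding it must pay the full key-stretching cost for every password they test; a short password makes that work small no matter how long the underlying key is.
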
To protect against the admittedly
unlikely eventuality of hackers getting hold of the secrets file, a handful of
cloud storage services provide the option of not uploading it, thus providing
the best possible security. In this instance, you should back up the secrets
file to something like a USB memory stick (or perhaps two or even three sticks,
to protect against loss). Some providers even advocate printing it out, so it
can be re-inputted by hand, should the need arise — despite the
fact it’s usually several lines of user-unfriendly gibberish letters, numbers
and symbols.
Choosing A Provider
The table on page 28 provides an
at-a-glance view of some major cloud services you might choose to go with.
We've only included services that provide zero knowledge encryption, because we
think that, in today’s world, this is a necessity. Unfortunately, there aren't
very many of these at present. Most offer free plans, so you can discover how
the service works for you.
Most cloud providers not only back up
files but store older versions of your files. In other words, if you tweak a
photo, save your changes but decide you've made a mistake, you can use your
cloud storage to retrieve an earlier version. Older versions are usually stored
for a limited time, although some storage providers hold them indefinitely.
Sync Yourself
A DIY approach to encrypted cloud
backup can be significantly cheaper than services like Dropbox or Spideroak.
The trick is to use online storage space that you ‘rent’ yourself, and use a
dedicated client app on the PC to back up to it. The client encrypts files
before uploading them.
While just about any online storage can
be used for backup, such as FTP space provided as part of web hosting deals,
many people rely on Amazon Glacier (aws.amazon.com/glacier). This is extremely
inexpensive bare-bones cloud storage designed for archiving files and is
offered by Amazon as part of its wider Web Services product. With Glacier you
pay for what you use, rather than via monthly or yearly subscription fees.
Prices start from US$0.01 per gigabyte of space, per month. However, retrieving
data in the event of a disaster also has a cost attached, with the cost
dropping significantly if you retrieve data slowly over several hours. See
goo.gI/bVcSOJ for details.
Files uploaded to Glacier are encrypted
automatically and invisibly to the user, although this approach means Amazon
holds the encryption key and can potentially access your data. Therefore,
encrypting files before uploading is a necessity for full peace of mind.
Apps like CloudBerry Desktop Backup
(www.cloudberrylab.com/amazon-s3-cloud-desktop-backup.aspx) cost $29.99 and
offer the same features as dedicated cloud backup apps, except they let you
choose your destination, which can include Amazon Glacier. CloudBerry Desktop
Backup also includes individual file encryption.
Before using apps like CloudBerry,
you’ll need to sign up for Glacier, which will involve handing over credit card
details and being issued an Access Key ID and Secret Access Key, which you’ll
need to enter into the backup software.
A semi-DIY solution is to use any cloud
storage service, regardless of whether it offers encryption, and encrypt files
yourself before uploading using a third-party app like Boxcryptor (free from www.boxcryptor.com), which will
automatically and invisibly encrypt files by creating a new virtual folder that
you use instead of the main cloud storage folder. The cloud backup service then
takes care of uploading in the background as usual.
If you regularly use two or more
computers, such as a desktop and laptop, then a third (and free) potential solution
is to use BitTorrent Sync (www.bittorrent.com/sync). This works
like Dropbox, in that the contents of a magical folder are automatically synced
to other computers on which the software is installed, and on which a secret
passphrase has been entered. However, BitTorrent Sync is purely peer-to-peer, which
means syncing only occurs while both computers are up and running; there’s no
central cloud storage. Still, if you have an old PC or laptop that you don’t
mind keeping running 24/7, then installing BitTorrent Sync on it, along with
your everyday computers, makes for
a very usable solution. A similar but slightly more hands-on technology is
SparkleShare (sparkleshare.org).