Charter for cloud backups

by Mark Rowe

Comparitech, a technology comparison and research company, has published a paper on the need for a security charter for cloud backup providers to protect privacy and confidentiality in light of backup breaches over recent months.

The firm says that the answer comes down to encryption. Less quantifiable privacy concerns also play a role, such as any record of breaches by hackers, giving in to coercion by authorities, abuse by the backup provider itself, and the geographic location of the data centres. But these threats may not be publicly disclosed and in any case can be nullified with proper encryption practices. Moreover, the fact that a company’s servers haven’t been compromised today doesn’t mean they won’t be tomorrow.

Besides encryption standards, it’s also important that the backup provider owns private physical data centres as opposed to renting rack space or virtual server space, to keep any third parties out of the equation. The firm pointed to several areas where cloud backup providers have let customers down, and has suggested that vast improvements are needed across the board. The areas it gives particular emphasis to are:

256-bit AES, 128-bit AES, or 448-bit Blowfish encryption protocol: These are the strongest standards of encryption available for consumer-level cloud backup services. When a backup provider advertises “military grade” encryption, they’re using one of these. 128-bit encryption is technically weaker but should be more than sufficient for any modern-day attacks. If it takes 50 years to brute force 128-bit and 1,000 years for 256-bit, the difference doesn’t really matter. 256-bit is more future-proof, and the differences between it and 128-bit may become more apparent with the advent of quantum computing, but that’s still a long way off. The majority of cloud backup providers offer one of these types of encryption, but not all do.

SSL encryption: The encryption standards above are used for the data stored on the cloud server, but when the data is still being transferred to the server from the original computer, there’s SSL. This is the same encryption used on URLs prepended with “https”. Most ecommerce sites like Amazon use SSL to protect shoppers’ credit card details when they’re being sent through the payment process. Almost all cloud backup providers use SSL.

Metadata is not accessible. Besides the data itself being encrypted, no one but the user should have access to information about that data. Filenames, size, directory structure, and file creation dates are examples of metadata that should be left out of the backup provider’s reach.
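As an added illustration (not code from Comparitech's paper or from any backup provider), the Node.js sketch below shows one way a backup client could meet the stored-data encryption and metadata points together: the file's path, creation date and true size are sealed inside a 256-bit AES envelope before upload, so the provider holds only a random object ID and a padded blob. The function names, the 4096-byte padding bucket and the sample file are assumptions made for this example.

```javascript
// Added illustration: client-side sealing so the provider stores only opaque blobs.
const crypto = require('node:crypto');

const BUCKET = 4096; // assumed padding bucket: blob sizes reveal only a multiple of this

// Seal one file. Path, creation date and true size go inside the AES-256-GCM
// envelope; the provider sees a random object id and padded ciphertext.
function sealFile(key, file) {
  const header = Buffer.from(JSON.stringify({
    path: file.path, created: file.created, size: file.data.length,
  }));
  const headerLen = Buffer.alloc(4);
  headerLen.writeUInt32BE(header.length);
  const plain = Buffer.concat([headerLen, header, file.data]);
  // Zero-pad to the next bucket boundary so the exact size is hidden.
  const padded = Buffer.alloc(Math.ceil(plain.length / BUCKET) * BUCKET);
  plain.copy(padded);
  const iv = crypto.randomBytes(12); // fresh nonce for every blob
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(padded), cipher.final()]);
  return {
    objectId: crypto.randomBytes(16).toString('hex'), // not derived from the filename
    blob: Buffer.concat([iv, cipher.getAuthTag(), body]),
  };
}

// Reverse of sealFile; throws if the blob was modified or the key is wrong.
function openFile(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  const padded = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  const headerLen = padded.readUInt32BE(0);
  const meta = JSON.parse(padded.subarray(4, 4 + headerLen).toString());
  const data = padded.subarray(4 + headerLen, 4 + headerLen + meta.size);
  return { ...meta, data };
}

// Constructed sample input.
const key = crypto.randomBytes(32); // 256-bit key that never leaves the user's machine
const sample = {
  path: 'Documents/tax/2023-return.pdf',
  created: '2024-01-15T09:30:00Z',
  data: Buffer.from('constructed file contents'),
};
const sealed = sealFile(key, sample);
console.log(sealed.objectId, sealed.blob.length); // all the provider can observe
```

Directory structure is hidden because each object ID is random and the path exists only inside the ciphertext; the number of objects and their upload times remain visible to the provider.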

For the full charter, visit https://www.comparitech.com/blog/.


© 2024 Professional Security Magazine. All rights reserved.
