Secure Cloud Storage, Everything You Need to Know

Ron Samson
Nov 24, 2020

Short answer: end-to-end encryption with user-managed keys, covering both encryption at rest and encryption in transit. Beyond that, your data is only as secure as the cloud provider.

Secure Cloud Storage

If any of these pieces is missing, you have an attack vector in which your data is unencrypted and open to interception.
The fact that you log in and see your files shown as encrypted does not mean they are encrypted at every stage. Unless the data is encrypted end-to-end, it has to be decrypted somewhere along the way before you can view it; only with end-to-end encryption is it decrypted locally. For example, a server-side load balancer often acts as a man in the middle: it receives the transport-encrypted data, holds the keys to decrypt it, and distributes the plaintext to the appropriate backend endpoint. During that window, any attacker with access to the load balancer can read your data in the clear before it is re-encrypted and passed along.

It’s simple economics: if you add a feature the user can’t see or touch, the user doesn’t know it exists, and if you charge for it, they feel they’ve been taken advantage of. Security is usually exactly that kind of invisible feature, which is why some companies invest less in it than others: the investment brings no tangible return.
So if a cloud storage provider invests in a lot of features you can see and use, I would ask what it invests in security. The news is full of companies that have been breached, and cloud providers are no exception. Attacks focus on “how to gain access,” and the more code there is, the more attack vectors there are. This is simple arithmetic; defect statistics per line of code are easy to find.
So if they have a lot of features, they have a lot of code. More code means more opportunities for attackers to find and exploit weaknesses, and a long feature list can also signal less investment in security, which means still more opportunities for attackers to find vulnerabilities.

Similarly, cached data raises many issues; caches are often left open and vulnerable to attack. Even temporary files used as scratch space during decryption can leave decrypted data on the disk: deleting such a file does not remove its contents, which remain on the disk and can be recovered through forensic analysis.
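The two layers described above (transport encryption that the provider's load balancer must strip in order to do its job, versus end-to-end encryption under a key only the user holds) and the point about not leaving decrypted scratch copies on disk, as an added Go example that is not part of the original post. The `LoadBalancer`, `ClientUpload`, `ClientDownload` and `ExposedAtLoadBalancer` names, the AES-256-GCM construction, the transport key standing in for a TLS session key, and the sample file are all assumptions for illustration; a real TLS-terminating front end is not a Go function, but the observable effect is the same: whatever is only transport-encrypted is plaintext at that hop.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// UserKey is a hypothetical user-managed key: generated and held on the
// client only. The provider never sees it, so its load balancers, caches and
// backends only ever handle ciphertext.
type UserKey []byte

// NewUserKey returns a fresh 256-bit key from the OS CSPRNG.
func NewUserKey() (UserKey, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return UserKey(k), nil
}

// sealBlob encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
func sealBlob(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openBlob reverses sealBlob; it fails if the key is wrong or the blob was altered.
func openBlob(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// LoadBalancer models the provider's TLS-terminating front end (assumption).
// TransportKey stands in for the TLS session key: the load balancer must hold
// it to route traffic, so it can strip transport encryption from anything it relays.
type LoadBalancer struct {
	TransportKey []byte
}

// Relay strips transport encryption and returns what the load balancer, or an
// attacker who has compromised it, observes before the data is re-encrypted
// toward the backend.
func (lb LoadBalancer) Relay(wire []byte) ([]byte, error) {
	return openBlob(lb.TransportKey, wire)
}

// ClientUpload applies the layers the client controls: end-to-end encryption
// under the user's own key (when enabled), then transport encryption under the
// key the load balancer shares.
func ClientUpload(userKey UserKey, lb LoadBalancer, file []byte, endToEnd bool) ([]byte, error) {
	payload := file
	if endToEnd {
		var err error
		if payload, err = sealBlob(userKey, file); err != nil {
			return nil, err
		}
	}
	return sealBlob(lb.TransportKey, payload)
}

// ExposedAtLoadBalancer reports whether the file is readable in the clear at
// the load balancer once transport encryption has been terminated.
func ExposedAtLoadBalancer(lb LoadBalancer, wire, file []byte) (bool, error) {
	seen, err := lb.Relay(wire)
	if err != nil {
		return false, err
	}
	return bytes.Equal(seen, file), nil
}

// ClientDownload decrypts a stored blob with the user's key into memory only.
// Spooling the plaintext through a temp file would leave recoverable remnants
// on disk even after deletion, so the in-memory buffer is the only copy.
func ClientDownload(userKey UserKey, stored []byte) (*bytes.Buffer, error) {
	pt, err := openBlob(userKey, stored)
	if err != nil {
		return nil, err
	}
	return bytes.NewBuffer(pt), nil
}

func main() {
	userKey, err := NewUserKey()
	if err != nil {
		panic(err)
	}
	lb := LoadBalancer{TransportKey: bytes.Repeat([]byte{0x42}, 32)} // constructed session key
	file := []byte("constructed sample: Q3 financials, internal only")  // constructed file

	for _, e2e := range []bool{false, true} {
		wire, err := ClientUpload(userKey, lb, file, e2e)
		if err != nil {
			panic(err)
		}
		exposed, err := ExposedAtLoadBalancer(lb, wire, file)
		if err != nil {
			panic(err)
		}
		fmt.Printf("end-to-end=%v  plaintext visible at load balancer=%v\n", e2e, exposed)
	}
}
```

Running it with `go run` prints one line per mode: with end-to-end encryption off the load balancer sees the file verbatim, with it on the load balancer sees only the user's ciphertext and cannot open it with the transport key. The client-side decrypt deliberately returns a `bytes.Buffer` rather than a path, so the caller has nothing on disk to forget to wipe.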

I know there are exceptions, but they are far rarer than these patterns. Simple economics: “invest in what benefits the consumer and increases profits.” I doubt that will change until consumers tell companies, “I’ll choose another product because I don’t like your security.”

Ron Samson
I am a strategist at Clearnetwork, Inc. I have more than 5 years of experience in the industry and, over that time, have built up specialist experience in cyber