Backup to the Cloud

C1

Platinum Member
Feb 21, 2008
Given the understanding that the networks are being accessed/monitored and passwords and encryption keys being made available via secret court orders, it would seem risky to use backup systems which rely on the cloud (eg, Mozy, Carbonite).

Any company that would have proprietary information or private individual with sensitive personal information would be derelict to include such data in cloud backup/storage.

And why doesn't anybody think that, for shits and giggles, some contractor cyber security analyst working 3rd shift isn't going to pull up Paris Hilton's email to read at 3am when no one's around (and even maybe save some neat/juicy tidbits to a flash drive)? (The Fed has on the payroll tens of thousands of contractors to manage these businesses, including now even outsourcing the myriad war efforts.)
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
That risk can be mitigated by not relying on built in encryption of those services and where possible encrypt your data yourself prior to using the service.

Furthermore court orders and laws surrounding encryption have yet to challenge deniable encryption, applications like TrueCrypt allow for plausible deniable encryption which when used correctly allow you to decrypt dummy data instead of real data, solving both of those problems.

But it's certainly something to watch out for as the scene of IT changes. Cloud is powerful, but the laws around it are fuzzy, largely untested and a bit of a blind spot/risk. Megaupload was a classic example of people's data getting F'd against their wishes, and even more professional services like AWS might end up handing over server racks to law enforcement because someone did something naughty; if your files happen to share the same equipment, that's a potential issue.
 

TechByPC

Junior Member
Aug 9, 2013
And why doesn't anybody think that, for shits and giggles, some contractor cyber security analyst working 3rd shift isn't going to pull up Paris Hilton's email to read at 3am when no one's around (and even maybe save some neat/juicy tidbits to a flash drive)? (The Fed has on the payroll tens of thousands of contractors to manage these businesses, including now even outsourcing the myriad war efforts.)

Accesses would be logged and audited. USB can be easily blocked if one tries.

Completely agree though. Encrypt your data prior to backing it up. Roll your own cloud solution with OwnCloud or similar. Use Amazon S3 / Glacier with your encrypted data. Layers are what are important here, and remember what you are trying to protect against.

Whole disk encryption protects my data from the person who steals my laptop. They'll format and start over before they attempt to break through. File based encryption (Axcrypt or similar) protects my data while the system is turned on, and in the case that the encryption in the cloud product (with a key I don't share with them) is somehow compromised. If someone finds a 0-day and accesses my laptop over the network while it is turned on, they can pull all my sensitive files but not decrypt them. There is still a way to steal my actual unencrypted data, but the barriers in place make the return on that investment more expensive than the cost.

Think about it like this: No one solution is going to cover every possible attack vector. Use multiple solutions to protect against the attack vectors you consider most likely or worth your effort to protect against. The one where the [government agency here] puts a camera in my ceiling, captures my password with video, pulls my whole disk encryption key out of running memory, and then walks into the house and walks away with the computer while I'm not there? Yeah, I'm not protecting myself fully against that one, and making that effort isn't worth my time compared to the likelihood that something I'm doing is worth them making that kind of effort to capture it.
 

Mushkins

Golden Member
Feb 11, 2013
Think about it like this: No one solution is going to cover every possible attack vector. Use multiple solutions to protect against the attack vectors you consider most likely or worth your effort to protect against. The one where the [government agency here] puts a camera in my ceiling, captures my password with video, pulls my whole disk encryption key out of running memory, and then walks into the house and walks away with the computer while I'm not there? Yeah, I'm not protecting myself fully against that one, and making that effort isn't worth my time compared to the likelihood that something I'm doing is worth them making that kind of effort to capture it.

Hanging around this forum, that's a hard view to sell a lot of the time :) But it's true, no security plan will ever protect you from every possible threat ever, and it's up to you to work out just how much security is enough to reasonably deter the threats that matter the most to you. Sure, keep your tax returns with your SSN on a fully encrypted thumb drive locked in your firebox, but your vacation photos probably don't need full disk encryption and a dedicated VPN proxy to back up on Mozy. Security for the sake of security isn't always the best answer.

As for Cloud backups, you should never be willingly handing over truly sensitive data to any un-vetted third party in the first place, encrypted or no. If it's that sensitive and that important, don't drink the cloud kool-aid and roll up one of the same secure backup solutions we've all been using for years before this cloud crap infected the minds of every business owner. Tape backups locked in a secure closet and securely transported and stored in an offsite restricted area or with a *trusted* third party under legal contracts like Iron Mountain. Mozy and Carbonite and the like have a looooong way to go before the services they provide could ever be considered vetted for any real security and reliability, kitschy TV commercials do not make you a serious contender in the security world.