Every cloud backup service out there will brag about how safe it is, even if they don’t need to. But should we all expect at least some level of privacy when we back up our personal information online? What does “good security” mean when it comes to cloud backup? We decided to answer many such questions and create a set of rules that anyone who cares about privacy should ask their backup provider to follow.
In the end, the answer comes down to encryption. There are also privacy concerns that are harder to measure, such as records of hacker attacks, giving in to government pressure, abuse by the backup provider, and the location of the data centers. But these threats might not be made public, and if they are, they can be stopped with good encryption. Even if a company’s servers haven’t been hacked today, that doesn’t mean they won’t be tomorrow.
We support a zero-knowledge policy. This means that the backup service only sees encrypted packets of files being uploaded and has no idea what they contain.
Security Plan for Cloud Backup
Under the Security Declaration, cloud backup services must guarantee the following to be considered safe and private:
256-bit AES, 128-bit AES, or 448-bit Blowfish encryption: These are the most secure encryption standards for cloud backup services for consumers. When a backup service says that its encryption is “military grade,” it is using one of these. Technically, 128-bit encryption is weaker than 256-bit encryption, but it should be more than enough to stop any modern attack. If brute forcing 128-bit takes 50 years and 256-bit takes 1,000 years, the difference doesn’t really matter. 256-bit is better for the future, and once quantum computing arrives, the differences between it and 128-bit may become clearer, but that’s still a long way off. Most cloud backup services offer one of these encryption types, but not all of them do.
SSL encryption: The above encryption standards are used for data stored on the cloud server. SSL encryption is used while data is in transit from the original computer to the server. This is the same kind of encryption that is used for URLs that start with “https.” Most e-commerce sites, like Amazon, use SSL to keep shoppers’ credit card information safe when it’s being sent through the payment process. SSL is used by almost all cloud backup providers today.
Encryption happens on the local machine. When data is backed up to the cloud, it’s best for the data to be encrypted on the local machine before it’s sent to the server, even if it’s protected by SSL. That way, user data never sits on the cloud server unencrypted for even a second. When doing a restore, the data should likewise be decrypted on your local machine rather than on the server. It can be hard to tell whether a service provider does this because providers don’t usually talk about it. Some send the data to their servers and only encrypt it afterward. Users might have to ask customer service to find out.
Set a private key. It doesn’t matter how well data is encrypted if someone else has access to the encryption key, which is basically a password that can be used to decrypt all user data. Instead of using the company’s encryption key, backup services should let users set their own. If the user chooses this option, no one but the user can decrypt the data, not even the provider who is hosting it. Even if hackers get into the servers, user data won’t be exposed. Even if the government forces the company to give up access to its servers, user information will be safe. By setting a private encryption key, you are the only one who can protect your backup. Just remember that if you lose the key, you can never get the data back. Also, users must be extra careful not to give the key to anyone else. Make sure your antivirus is up to date and don’t store the key on your device without encryption.
In addition to all of these encryption standards, it’s important that the backup provider owns its own physical data centres instead of renting rack space or virtual server space. By doing this, there is no way for a third party to get involved.
Metadata is not accessible. Aside from the fact that the data itself is encrypted, only the user should be able to see information about it. Metadata like file names, sizes, directory structures, and creation dates should be kept out of the hands of the backup provider.
Lastly, cloud providers must make sure that only the user can access his or her own data. Employees of the company must not be able to get to it. Security must be strong enough to keep hackers out. And officials from the government must not be able to look at it without a warrant. The last one may be the hardest to do because governments all over the world are pressuring tech companies to give them backdoors so they can look at users’ data. This promise is even harder to keep now that Safe Harbour has failed and the future is uncertain. This means that the cloud provider is ultimately in charge of keeping user data safe.
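The local-encryption, private-key and metadata items above can be seen working together in the following added example, which is not from the original article or from any provider's code. It uses Node.js's built-in crypto module to derive the key on the local machine from the user's own passphrase and to seal the file name and date inside the ciphertext, so the server receives only a random object ID and an opaque blob. The function names, blob layout and sample file are assumptions made for illustration.

```javascript
// Added example, not a provider's code: function names and blob layout are assumptions.
const nodeCrypto = require('node:crypto');

// Derive a 256-bit key locally from the user's own passphrase (scrypt, Node defaults).
// A real client would derive once per backup set rather than once per file.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Encrypt one file on the local machine. Name and date go inside the ciphertext.
function seal(passphrase, name, mtime, content) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const meta = Buffer.from(JSON.stringify({ name, mtime }));
  const metaLen = Buffer.alloc(4);
  metaLen.writeUInt32BE(meta.length);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(Buffer.concat([metaLen, meta, content])), cipher.final()]);
  return {
    objectId: nodeCrypto.randomBytes(16).toString('hex'), // opaque, unrelated to the file name
    blob: Buffer.concat([salt, iv, cipher.getAuthTag(), body]), // all the server ever stores
  };
}

// Restore: decrypt locally. final() throws on a wrong passphrase or a modified blob.
function unseal(passphrase, blob) {
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(blob.subarray(28, 44));
  const plain = Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
  const metaLen = plain.readUInt32BE(0);
  const meta = JSON.parse(plain.subarray(4, 4 + metaLen).toString('utf8'));
  return { name: meta.name, mtime: meta.mtime, content: plain.subarray(4 + metaLen) };
}

// Constructed sample file, for illustration only.
const sample = seal('user-chosen passphrase', 'tax-2023.pdf', 1700000000, Buffer.from('sample contents'));
const restored = unseal('user-chosen passphrase', sample.blob);
console.log(sample.objectId, sample.blob.length, restored.name);
```

The blob length still reveals the approximate file size; hiding that as well would require padding or packing files into fixed-size chunks.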
Backup services that meet the standard for privacy
We’ve put together a list of cloud backup and storage services that are up to date and meet all the above encryption standards to make your search a little easier. Here they are, not in any special order.
This is by no means a complete list, so let us know in the comments if you have more ideas. If you want to keep using a cloud backup service that doesn’t meet our standards but would like to add encryption, visit our guide on the best programs to encrypt your data before you upload it to the cloud.
We think it’s reasonable and possible for cloud backup providers to follow this declaration. It would be better for a lot of people, but there is no perfect answer. IT professionals have said that these kinds of encryption schemes still have flaws, but the alternatives could be just as dangerous. That’s why it’s still important to make strong passwords and keep them safe.