London, UK: Comparitech, a technology comparison and research company, has today published a paper on the need for a security charter for cloud backup providers to protect privacy and confidentiality in light of several backup breaches over the last 12 months.
Comparitech’s research has found the answer ultimately comes down to encryption. Less quantifiable privacy concerns also play a role, e.g. any records of breaches by hackers, giving in to coercion by authorities, abuse by the backup provider itself, and the geographic location of the data centres. But these threats may not be publicly disclosed and in any case can be nullified with proper encryption practices. Not to mention that just because a company’s servers haven’t been compromised today doesn’t mean they won’t be tomorrow.
Their experts have honed in on several areas where cloud backup providers have let customers down over the last 12 months and has suggested that there need to be vast improvements across the board. A few areas they give particular emphasis to are:
256-bit AES, 128-bit AES, or 448-bit Blowfish encryption protocol: These are the strongest standards of encryption available for consumer-level cloud backup services. When a backup provider advertises “military grade” encryption, they’re using one of these. 128-bit encryption is technically weaker but should be more than sufficient for any modern-day attacks. If it takes 50 years to brute force 128-bit and 1,000 years for 256-bit, the difference doesn’t really matter. 256-bit is more future-proof, and the differences between it and 128-bit may become more apparent with the advent of quantum computing, but that’s still a long way off. The majority of cloud backup providers offer one of these types of encryption, but not all do.
SSL encryption: The encryption standards above are used for the data stored on the cloud server, but when the data is still being transferred to the server from the original computer, there’s SSL. This is the same encryption used on URLs prepended with “https”. Most ecommerce sites like Amazon use SSL to protect shoppers’ credit card details when they’re being sent through the payment process. Almost all cloud backup providers use SSL nowadays.
Metadata is not accessible. Besides the data itself being encrypted, no one but the user should have access to information about that data. Filenames, size, directory structure, and file creation dates are examples of metadata that should be left out of the backup provider’s reach.