In traditional on-site backup systems security is mainly a physical concern – ensuring data is backed up in more than one location in case of hardware loss or failure and restricting access to the physical backup media to only trusted employees.
In cloud backup, security concerns are different. In many cloud applications such as G Suite (formerly known as Google Apps), Office 365 and Salesforce, data is created in the cloud and then copied to the backup provider. Cloud backup providers have their own security in place to ensure the security of the physical servers, but data may be vulnerable while it is in transit.
This is why data encryption is the most vital key to cloud security. Encrypted data cannot be accessed in a readable format, even if it is intercepted while in transfer online.
90% of organizations say they have concerns about cloud security and 45% cite security as the main barrier to further cloud adoption, with unauthorized access to data being the main security concern. 65% of those surveyed also recognize that encryption is the most effective security control for cloud data.*
Data should be encrypted both while in transit and once it reaches the servers of the cloud provider and remains in storage. Storing the data in encrypted format means that if an unauthorized person manages to achieve physical or electronic access to these backup servers, the actual data will still be inaccessible.
Table of Contents
Data Encryption in Transit via Communication Channels
Data Encryption Certification
Any communication of data between the client and the cloud provider must be encrypted. Not all encryption algorithms are equal and it’s important to make sure the provider you use is utilizing industry standard encryption protocols.
Cloud data services should use only protocol TLSv1.1 or higher. Additionally, they should own a security certificate that has been confirmed by a well-known and trusted certification center such as Symantec, VeriSign, Thawte or GoDaddy.
If you want to check the security of the communication channels of any cloud service provider, this is easily checked by visiting SSL labs and using their testing service, which will give you a rating. Reliable and secure providers should have a rating of A or B.
For example, you can see the rating of Spinbackup from SSL labs here:
Data Encryption at Rest
You can determine the overall security of encrypted data by considering four main parameters:
- The algorithm used
- The encryption mode
- The length of the secret key
- Management of the encryption keys
1. Encryption Algorithm
The algorithm used to encrypt the data is the most important aspect of its security.
One of the most well-known and secure algorithms is the AES algorithm, which was adopted as the US national encryption standard in 2001 and has a long history of use in data security. This algorithm was developed by two Belgian cryptographers in 1998. There are currently no known attacks that can be use to read data encrypted with AES and it would take billions of years to access via brute force. The US government has been using AES to protect classified data since 2003.
There is a lot of public information available about this algorithm and it has been thoroughly tested and studied for many years by scientists and cryptography specialists, so this is one of the most popular and secure algorithms used to secure data in cloud applications.
If a cloud provider claims to use their own algorithms for data encryption, this should raise a red flag, as they are unlikely to be as secure as the industry standard algorithms.
2. Data Encryption Mode
Secondly, the mode by which data is encrypted is another important piece of the overall security.
Encryption mode is a type of add-on encryption algorithm and can help to make your data secure. However if you choose an unsuitable mode, this could put the security of your data at risk, which may lead to data loss.
Encryption modes have been studied and tested extensively since the earliest modes of operation were developed in 2001 and sometimes new research discovers a weakness in a particular type of encryption mode.
For example, CBC mode (Cipher Block Chaining) was considered safe for many years but serious vulnerabilities have been discovered in it recently and it is now not recommended for securing customer data.
Most experts recognize GCM (Galois / Counter mode) as the most secure encryption mode currently. Using this mode allows you to increase privacy, as well as controlling the integrity of the encrypted data.
3. Length of the Encryption Key
It is also vital that cloud providers use an encryption key that is long enough to ensure cryptographic security of the data. Keys that are too short can be decrypted more easily.
Computer technology moves very quickly and advances are made in decryption techniques all the time. If a provider is storing sensitive client data, it needs to ensure it will stay intact for several years.
Currently, a key length of 128 bits is sufficient to insure the data is secured for to 2-3 years. Systems that use a 256-bit key can guarantee full data security for many years longer.
4. Management of Encryption Keys
The final aspect of encryption security, which is equally important as the previous three points, is how the provider manages the encryption keys.
Even providers who use the most secure and up to date encryption algorithms and technology will not be able to ensure complete security of your data if the encryption keys are not also secured in an adequate way.
Less than ideal scenarios for managing encryption keys that may lead to a data breach include:
- Keys are easily accessible to any employee or potential intruder so that the data can easily be deciphered by anyone who can access the keys.
- Encrypting all the data with one key, which means that all the data is vulnerable if the key is discovered.
- Keys are stored in pure form.
To ensure complete data security it is important that the cloud provider has a key management system in place ensuring that each object is encrypted with an individual key and these keys are not accessible by anyone. Even the most trusted employee should never be granted independent access to encryption keys of customer data.
Spinbackup Data Security
- Spinbackup never asks for your Google password. It communicates with your Google account via OAuth 2.0, Google’s latest and most secure API, developed by Google’s own developers.
- Spinbackup uses Amazon S3 to store users backed-up data. Amazon S3 guarantees 99.9% uptime in their Service Level Agreement (SLA). Even if Google is down you will have access to your Google data via your Spinbackup account.
- Spinbackup provides a 256-bit SSL secure certificate to access your user account. All security concerned financial services institutions (banks, brokerage firms, etc) use the same type of certificate.
- Spinbackup does not share any user data or emails with any third-party. No other entity will even know that you have an account.
- Recognising the importance of the GDPR compliance, Spinbackup applies best practices, international standards, and follows legal requirements when building a Information Security Management System (ISMS) within the company. We incorporate the highest security standards into every phase of Spinbackup’s software development process, from the outset to completion. Spinbackup employs the highest security and privacy controls, audited regularly in our SOC 2 reports. Spinbackup’s cutting edge services are driven by collaborative effort with leading cloud service providers such as Amazon, Google, and Microsoft, whose reliability is globally recognised. Spinbackup follows the recommendations provided by ISO/IEC 27002 to ensure that the information security controls are implemented in Spinbackup.
* source: Bitglass.com