Below is a (sortable) list of cloud storage offerings including published security controls covering authentication, data at rest, data in transit, logging/audit and additional notes. Beneath the table is a guide to explain some of the details, with some suggestions to help you choose.
Published Security Controls
I only list security controls found in public statements made by the cloud storage provider. If it isn’t published, I don’t include it. Sometimes, I will include pointers to 3rd party sites where a useful security tip or tool is mentioned.
Always double-check the offer and terms before you sign up, as the information below may have changed.
|Name||Free Tier (GB)||Paid Tier||Max Filesize||Data at Rest||Data in Motion||Logging||API||Notes|
|Amazon Cloud Drive||5||20GB, $10/year; 50GB, $25/year; 100GB, $50/year; 200GB, $100/year||Unknown||None||TLS||None||None||TBC|
|Apple iCloud||5||10GB (15GB total with 5GB free), $20/year; 50GB, $100/year.||Application data centric limits||128-bit AES encryption (minimum – varies across content)||TLS||None||Registered developers only||Automatic filesync within Apple world (Windows Control Panel|
|box Personal||5||Personal account, 25GB for $9.99/month; 50GB, $19.99/month.||1GB (100MB for free tier)||256-bit AES encryption||TLS||None||Unknown|
|box Business & Enterprise||5||$15/user/month, 3 to 500 users; 1TB||1GB||256-bit AES with automatic redundancy||TLS||Real-time notifications via email or API||V2 API brings a RESTful API, EVENTS for real-time notification of state changes. Developer API||2-factor auth available. Login activity shown. You can explicitly grant box.com support access to your files for support purposes. Files can be accessed/changed through 3rd party sites; e.g. Zoho|
|Dropbox Personal||2||No limit from desktop app, 300MB limit uploading to website||RESTful API with client libraries for iOS, Android, Python and Ruby. Developer page|
|Dropbox Pro||2||“Pro” 100GB for $9.99/month or $99/year, up to 500GB for $49.99/month or $499/year.||256-bit AES encryption||RESTful API with client libraries for iOS, Android, Python and Ruby. Developer API|
|Dropbox Teams||2||1TB for $795/year for 5 users and $125 for each additional user.||256-bit AES encryption||RESTful API with client libraries for iOS, Android, Python and Ruby. Developer page|
|Google Drive||5||25GB, $2.49/month; 100GB, $4.99/month; 200GB, $9.99/month; 1TB, $49.99/month; 16TB, $799.99/month.||Yes||Files converted to Google Docs format are stored for free|
|Livedrive online storage||0||Unlimited for a single PC backup @ $7.95/month||Unlimited||256-bit AES||256-bit AES||None||Keeps up to 30 older versions of a file. In addition to Windows, and OSX support, also basic Linux support.|
|MediaFire Pro||50||250GB for $4.50/month||1GB||Unknown|
|MediaFire Business||50||1TB for $49/month||10GB||Unknown|
|Mega||50||500GB for $13/month, 2TB for $27/month, and 4TB for $40/month. 17% discount for annual payment||Unlimited||128-bit AES for file data, 256-bit AES for file metadata (name, size etc)||2048-bit RSA for receiving data. Data encrypted in memory Web client SSL/TLS by default||Session history (via “account” menu option)||HTTP/JSON||Mega client-side encryption/decryption to end-to-end-protect file transfers and storage|
|Microsoft SkyDrive||7||20GB, $10/year; 50GB, $25/year; 100GB, $50/year.||2GB (300MB via web upload)||Unknown|
|mimedia||7||100GB, $4.99/month; 500GB, $20/month or $199/year; 1TB, $35/month or $325/year||Unknown|
|SpiderOak||2||$10 per month or $100 per year for each additional 100GB increment.||2048-bit RSA encryption||256-bit AES encryption||Unknown|
|SugarSync||5||30GB, $4.99/month or $49.99/year; 60GB, $9.99/month or $99.99/year; 500GB, $39.99/month or $399.99/year||Unknown|
|SugarSync Business||5||100GB for three users for $29.99/month or $299.99/year.||Unknown|
|Synform||10||Community Cloud storage: you get what you put in. Your files stored encrypted on other users machines||Unknown|
|Syncplicity||2||50GB for $15/month||Unlimited||256-bit AES encryption||256-bit AES encryption||Owned by EMC||Unknown|
Factors to Consider when Selecting a Cloud Storage Plan.
Below are some important factors to consider before signing up to a plan. Fortunately, most plans allow you to sign up to the free tier without providing credit card information.
The first thing to check is that free plans are recurring and not just introductory (e.g. one month free). Next compare plan features – in addition to more storage, paid plans may offer additional security and collaboration features (e.g. more granular sharing). Don’t assume storage space is the only difference.
Terms and Conditions may also differ between free and paid plans from the same provider. Likely it will be the same actual document, but be sure to search for the word “free” and note any exclusions.
To provide you free storage, providers may not offer any support outside keeping the service online. If you are a power user or geek, you’re probably already used to supporting yourself (and your family) via community forums, but if not, consider the impact of slow or non-existent support on your future self (you know, when you need to download something urgently). Good support is worth paying money for, so factor in your level of technical troubleshooting prowess and the time you have to spend on fixing possible “client side” problems.
Security features, Correctness of Implementation and Platform weaknesses
Security “features” are designed, built and/or adopted by the cloud provider to provide a desirable security control to help assert trust; e.g. 2 factor authentication, or 256bit AES data encryption. In an ideal world, these controls are specified “correctly” and implemented perfectly. History teaches us that creating flawless specifications and bug free software for a complex system is far from easy, let alone economically viable with current practices. Obviously, a weakness in privileged security code can lead to a compromise of the service and underlying platform. It’s reasonable to assume these risks exist and think defensively: avoid putting all your eggs in one basket. Choose multiple cloud storage services from different providers (2 or 3) and divide up your data in ways that reflect the sensitivity of the data and your comfort level with the provider. This approach also helps in the event the service suffers significant downtime or corruption such that you can’t get to your data when you need it.
Just as with security controls, vulnerabilities in the platform itself, or operational security weaknesses by employees, can all lead to your data getting compromised. However, as with any provider (cloud or not), until a breach notification is issued, you may never know. On that point, I recommend double-checking the Terms and Conditions for statements around breach notification commitments and communication methods.
Ultimately, most of us will not be in a position to dictate security terms and required assurance levels to our providers, but this doesn’t mean we have to totally bury our heads in the sand. Features such as cloud service access logs and storage object meta-data may provide “enough” assurance, but only if you – or the apps you choose – make use of them.
Cloud Storage and overselling
Cloud storage providers oversell storage to survive in a competitive market: for every 1GB of space they “have”, they will sell it many times over. This is a common business practice and works when there is reasonably predictable consumer behavior. In short: the majority of “pre-paid” customers don’t use all the resource they are entitled to.
Storage innovation and smart sourcing practices drive up overselling ratios. De-duplication, compression, tiered storage (older files on slower, cheaper storage devices) combined with purchasing in bulk and fast access to market for more storage, make overselling storage practical and thus keep prices low.
Where overselling can go bad is when consumption patterns don’t follow the “norm”, or the technology gremlins strike. Much like a run on the bank, if the cloud provider is deemed “at risk” by the market and there is a rush to “withdraw”, you could be joining a very long queue of downloaders trying to get their 100GB. Or consider a de-duplication bug that causes data corruption that the provider isn’t or can’t monitor for. Freak events like these are hard for anyone to predict, but nevertheless you can plan for them. Use multiple cloud storage providers and make sure the most important files are stored in at least 2 or more cloud services (but read the supply chain warning below).
Cloud Storage Supply Chain
Cloud storage providers do not always “own” the hardware they use. In the “best case”, they may be re-selling storage from a reputable provider like Amazon Web Services. At the other extreme, the “provider” may be a so-called “summer host” with one or more cheap servers with aging disks rented at bargain basement prices. If they don’t make enough money to cover the next month, you’ll be left chasing your data and looking for a proper provider. Remember: one person’s cloud is another person’s server… If in doubt, ask!
Unless the “front-end storage provider” is adding something of value that is important to you – for example, a “sync across all your devices” client – you’re probably better off financially and availability wise, going direct.
Where extreme overselling can really hurt is not on the storage side (assuming a well managed setup), but on the network; i.e. how fast you can push or pull your data to cloud storage. If the cloud provider went “lowend” on their choice of upstream networks (high packet loss) or underprovisioned bandwidth for the storage deals they sell (thin pipes), that “unlimited storage” deal suddenly looks like a cloud mirage. The best advice I can give here is to insist on a trial period (most providers offer them) and monitor throughput both up and down with real data over a number of days.
You might discover that your cable provider is reducing your throughput to the cloud service through traffic shaping (translated: foot on hose pipe). You may be able to live with this if it’s only during specific time windows, but if it’s always throttled, I recommend checking your contract and giving them a call to see if they will remove the shaping (possibly by paying a little more and getting a fixed IP that they exempt from the shaping). Failing that, switch providers, accept a glacial backup or buy more USB disks…
Data at Rest
If a provider offers data encryption at rest, this means they encrypt your data for you. The obvious disadvantage is that you really have no way to prove that they – or a higher authority – haven’t looked at your data (regardless of what they claim/promise). One of the reasons that storage providers are keen to encrypt your data for you is so they can perform de-duplication (remember the bit about overselling?). If you encrypt your own data independently, they effectively see random data which they can’t dedup. The benefit of dedup for you is if the files you wish to store are the same as other people’s; e.g. a backup of your laptop will include common operating system files.
Avoid any provider that uses “homegrown” encryption algorithms.
Note that some services – such as Apple iCloud – reserve the right to apply different strength encryption to different “buckets” of your data. See the notes section in the table.
Data in Motion
I’m not aware of any mainstream cloud providers that don’t encrypt data in transit. However, if they offer multiple methods (or protocols) to access their service, you may find yourself opting to use a weaker than default option; e.g. FTP or WebDAV with no SSL.
One thing to avoid is confusing the encryption endpoint cloud providers use when you push/pull your data with the encryption they use on their website. So you might check their website SSL certificate, see it’s issued by a reputable CA and feel reassured. In reality, your devices will communicate with their storage endpoints running on different servers with a different SSL/TLS setup. And this is where problems can creep in. For example, a provider may require you to use their software to access their service. Their software may not be programmed to verify the SSL certificate of the storage endpoint (this is not specific to storage security, it’s surprisingly common across SSL clients). But since you are using their software, you won’t see any message alerts or pop-up boxes warning you that your SSL session is subject to a man-in-the-middle attack next time you are sitting at Starbucks.
Some cloud storage providers do not provide any user accessible logs. Only they know what data was accessed by whom and when (we hope). It’s safe to assume that if they do not expose this data to you via their website or an API, you will not be able to obtain this information. This is nearly always the case on free plans. Logging and audit features tend to come with “Professional” and “Enterprise” plans.
Storage providers offering monthly plans generally do not charge separately for logging – it’s usually baked in (but do double-check before signing up).
Pay as you go cloud storage services such as Amazon S3 offer logging but do charge – both for the bucket space consumed by the logs and the number of API calls made to read/write the logs. The charges are small so for most use cases, this isn’t an issue.
Supplemental to logging and audit trails is whether the storage provider exposes an event API. This is like an activity feed that a program can subscribe to and react to events. For example, if your business partner started erasing all your shared files, you could find out in real-time… Real-time notifications (with a way to program a “reaction”) may be the fastest way for you to learn when a cloud account or file has been compromised.
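
As an added example (not from the original article or any provider's code), the following detection logic reads Amazon S3 server access log records and flags a requester who deletes several objects in a short window, which is the "partner erasing shared files" case above. The function names, the threshold and window values, and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Leading fields of an S3 server access log record; later fields are ignored.
RECORD = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'(?:"[^"]*"|-) (?P<status>\S+)')
DELETE_OPS = {"REST.DELETE.OBJECT", "BATCH.DELETE.OBJECT"}

def parse(line):
    """Return the record as a dict, or None if the line is not a log record."""
    m = RECORD.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def mass_delete_alerts(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag each requester making `threshold` successful deletes within `window`."""
    recent = defaultdict(deque)   # (requester, bucket) -> deletes inside the window
    alerts = []
    records = sorted(filter(None, map(parse, lines)), key=lambda r: r["time"])
    for rec in records:
        if rec["operation"] not in DELETE_OPS or not rec["status"].startswith("2"):
            continue              # reads, and deletes that were refused, do not count
        burst = recent[(rec["requester"], rec["bucket"])]
        burst.append(rec)
        while rec["time"] - burst[0]["time"] > window:
            burst.popleft()
        if len(burst) >= threshold:
            alerts.append((rec["requester"], rec["bucket"], [r["key"] for r in burst]))
            burst.clear()         # start counting again after raising the alert
    return alerts

# Constructed sample records (not real logs): one burst, one refused delete.
PARTNER = "arn:aws:iam::111122223333:user/partner"
SAMPLE_LOG = f"""\
ownerid shared-docs [12/Mar/2013:08:00:00 +0000] 192.0.2.10 ownerid REQ0 REST.DELETE.OBJECT old.tmp "DELETE /old.tmp HTTP/1.1" 204 - - 10 9 - "-" "client/1.0" -
ownerid shared-docs [12/Mar/2013:09:00:01 +0000] 198.51.100.7 {PARTNER} REQ1 REST.GET.OBJECT plan.docx "GET /plan.docx HTTP/1.1" 200 - 5120 5120 20 19 "-" "client/1.0" -
ownerid shared-docs [12/Mar/2013:09:01:10 +0000] 198.51.100.7 {PARTNER} REQ2 REST.DELETE.OBJECT plan.docx "DELETE /plan.docx HTTP/1.1" 204 - - 5120 15 - "-" "client/1.0" -
ownerid shared-docs [12/Mar/2013:09:01:12 +0000] 198.51.100.7 {PARTNER} REQ3 REST.DELETE.OBJECT budget.xlsx "DELETE /budget.xlsx HTTP/1.1" 204 - - 2048 12 - "-" "client/1.0" -
ownerid shared-docs [12/Mar/2013:09:01:15 +0000] 198.51.100.7 {PARTNER} REQ4 REST.DELETE.OBJECT notes.txt "DELETE /notes.txt HTTP/1.1" 204 - - 300 11 - "-" "client/1.0" -
ownerid shared-docs [12/Mar/2013:09:01:20 +0000] 203.0.113.9 - REQ5 REST.DELETE.OBJECT logo.png "DELETE /logo.png HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "client/1.0" -
"""
```

Calling `mass_delete_alerts(SAMPLE_LOG.splitlines())` returns one alert naming the partner account and the three deleted keys; the owner's single delete and the refused 403 request do not trigger it.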