Internet-related companies have been trying to persuade us to store our files in the cloud for years now. The concept offers many benefits, but how can we make sure that it is safe?
Cloud-based storage takes files that are stored on your computer and replicates them on other computers, maintained by a service provider, via the Internet. There are many such services now, including Mountain View, Calif.-based Evernote Corp., San Francisco-based Dropbox Inc., Los Altos, Calif.-based Box Inc. (formerly Box.net) and San Mateo, Calif.-based SugarSync Inc.
But how well is your information protected when it is stored online? For financial advisors, that’s an important question.
Ideally, a cloud-based service will encrypt your files as part of its service. This involves the use of software “keys” to scramble the data so it cannot be read. Encryption can be done using a variety of mathematical techniques, some of which are more secure than others.
Unfortunately, however, in most cases, you can’t simply upload a file to the cloud and assume it is protected.
Take Evernote, for example. This cloud-based service has gained huge traction over the past few years as people use it to store audio, photos, text notes and documents. Evernote replicates files between computers and mobile devices, and provides a useful indexing feature, enabling you to search through huge reams of files.
Evernote also allows you to encrypt text in your notes, but you have to do it manually. When you do encrypt your data, it is scrambled using 64-bit RC2, a relatively old encryption technique that is rarely used today. Evernote says it does not offer stronger encryption because of restrictive U.S. export laws.
Plain text
The other problem with Evernote is that while it can encrypt text notes, it does not encrypt documents. This means if you upload a PDF or other file, it will be stored unencrypted. It is therefore up to you to encrypt those files (and, potentially, your own text notes) yourself.
Other cloud-based services use stronger encryption. For example, Dropbox, which says it is used by more than two million businesses, encrypts your data when you store it on the service. It doesn’t store your data on its own computers; it uses the cloud-based storage service operated by Amazon.com Inc., which protects your data with stronger, 256-bit AES encryption.
Perhaps most worrying of all is the fact that these cloud-based services are, in many cases, responsible for storing and controlling the encryption keys used to protect your files. Security is taken out of your hands, forcing you to rely on the service provider.
Think of this as leaving the key to your safety deposit box with your bank manager. If the manager is trustworthy and well-protected, then all is well. But if the bank manager is dishonest, or if someone forces him or her to use the key at gunpoint, then your safety deposit box could be compromised.
Dropbox has seen its fair share of security breaches in recent years. In 2011, a software update introduced a bug that allowed attackers to log into user accounts and access files. Last year, Dropbox employees’ accounts were compromised and a project document with user email addresses was stolen, enabling the attackers to send spam to those addresses.
The company’s executives also admit that Dropbox allows a small number of employees to access user data for legal reasons.
Another concern is the U.S. Patriot Act, which has expanded the U.S. government’s powers to snoop on company data stored by U.S.-based cloud service providers.
“Business record requests” enable law enforcement agencies and intelligence services to harvest data on cloud service providers’ computers. Section 215 of the Patriot Act expands the scope of business records requests to cover more businesses than before. The act also permits searches for all kinds of information.
More snooping
Distrust of U.S.-based cloud services companies escalated in early June, when the Washington Post uncovered an alleged National Security Agency program said to involve information-gathering from at least nine major U.S. Internet companies. This news will make financial advisors and others nervous about using U.S.-based cloud computing services in general.
Regardless of who is providing access to your data, the level of uncertainty makes it clear: encrypting your data before uploading it to these cloud-based services makes it safer, because you have control of the encryption keys. That way, if a snooper tries to look at that information, they won’t be able to make sense of it.
Third-party service
One solution is to use a third-party service to encrypt your information before it is uploaded. Some free encryption software will create an encrypted virtual folder for you that allows you to set and keep your own password without talking to online services at all.
There are several services available to help with this encryption strategy:
CloudFogger, designed to protect data before it is uploaded, is available for the Windows, Mac OS X, iOS (used on iPad and iPhone) and Android platforms. The service is free for non-commercial use and works for cloud-based services, including Dropbox.
Another service, Boxcryptor, will encrypt your information before you upload it to a cloud-based service. Designed for the same computing platforms as CloudFogger, it uses a virtual disk drive, located on your computer, that encrypts your files locally before uploading them. The system, which uses AES-256 encryption, supports a large number of cloud-based service providers, including Dropbox, Box, SugarSync and Microsoft Corp.’s SkyDrive.
These types of solutions involve installing a third-party service’s software to complement the cloud-based service. But another option is to use a cloud-based storage system that includes encryption key management on your computer as part of its service.
A file-storage system from Northbrook, Ill.-based SpiderOak Inc. provides an application that enables you to set your password on your computer rather than on the web. Once your files are encrypted and uploaded, SpiderOak’s staff can’t see the contents (or even the names) of your files and folders.
However, this type of security also means that you won’t be able to recover your files if you lose your password.
So, by all means encrypt the information that you’re storing in the cloud, but ensure that your internal password-protection procedures are sound.
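The encrypt-before-upload approach described above, sketched as an added example (not code from the article or from any of the products it names): a key is derived from a passphrase that never leaves your computer, the file is sealed with AES-256-GCM, and only the resulting blob goes to the provider. The function names, the blob layout and the scrypt cost settings are assumptions made for this illustration.

```javascript
// Added example: client-side encryption before upload, using only Node.js built-in crypto.
const crypto = require('node:crypto');

// scrypt cost parameters (assumed values for this sketch; raise N as hardware allows).
const KDF = { N: 16384, r: 8, p: 1 };

// Derive a 256-bit key from the passphrase. The salt is random per file and not secret.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, KDF);
}

// Blob handed to the sync folder: salt (16) || nonce (12) || GCM tag (16) || ciphertext.
function encryptForUpload(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

// Throws if the passphrase is wrong or the blob was altered while in storage.
function decryptAfterDownload(blob, passphrase) {
  if (blob.length < 44) throw new Error('blob too short');
  const salt = blob.subarray(0, 16);
  const nonce = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
}

// True only when the blob decrypts and authenticates under this passphrase.
function canOpen(blob, passphrase) {
  try { decryptAfterDownload(blob, passphrase); return true; } catch { return false; }
}

// Constructed sample record, not real client data.
const sample = Buffer.from('Client: J. Doe (constructed sample)\nPortfolio value: 125000\n');
const stored = encryptForUpload(sample, 'correct horse battery staple');
console.log('provider sees:', stored.toString('hex').slice(0, 48) + '...');
console.log('right passphrase opens it:', canOpen(stored, 'correct horse battery staple'));
console.log('wrong passphrase opens it:', canOpen(stored, 'guess'));
```

Because nothing but the passphrase can rebuild the key, a lost passphrase leaves the stored blob unrecoverable, which is the trade-off noted above.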
Protecting your information in the cloud is workable, as long as you know what you’re doing. But cloud storage comes with its own responsibilities.
© 2013 Investment Executive. All rights reserved.