Monday, 25 June 2012

Personal cloud storage services

I signed up for Apple's Mobile Me service a while ago as it offered convenient syncing between Macs and other devices.  As part of the package, I also got some online storage which I used as backup for archival material - stuff that didn't change. I hoped that I'd never need it. Now, mobile me is shutting down and I have to decide what to do.

My requirements are pretty simple - I need 7-8GB of storage that I will write once and hopefully never read. I don't want to share files, access them from my phone, etc. I don't mind paying so long as the cost is commensurate with the usage i.e. I don't want to pay for 50GB when I only need 8.

If you are a Mac user, then icloud offers some online storage - but I don't use Lion on my principal Mac laptop - I have not been impressed by Lion and see no real benefits to upgrading. It is possible to upload files from a browser without Lion but it's a pain. So - that's out.

I already use Dropbox as my normal working storage system and, as an early adopter, I've recommended a few people so I have an 8GB free quota, of which I use just over 50%. However, Dropbox don't have a pay per usage model and I really don't want to pay $99/year for a lot more online store than I really need. One option might be to put some stuff into my Dropbox and other stuff elsewhere if I can't get the free storage that I need.

Google launched their Google Drive a few months ago, as a Dropbox competitor. I accept that Google have to make money and if you want free services, then you have to give up something. I'm happy to host this blog on Google and if they scrape it and target advertising to me so be it. But there's nothing of value on this blog or on my Google-hosted website but my files do have something of value (the text of a number of published books) and I am reluctant to hand these over to Google. There is a key sentence in their terms of conditions that make them different to over providers:

The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.

By contrast, Dropbox says:

You give us the permissions we need to do those things solely to provide the Services.

So, if Google decide to develop publishing services (by no means impossible) then in principle at least, they could use my books as examples of these services. OK - I am maybe being paranoid here but I really don't trust Google. On the other hand, Dropbox are less likely to expand into different areas so I'm more willing to take the risk with them.

There are several alternative storage providers - Microsoft who offer 7GB free with their skydrive system, Sugar Sync who offer 5 free GB and Box, who also offer 5GB.  Skydrive was the most appealing as it would allow me to keep more or less everything I needed to archive in one place.  However, my experiment with Skydrive lasted only a few minutes however. It shared the usual Microsoft idiocy about restrictions in file names - it didn't like names like C3-examples(C++). I had no intention of trying to find all the files it wouldn't like and change the names so abandoned Skydrive.

Sugar Sync was my next attempt. It is obviously trying to attract users and compete with the market leader Dropbox so they offer quite a lot of free storage for referrals and for sharing links. I referred my wife and shared a few links with her and my daughters so managed to get the free allowance up to more or less what I needed for my archive. No nonsense with file names this time and the nice thing about Sugar Sync was that it didn't require me to move the files to a separate directory.

Because it doesn't use a dedicated syncing directory, unlike Dropbox or Skydrive, SugarSync is wee bit more complicated setting up the syncing across computers - but I didn't find it too bad.

Upload is not fast - in fact, it is very slow over a home ASDL connection.It will take a while for me to upload 5GB but once it is there, the slowness won't matter.

I am a bit paranoid about the free services going out of business and the possible loss of files. Therefore, I would NEVER rely on any of these to maintain the main copy of a file. So, I reckoned that I should have a backup for SugarSync. offers 5GB free to personal users, although it is primarily aimed at businesses. Facilities for personal users are minimal - no syncing so I don't see it as a Dropbox alternative. But this is what I wanted really as I had no idea how syncing the same folders across two different services would work may be geared to businesses but I really can't recommend it. Like skydrive, my experiment with it only lasted a few minutes. I couldn't select a folder to upload - it would only upload files. It had a thing called 'Bulk upload' but this wouldn't work on my browser - possible because my default is to disable Java. I couldn't be bothered wasting time trying to get it to work.

Dropbox is the market leader - for good reason - I reckon it's the best for personal cloud storage. Sugar Sync seems to be OK but the others are certainly not for me. I will try Google Drive sometime but probably just to maintain things that are linked from my website.

Update: September 2012

I used SugarSync for a while and it was OK - but the client is very processor hungry on a Mac - it shortened battery life significantly and my laptop ran very hot. So, I stopped using it.

Thursday, 26 January 2012

Cloud security: A risk driven perspective

One of the reasons that organisations give for not moving their IT to the cloud is concerns about computer security. As a consequence, the area of cloud security is a ‘hot topic’ – an appropriate classification as the debate sheds more heat than light on the issue of security and cloud based systems.

A fundamental principle of security is that you should always approach it from a risk-driven perspective. It is impossible to achieve complete security so you assess the most likely or the most consequential risks and protect against these. You may insure against some of the other risks or you may simply accept them because they are unlikely to arise.

It seems to me that this has been forgotten in the discussions on cloud security.  There are extensive discussions on ‘security risks of moving to the cloud’ but these take place in isolation, without considering the security risks of ‘not  moving to the cloud’.

A simple example will illustrate this. A possible security risk, which is unique to the cloud, is that hypervisor vulnerabilities allows data to leak from one virtual machine to another. This is certainly a theoretical risk and I believe that it may have been demonstrated as a possibility. But I could not find a single example of this arising in practice, with ensuing loss to cloud users.

Contrast this with the figure in the SANSsurvey of top cyber-security risks which found that the most common vulnerability was unpatched client-side software.  If you move to a SaaS environment, you can dramatically reduce the effort required for management and it is much more likely that the services offered are updated in a timely way when vulnerabilities are discovered.

If we take a risk driven perspective, we should not worry about theoretical risks but about the real everyday risks that affect operation. The CSI computer crime survey suggests that more than 40% of losses are a consequence of insider attacks. Moving to the cloud will, at worst, be neutral here. It could improve security as the centralized operation means that there are likely to be fewer local vulnerabilities that can be exploited by insiders.

The other major common risk is the risk of vulnerabilities through the carelessness of users. These may be weak passwords, systems left logged on, sharing of authentication, and so on.  Moving to the cloud won’t solve this problem but again there is a possibility of more control improving the situation.

Two other areas are presented as cloud security risks but are no such thing:
  1. Third-party access to data. This is a general outsourcing risk rather than something that is specific to the cloud. If you outsource your payroll processing, you are taking exactly the same risk.  Before you outsource anything, you should go through a due diligence process to convince yourself that the service provider can be trusted. Cloud services are no different here and the old adage that ‘you get what you pay for’ is as true for clouds as for every other area.
  2.  Compliance risks where specific types of data have to be subject to particular jurisdictions.  For sure this is a serious issue and, for sure, it may make the choice of cloud provider difficult. The possible hassle may mean that it’s simply easier no manage the data in-house. But this is NOT a security risk (security is about confidentiality, integrity and availability), nor is it specific to the cloud. Again, it is an outsourcing risk that has to be considered – and which will become less of an issue as cloud providers are able to guarantee where your data will be located.
In summary then, we need a common sense approach to cloud security. The reality is that if you believe that your current system is secure, you are probably deluding yourself. Moving to the cloud may not bring any extra security issues of any significance but may improve the security of your information.