
Which Personal Cloud Storage Provider Offers The Best Security?

Srinivasan

Many security analysts have come down hard on new cloud storage service Mega's claims of foolproof security, saying that there are obvious loopholes in its security protocol. Meanwhile, there are other successful cloud drives available such as Google Drive and Microsoft's SkyDrive. However, do they have better security than Mega? We compare their security features to find out...


Google Drive

When using Google Drive, you will always notice that the address prefix is "https", not the common "http". This is because the website uses Secure Sockets Layer (SSL), which means that all data traffic between your browser and the Google servers is encrypted! On top of that, the website needs to show a valid "certificate" to the browser, which is signed by a trusted authority such as VeriSign. Certificates have an expiry date, and if the certificate is not trusted, browsers will usually raise a warning to the user. This makes "man-in-the-middle" attacks, in which hackers pose as the legitimate server and intercept data packets travelling between the user and the genuine server, extremely difficult. However, the disturbing thing is that your data is stored unencrypted on Google's servers, which means that only the physical safety of the servers protects your data at their end. While Google claims that this is done so that users can preview their files, one of the key reasons could also be that Google needs to analyze your files in order to serve up targeted advertising, which is their main form of revenue. Additionally, Drive also offers two-step authentication, where a user has to enter a code delivered by SMS to their mobile before logging in successfully. A critical statement in Google's policy includes "When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works ..". This means that Google can effectively use your work and publish it in a different way, which is undesirable.

Dropbox

Dropbox is also one of the most popular cloud storage services around, and it explains its security features on its website. Dropbox also uses SSL to transfer data securely, and AES-256 encryption to encrypt user files. Unlike with Google Drive, this means that data stored on Amazon S3 servers already has a level of protection even if the servers are breached. Additionally, Amazon S3 storage has extremely robust security protocols, offering SSL encryption throughout all transmissions internally and externally, and storing data redundantly in multiple locations to prevent outages from causing disruption of service. Dropbox also offers two-step authentication, and allows for SMS-based confirmations as well as authentication via mobile apps. Google offers verification through text and voice, and also offers a mobile app to retrieve codes.

Microsoft SkyDrive

SkyDrive also uses SSL (which utilizes both asymmetric and symmetric encryption) to transmit data securely from the user to Microsoft's data center. However, like Drive and unlike Dropbox, SkyDrive also does not encrypt files at rest. Once again, an advantage is that files can be previewed because they are unencrypted on Microsoft servers. SkyDrive has two-step authentication, but it is done by verification through an alternate email address. However, Microsoft does not provide any proper documentation on the security protocols used to protect data in their data centers. Additionally, their privacy policy says "You understand that Microsoft may need, and you hereby grant Microsoft the right, to use, modify, adapt, reproduce, distribute, and display content posted on the service solely to the extent necessary to provide the service.". There is a subtle difference compared to Google's policy, because Microsoft assures that any information will only be used to improve the quality of the service, but Google's policy allows manipulation of content for their own purposes.

MEGA

Kim Dotcom's new venture claims it is the "most secure" cloud provider! For one, it encrypts all data on the client side with AES-128 before the data is transmitted to Mega servers. Then, since Mega uses SSL as well, an additional layer of encryption is applied during transmission of data. The data is stored encrypted on the company's servers, along with the "master" key, which is in turn encrypted with a hash of the user's password. This means that even if the data were seized illegally, the hacker would have to mount a brute-force attack on your password before even determining the key needed to decrypt the data. Think of this like a physical key being stored in a different locker that can only be unlocked by you. RSA-2048 is asymmetric encryption used to share secret messages and files between users, and this is theoretically impossible to break through computation. Although they do not disclose the locations of their servers, they do keep redundant copies of data for physical security reasons. Also, they will not be able to use your data for advertising/publicity purposes because it is all encrypted!


Box

Another popular cloud storage provider, Box provides 5GB of free data storage with collaborative tools for teams to share documents and track comments and edits made. Box uses high-grade SSL for encryption during transfers, and encrypts data at rest with 256-bit AES. While encryption keys are stored on Box servers, they are stored in disparate locations and rotated often. Moreover, Box uses data centers that are issued with "SSAE 16 Type II", which certifies a high level of physical security used to guard data centers. A critical feature of Box that other providers don't have is the availability of audit trails for admins. This allows admins of shared folders to generate reports that track the user name, IP and email for all the changes made. According to Box's privacy policy, "We will not give, sell, rent, share, or trade any of your personal information or any data that you store using our services to any third party except as outlined in this Policy or with your consent." The only exception they make is in the case of legal requirements or personal emergencies concerning personal safety of users.

In conclusion

When users upload the same file multiple times, or share a file with their peers over cloud storage, some providers make multiple copies of a file, while others just make pointers to existing files instead of uploading an entire file again. This is known as deduplication.

If a provider supports deduplication, this means they must be able to compare the unencrypted data uploaded. However, this compromises the security of the user's data. The table below does a succinct comparison of all the security features with these cloud providers. While Mega seems to be the most secure public cloud provider at the moment, it always pays off for the user to take the additional precaution of encrypting their data on their local system before uploading it online in any form. This makes the data almost impossible to crack by any third party, because the encryption key will only be known to you, and providers will not be able to tamper with your data in any way!
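The deduplication trade-off described above, as an added example that is not part of the original article: a hypothetical provider (`DedupStore`) deduplicates by the SHA-256 of whatever bytes it receives, so two users uploading the same plaintext share one readable blob, while locally encrypted uploads neither deduplicate nor reveal the file. The cipher is a standard-library stand-in chosen so the example runs offline; all names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption, not any provider's scheme): XOR with an
    HMAC-SHA256 counter keystream, no integrity tag. Use a vetted AEAD such as AES-GCM."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_locally(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh per upload, stored in front of the ciphertext
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt_locally(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


class DedupStore:
    """Hypothetical provider that keeps one blob per distinct SHA-256 digest."""

    def __init__(self):
        self.blobs = {}     # digest -> stored bytes
        self.pointers = {}  # (user, filename) -> digest

    def upload(self, user: str, name: str, data: bytes) -> None:
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)  # a repeat upload only adds a pointer
        self.pointers[(user, name)] = digest


def demo():
    document = b"Quarterly report, constructed sample content\n" * 4
    plain, sealed = DedupStore(), DedupStore()
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    for user, key in keys.items():
        plain.upload(user, "report.txt", document)  # provider sees the file
        sealed.upload(user, "report.txt", encrypt_locally(key, document))
    readable = document in plain.blobs.values()
    alice_blob = sealed.blobs[sealed.pointers[("alice", "report.txt")]]
    recovered = decrypt_locally(keys["alice"], alice_blob) == document
    # (blobs kept for plaintext uploads, blobs kept for encrypted uploads, ...)
    return len(plain.blobs), len(sealed.blobs), readable, recovered
```

`demo()` shows the provider keeping a single readable copy for the plaintext uploads and two unrelated blobs for the encrypted ones, which only the key holder can turn back into the document.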
