This is a follow-up post to my earlier one talking about my experience with a “zero knowledge encryption” cloud storage provider – TresorIt. My article is focussed on a strategy that balances risks with cost and convenience.
“Without convenience, we cannot be successful in driving user acceptance.” – Anon
Likewise, without security, we cannot run a successful business or health care trust or whatever. We’d better find something that ticks the key boxes or else be at risk. For me, mobile-first is a mantra I live by day to day and 90% is spent on my trusty iPhone. It’s like a digital Filofax only much lighter and more resistant to liquid damage.
I digress. My plans sadly cannot simply focus on one provider because my life is spent looking at trends and helping people learn about using their technology better. As much as I’d love to just run everything off my own mail and web server, I have to have a Google account and I’d better have Office 365 too because of my education and Enterprise customers.
“I have to find a way to have my cake and eat it.” – Anon
Here’s an idea: onions (please bear with me)
Like layers of an onion, which is a reasonably common thing to say when you describe your backup or security strategy, why not apply it to my cloud storage and collaboration problem too?
It goes from a low- to a high-value tier; data and services are deployed based on this rating in the following fashion.
Before we start, let’s set some quick definitions of what I mean by that:
Low value
Stuff that doesn’t contain sensitive information or personal details not available publicly.
Medium value
Things that are private but don’t need to comply with official regulations.
High value (incl. Ultra)
Anything that contains personal and sensitive data, and information I’d rather not share with anyone (Ultra) without strict controls. High applies to anything that needs to comply with official regulations.
Google apps (low)
I use this for my personal stuff and Analytics, etc. In fact, there’s hardly anything I can’t use it for, so it’s a versatile thing to have. From authentication to collaborative document editing and low-value file storage. I often use Virtru for Gmail, which offers a convenient way to encrypt my email.
It works nicely with a myriad of third-party services, which help to make my life easier. So using this (in its paid form) is a good idea and probably helps restrict Google’s desire to scrape metadata from my stuff as well as granting more certainties and controls.
Office 365 (low-medium)
Probably best described as the modern Enterprise Gold Standard, there’s no way around this if you have clients in pretty much any industry (bar perhaps digital marketing agencies). I use it for business and we resell it here at be braver too, together with a convenient first-line support service that teaches you how to use it effectively and sets it all up for you.
Virtru works with Office 365 email and Outlook (including web) so you can send emails securely here too.
Office 365 can include Dynamics CRM and SharePoint services, which together with OneDrive and Skype for Business make a cost-effective offering even to smaller businesses.
Again, OneDrive doesn’t do “zero knowledge” type encryption, so data stored here is lower-value. Microsoft is doing a fine job complying with US/EU/UK data protection regulation, so keeping data here is no issue. Unless you need to keep health-care related private data, in which case…
TresorIt (medium-high)
HIPAA (etc.) compliant, “zero knowledge” encryption for all the medium- to high-value data. It’s still shareable and, thanks to its digital rights management (DRM) tools, convenient to manage effectively.
I keep personal and business stuff nice and safe here.
GnuPG Encryption (high-ultra)
For data I rate as ‘ultra’ or high-value, I employ another layer on top of files stored in TresorIt, meaning that even on my local machine, you’ll need a particular set of keys to open them. Even if you broke into the secure vaults (aka Tresors), you would not be able to read them.
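A layered scheme like this only holds if files actually sit in the layer their rating allows, so here is an added sketch (not the author's tooling) that audits a synced folder tree against the tiers above and checks that high and ultra files carry an OpenPGP wrapper. The `<root>/<provider>/<tier>/` layout, the provider keys and the tier limits are assumptions made for the example.

```python
import tempfile
from pathlib import Path

TIERS = ["low", "medium", "high", "ultra"]
# Highest tier each layer may hold: an assumed reading of the post's ratings.
MAX_TIER = {"google": "low", "office365": "medium", "tresorit": "ultra"}
NEEDS_PGP = {"high", "ultra"}   # tiers that get the extra GnuPG layer
ENCRYPTED_TAGS = {1, 3, 9, 18}  # PKESK, SKESK, SED, SEIPD packet tags (RFC 4880)

def looks_openpgp_encrypted(head: bytes) -> bool:
    """Heuristic: does the file start like an encrypted OpenPGP message?"""
    if head.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----"):
        return True                      # ASCII-armoured output (gpg --armor)
    if not head or not head[0] & 0x80:
        return False                     # bit 7 is set on every packet header
    # New-format headers keep the tag in bits 5-0, old-format ones in bits 5-2.
    tag = head[0] & 0x3F if head[0] & 0x40 else (head[0] & 0x3C) >> 2
    return tag in ENCRYPTED_TAGS

def audit(root: Path) -> list[str]:
    """Check files laid out as <root>/<provider>/<tier>/... (assumed layout)."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        if len(rel.parts) < 3 or rel.parts[0] not in MAX_TIER or rel.parts[1] not in TIERS:
            continue                     # outside the layout; not rated here
        provider, tier = rel.parts[:2]
        if TIERS.index(tier) > TIERS.index(MAX_TIER[provider]):
            findings.append(f"{rel.as_posix()}: {tier} data exceeds {provider} limit")
        elif tier in NEEDS_PGP:
            with path.open("rb") as fh:
                if not looks_openpgp_encrypted(fh.read(64)):
                    findings.append(f"{rel.as_posix()}: {tier} data has no OpenPGP layer")
    return findings

def build_sample(root: Path) -> None:
    """Constructed sample tree; file contents are placeholders."""
    samples = {
        "google/low/notes.txt": b"public notes",
        "office365/high/patients.csv": b"name,dob\n",
        "tresorit/ultra/keys.txt": b"plaintext secret",
        "tresorit/ultra/tax.gpg": bytes([0x8C, 0x0D, 0x04, 0x09]),
        "tresorit/high/scan.asc": b"-----BEGIN PGP MESSAGE-----\n\nabc\n",
    }
    for name, data in samples.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print("\n".join(audit(Path(tmp))))
```

The header check only looks at the first packet, so it confirms a file is wrapped, not that it was encrypted to the right keys.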
In addition to the primary cloud storage providers (and associated services), here’s how I deal with data on my devices and backups:
Disk encryption (high)
Speaking of data at rest, most disks are encrypted to protect against unauthorised access to data if a device gets lost or stolen. I employ a similar approach here and have special volumes, protected with strong encryption, on which sensitive data is stored.
The reason for this split is simple: on Mac certain tools don’t work on encrypted volumes. Whole disk encryption is nice but I prefer to use non-vendor-specific encryption I can control and do so on volumes holding data that need it. This may be overkill and I review it regularly.
Backup encryption (high)
I store all backups in three locations: my primary devices (mobile and laptop), my remote backup server and an offline location.
Naturally, all backups are encrypted using a special key that only I know and are regularly tested to make sure I can get back to a version of a file when I need to.
Nothing is perfect and I constantly review my strategy and tactics. Amending things when required means you’ve got to be responsive (agile even) to do this with reasonable speed. If you don’t, your adversaries will.
What do you do to stay safe while using cloud technologies?
I am looking forward to hearing your comments and answering questions here or on social media. If you want a private conversation, you can find me on most secure messengers too.
I am not affiliated or associated with any of the businesses mentioned here, apart from be braver. I do not provide any guarantees nor imply a particular service is better or worse than another.
Also published on Medium.