CCSK Guide
1 Aug 2012

SpiderOak: High-Security Cloud Storage

SpiderOak is an attractive, secure solution for file synchronization across multiple PCs and mobile devices running different operating systems and browsers. With the advent of cloud services and the “bring-your-own-device” phenomenon, the need to access everything from anywhere has only been highlighted. SpiderOak attempts to secure sensitive data by combining security associated with internal file sharing options with the capabilities of cloud-based file-syncing products. This article takes a closer look at this cloud-syncing software.

Cloud-Syncing: Secure or Not?

More and more users are turning to so-called “cloud-syncing” software as a solution to their synchronization problems. For instance, a user with a desktop at the office, laptop, netbook, smartphone and a couple of computers at home wants to keep her files synchronized across all her devices at all times.

Cloud-syncing software allows users to designate folders on their computers or devices to function as a “sync” folder. Similar sync folders are set up on other computers or devices. When a file is added, deleted or modified in the folder, the changes happen in the folders on the other devices as soon as they connect to the internet. This is the beauty of cloud-syncing. The market for such services is highly competitive and includes providers such as Dropbox, SugarSync and Box.

The largest security flaw that experts can see is that the employees of all these different cloud-syncing companies can still access your data. According to each of their privacy policies, the operators of these synchronization services will only access your files in response to a request from law enforcement authorities, or some other similar situation. However, this possibility leaves your data more susceptible to breaches or other unauthorized access.

In environments where users may upload sensitive or private information (e.g. trade secrets, client contact details, etc.) to a third party, there are notable security and privacy issues to consider. Often, system administrators will need to demonstrate to their superiors that a data breach or accident on the part of a third party will not expose sensitive or proprietary data.

The SpiderOak Solution

SpiderOak responds to the need in the market for data security and privacy. This cloud-sync service boasts a solid privacy policy and is able to back it up with client-side encryption. In addition, SpiderOak looks good against its major competitors – SugarSync, Dropbox, and Box. It is comparable to the other options in terms of client support for major desktop and mobile platforms, storage capacity and pricing scales.

The major difference between SpiderOak and other cloud-sync options is how the company treats user data. Consider the fiasco last year when some poorly-written changes to the Dropbox Terms of Service purported to give the company rights to its users’ intellectual property! This highlighted the fact that Dropbox employees can, in fact, obtain file-level access to their data when deemed necessary.

SpiderOak makes it clear to users that the company will never know users’ passwords or encryption keys. For the security and privacy-conscious, this means that no one at the company can access users’ data for any reason. Like Dropbox, SpiderOak encrypts user data on its servers with 256-bit AES encryption; however, SpiderOak also encrypts the decryption key itself. The key can only be decrypted with the user’s password, which the company will never know.

On the other hand, this high-security service does come with disadvantages. If users ever forget their passwords, their data is pretty much unrecoverable since no one else has access to the files. However, since users are guaranteed security and privacy, this opens the market for use by professionals and organizations that must deal with sensitive or personal data. This means that things like Social Security numbers, financial data and student records can be stored securely on SpiderOak.
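The key hierarchy described in the two paragraphs above can be sketched as follows. This is an added example, not SpiderOak's code: the function names, the PBKDF2 work factor and the record layout are assumptions, and an HMAC-SHA256 stream with a MAC stands in for AES-256 so the sketch runs with only the Python standard library.

```python
import hashlib, hmac, os

ROUNDS = 200_000  # assumed PBKDF2 work factor

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a standard-library stand-in for AES-256.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_mac(key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    # Encrypt-then-MAC with separate subkeys derived from `key`.
    nonce = os.urandom(16)
    ct = _xor_stream(_mac(key, b"enc"), nonce, plaintext)
    return nonce + ct + _mac(_mac(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or tampered data")
    return _xor_stream(_mac(key, b"enc"), nonce, ct)

def password_key(password, salt):
    # The password never leaves the client; only the salt is stored remotely.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def client_upload(password, file_bytes):
    # The returned record is all the provider stores: no password, no bare key.
    salt, data_key = os.urandom(16), os.urandom(32)
    return {"salt": salt,
            "wrapped_key": seal(password_key(password, salt), data_key),
            "ciphertext": seal(data_key, file_bytes)}

def client_download(password, record):
    data_key = unseal(password_key(password, record["salt"]), record["wrapped_key"])
    return unseal(data_key, record["ciphertext"])

def change_password(old, new, record):
    # Only the small wrapped key is re-encrypted; the file ciphertext is untouched.
    data_key = unseal(password_key(old, record["salt"]), record["wrapped_key"])
    salt = os.urandom(16)
    return {**record, "salt": salt,
            "wrapped_key": seal(password_key(new, salt), data_key)}
```

Without the password there is no path from the stored record to the data key, which is why a forgotten password leaves the data unrecoverable. A real client would use a vetted AES implementation in an authenticated mode in place of the stand-in cipher.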

Two-factor authentication is also an added bonus for paying SpiderOak customers in North America. This means that users will need to provide two pieces of identification before they are allowed to access their files. This is a security measure that is commonly used by banking or other financial sites, which will normally ask for a PIN or the answer to a secret personal question, in addition to the regular login credentials. SpiderOak’s two-factor authentication requires a code sent to users through SMS as well as the user’s login credentials.

Summary

Cloud-syncing software (e.g. Dropbox, Box and SugarSync) allows users to synchronize their files across multiple computers and devices. However, a major security concern is that the employees of all these different cloud-syncing companies can still access your data, albeit for “necessary” reasons. SpiderOak is another cloud-sync service that offers users greater privacy with its “zero-knowledge privacy policy” and client-side encryption.

CCSK Exam Preparation

In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:

  • Provider selection (Domain 8)
  • Encryption practices (Domain 11)
  • Identity federation, authorization and access control (Domain 12)