How Secure Are Your Online Backups?

How Secure Are Your Online Backups?
By Sally Keeper

When looking at online backup solutions, it is paramount to consider how secure your data is with your chosen provider.
Statements from providers that you should discard;

  • We use a really secure password to protect your data. (How do you know the password is secure and who has access to this password? It is a bit like giving your front door keys to a stranger and hoping that nothing gets stolen. )
  • We are using our own proprietary software that no third party has audited. (Without the benefit of a third party code review, it is impossible to know whether the software is actually doing what the marketing speak tells you on their site.)
  • All data is encrypted but you can access it via any web browser with a user name and password. (If I can access the data through a web browser then are we really sure my data is safe?)
  • We recommend you encrypt your data with our default key. (Some providers want you to use a generic key to store your data, well there is no real point to the encryption.)
What you should be looking for;
  • The key that encrypts the data should be in your possession and controlled by you and only you. (This means no one except you can view your data.)
  • Ideally, authentication should only be possible using Public Key Infrastructure. (Using PKI ensures that you are the only remote user who can access your data.)
  • The authenticity of the server you connect to should also be checked using PKI. (If your provider does not perform this step then you may be open to a man-in-the-middle attack.)
  • The transport layer should also be encrypted. (If the transport layer is not encrypted, your data can be read in transit.)
Ben Summers is the orginal author of Box Backup which is an open source, completely automatic on-line backup system for Linux and BSD with client side support for other operating systems. Box Backup has solved the above issues in a way that does not impact the user. Transport Layer Security is used to encrypt connections, and more importantly, to authenticate servers and clients with both server and client side certificates. Your data's security is guaranteed by the raw key that is created on your machine. Stored files are encrypted using AES for file data and Blowfish for metadata. There is a down side to this approach inasmuch you must backup the raw key. This down side is easily fixed with removable media like USB sticks or cd-rom which should be stored somewhere off site. You could even use something like GPG or Password Safe to keep your key encrypted. When assessing an online backup provider, it may be helpful to use Box Backup's approach to security as a guide to how well your chosen provider is securing your data.
There are secure free alternatives to Box Backup, such as Encrypted Backups For Paranoiacs which may also serve to guide you in your assessment of commercial backup providers.
Further warnings from the SANS Institute on why you should care about your backup security;
Sally Keeper is helping to promote http://www.remotebackupzone.com who offer a secure cost effective backup solution for Linux and BSD, based on Box Backup.