SSL is Not Enough Security for Online Backup

Almost all online backup service providers use security terms like SSL and encryption. They boast of "military grade security", "128-bit SSL", "256-bit encryption", "448-bit encryption" and more. Some will use terms like "double encryption", "blowfish", "triple DES", "AES", and even "twofish". Online backup service providers know that they need to convince potential customers that it is safe to back up their data over the Internet. With all of the fraud, hacking, and security problems on the Internet, even the novice computer user is concerned about security issues when considering online backup services.

Don't be fooled by all of the high-tech terminology. Just because an online backup service provider uses great technology such as Secure Sockets Layer (SSL) or Hypertext Transfer Protocol Secure (HTTPS) doesn't mean that your data will be secure when stored at their online backup facility on the Internet. SSL is an excellent technology for authenticating a website and encrypting data during transmission. When an HTTP connection is established to an online backup server and the data is secured with SSL, then wire tappers, snoopers, and Internet service providers are unable to see your data. While these technologies are effective for their intended purposes, they offer no protection against common attacks against servers, human error, and unethical behavior.

SSL encrypts data during transmission, but once the data arrives at the destination it is immediately decrypted before it is stored or processed. This is the way SSL works every time. Even though the online backup service provider may use SSL, your data is likely to be stored in unencrypted form. Your data was secure during transmission, but it is stored in a format that can be accessed by unauthorized people or hackers. There are numerous cases of hackers exploiting security holes in servers and operating systems that cause data to be exposed and stolen. In addition to the exposures relating to malicious code and trojan horses, there are also issues with the physical access and handling of hard drives. Suppose the offsite storage operator upgrades some disk drives and sells the old ones on the used equipment market. Might your data be found on a used drive bought at an auction?

The better online backup services store your data in encrypted form. If the server is compromised, then all the criminal can get is scrambled data. Your data is also protected from the issues surrounding the disposition of old equipment and unauthorized access to the equipment. If the online backup service provider upgrades equipment and doesn't properly wipe the data off of the old equipment, the data is useless to anyone who gets their hands on the old equipment. The data must be stored in encrypted form to provide any acceptable level of security for your data.

While storing the data in encrypted form offers superior protection, there is one additional level of security that is needed to properly secure offsite data. The data must be encrypted with an encryption key that is not known or available to the offsite storage provider or anyone else. This is accomplished when the data is encrypted on your local computer using a key that is never sent to the offsite backup server. The truly professional grade online backup services operate with this level of security. The software provided by the backup service encrypts your data before it is sent offsite, and it is never decrypted until you restore it back to your computer. All of the encryption and decryption takes place on your computer only, and there is no need for anyone other than you to have the encryption keys. With this level of security, even employees, technicians and engineers at the backup service can't access your data.
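The client-side model described above, sketched in Go as an added example (not code from this post or from any backup provider): data is sealed on the local machine, and the provider only ever receives the resulting blob. The function names and the choice of AES-256-GCM are assumptions; the post does not name a specific scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewLocalAEAD builds AES-256-GCM (an assumed scheme) from a 32-byte key
// that exists only on the user's machine; the provider never receives it.
func NewLocalAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForUpload runs locally and returns nonce||ciphertext||tag, the only
// bytes the provider stores. The file name is bound as associated data.
func SealForUpload(aead cipher.AEAD, name string, data []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, data, []byte(name)), nil
}

// OpenAfterRestore runs locally; a wrong key or an altered blob is rejected.
func OpenAfterRestore(aead cipher.AEAD, name string, blob []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("truncated backup blob")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	key := make([]byte, 32) // generated locally, never uploaded
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aead, _ := NewLocalAEAD(key)
	blob, _ := SealForUpload(aead, "taxes.txt", []byte("constructed sample record"))
	plain, err := OpenAfterRestore(aead, "taxes.txt", blob)
	fmt.Printf("provider holds %d opaque bytes; restored %q, err=%v\n", len(blob), plain, err)
}
```

Because decryption depends entirely on the local key, a lost key means the stored blob cannot be restored by anyone, the provider included.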

I don't want my tax records, social security number, letters, pictures and documents to be visible to a curious technician or night operator at the offsite data center. I only recommend the professional grade services that store my data using strong encryption, and I am the only person with the key. There are numerous online backup service providers to choose from. Sometimes it can be difficult to determine if the provider uses security procedures that are up to standards. Websites throw around all kinds of terminology, but details are often unavailable. Before you sign up for an online backup service, make sure you are comfortable with their security features. You may need to call the provider and pry for answers to find out how secure they really are. If they can't answer quickly, then they probably are not very secure. The really secure backup services make data security a top priority. Below is a list of six providers that meet my requirements.

Damien Stevens said...

FYI - We provide these layers of security including private key encryption. One layer is not enough.

It's good to see you bringing this to people's attention!

Anonymous said...

GeekSquad has an online data backup service. I am curious how secure it is.

Anonymous said...

I'd be wary of anything Geek Squad!

Anonymous said...

I agree, Geek Squad is probably not very trustworthy. Their technicians are lightweights. It looks like they hire people who can't get real jobs as systems or network administrators. I don't trust them with my computer or my data.

Jason said...

Mozy is cheap but they have serious problems. I searched and found more like this: Poor customer service from Mozy

Anonymous said...

Jason is right. Mozy sux! There are numerous cases of Mozy users not being able to restore their data and they get no help from customer service. Here is an interesting thread from Mozy users who found out that the private encryption key wouldn't allow them to restore their data.

Don Moore said...

Your comments are on target. It is essential that data stored in an online backup service is encrypted end to end with a unique encryption/decryption key. WebSafe does just this. Data is optionally encrypted by the user before transmission, but is automatically encrypted via 128-bit SSL during transmission and AES-256 bit while at rest. Other considerations include multi-browser/platform access and WebDAV support. WebSafe offers both plus the convenience of secure collaboration.


