Security researcher Christopher Soghoian recently published a blog post about another security flaw by the popular consumer cloud service Dropbox. (See: How Dropbox sacrifices user privacy for cost savings). The article highlights the fact that Dropbox uses deduplication across all of its user’s data to avoid storing duplicate files in their servers. The ability for Dropbox to read user files and compare them to others, he states, introduces a security hole and contradicts with the company’s security and privacy statements.
“If the encryption is done correctly, it should not be possible to detect what files a user has stored (or even if they have stored the same file as someone else), and so deduplication will not be possible.
Dropbox is likely calculating hashes of users’ files before they are transmitted to the company’s servers. While it is not clear if the company is using a single encryption key for all of the files users’ have stored with the service, or multiple encryption keys, it doesn’t really matter (from a privacy and security standpoint), because Dropbox knows the keys. If the company didn’t have access to the encryption keys, it wouldn’t be able to detect duplicate files.
While the decision to deduplicate data has probably saved the company quite a bit of storage space and bandwidth, it has significant flaws which are particularly troubling given the statements made by the company on its security and privacy page.”
So… we don’t do that.
With all the recent posts exposing the security flaws of popular consumer cloud services, it is important to point out that security is inherently not in those products’ DNA. A free consumer storage service will place convenience and cost savings over security and privacy concerns.
This is where we take pride for baking security measures into all aspects of Oxygen. As a solution for businesses and enterprise, we want to make it clear to our users that we DO NOT deduplicate your data against everyone elses’ data under the sun. We will only use deduplication when our customers specifically requested it. We will implement it within the specific account only. We will never deduplicate your company’s data with everyone’s data that is stored on our platform. Data will always be segregated by accounts – so your private information won’t be mixed with others, therefore reducing the chance for potential collision and data lost.
Oxygen also automatically encrypts all your data in transit, in the cloud and even locally on all your devices. The details of how we authenticate user access is outlined in further details in my previous blog post.
Oxygen generates a unique encryption key for each file, and we take the extra step to separate where the content is stored away from where the encryption keys are in the cloud. So in the exception that if a server is actually compromised, the data would all be encrypted and unintelligible without the keys.
SAS 70 Certification
In addition, we have policies in the company that restricts employee access to our user’s data. Oxygen Cloud is SAS 70 certified, we have been audited and verified by a 3rd party to ensure compliance with all established guidelines.
Security is not just a statement to claim. Sometimes between all the marketing fluff, it is hard to differentiate who is or who isn’t without in depth understanding of the technologies. However, remember this – when security is not the end goal for some consumer services, it will always be an afterthought in their development efforts. The lack of security will be reflected in the product features, leaving your private data exposed and unprotected.
But for Oxygen, security is in our DNA. The security of you and your company’s data will always be our priority.
Tweet me – @JuliaMak