Thanks to INTECO-CERT, we have analyzed the document published by Fraunhofer Institute for Secure Information Technology regarding security in cloud storage services (link).

Basically, the document is a basic analysis of security characteristics of a sample of this kind of services (specifically, CloudMe, CrashPlan, Dropbox, Mozy, TeamDrive, Ubuntu One y Wuala). We consider it a basic analysis because it only analyze aspects related with the registration process,  information transport and encryption, sharing mechanisms, deduplication, legal considerations, and only from the client perspective (without analyzing server security).

Main conclusions of the report are that:

  1. Client encryption mechanisms improve, significantly, confidentiality levels.
  2. It is worth to consider using more than one service to reduce downtimes.
  3. To reduce vendor dependency, users could have a vendor change plan.

Regardless of these conclusions we would like to analyze the document from its methodological perspective:

  • Service specific. The evaluation has been carried on for each identified service, not for the vendor in general, but in concrete for the service
  • Security Standards. Standards used have been limited, since only SAS70, ISO27001 and EuroCloud Germany_eco e.V. (a German initiative) have been used.
  • Security requirements classification. The approach is very basic, since it only distinguishes between mandatory and optional requirements, and also at the discretion of the investigators (who may or may not been ours requirements).
  • Graduation of measures. This aspect was interesting because it is one of the closest approximations to the use of a rating we've seen, since the analysis classify security measures in: Very good - Good - With weaknesses - Bad - Very bad. That is, it uses also five levels, except that Leet system does not have any positive nor negative connotation, leet levels simply mean a greater or lesser degree of implementation of security measures, which is not neither good nor bad, or rather, can be both (good if our aversion to risk is high or inefficiency if reduced).
We thought very interesting to discuss this report because we could see that using a rating system, such as we propose from leet, can provides more information to potential users of cloud services:
  1. Considers multiple security standards (internationally recognized).
  2. Provides higher granularity due to the use of five rating levels in three security dimensions (confidentiality, integrity and availability).
  3. Gives higher flexibility to users thanks to the possibility of establish what security measures are needed for every service based on the use they plan for the service.
  4. Provides information about general issues of vendor (like stability, maturity, etc.).

You can follow us on twitter.com/leet_security

18 de junio de 2012