How to Tell If Your Cloud Vendor is Bull*#$!-ing You About Security: Can They Access My Data?

March 07, 2014
Kevin Lam

Moving data to the cloud can be scary, especially if the data is sensitive or regulated in any way. I am willing to bet the number one question concerned organizations (and their auditors) wonder is this: Are they (cloud vendors) accessing our data?  

Some cloud vendors will swear up and down that they can’t or don’t access your data. Some are, some aren’t. Here are some easy ways to tell.

Dead Give Away #1: If Your Data Contents Can Be Searched, It Can Be Accessed

The search feature (if your cloud vendor has one) is a great way to check if a cloud vendor is accessing or can access your data.  The idea here is if a cloud vendor can search the contents of your data, then they can access that data.  Here’s what I did with my Google Drive account as an example:

  1. Create a test document called Test.txt and inside that document I put the keyword “ironbox123” that I knew didn’t appear in any document I had stored.
  2. Uploaded that file to Google Drive
  3. Went into Google drive via the Web and in the search box I typed “ironbox123” and Test.txt came up.

Google drive searching

If I were you: Take a look at the cloud vendors that you and see if the contents of your data is searchable. If it is, then it is possible for your data to be accessed by that cloud vendor. For non-sensitive data, this is no big deal, but for sensitive data this will be something you definitely want to know about.

Dead Give Away #2: Encrypted Doesn’t Mean They Can’t Access Your Data

It’s common practice for cloud vendors today to encrypt your data with an algorithm like Advanced Encryption Standard (AES) 128 or 256 bit keys to give you a level of assurance that your data is protected.

But, that doesn’t mean your cloud vendor can’t access your data.  The simplified reason why is because when you encrypt data a key, or sometimes set of keys, is used to protect access to that data. Anyone with access to those keys can access that encrypted data. So who’s managing the key?  Whoops … the cloud vendor.

If I were you: I would ask your cloud vendor if your data is encrypted and who has access to those keys. If the answer is them … they can probably access your data.  Now there are ways to use encryption so that cloud vendors don’t have access to your data even though they mange the keys (like we do at IronBox), but you need to ask your cloud vendors.

Dead Give Away #3: If Your Data Can Be Previewed, It Can Be Accessed

The last give-away that a cloud vendor can or is accessing your data are previews. If the contents of your data can be previewed, then it can be accessed. Here’s an easy test that I did:

  1. Uploaded a photo of my dog to one of the cloud services I use.
  2. Accessed the cloud service I used from the Web.
  3. Search for that file and found this preview waiting for me.

cloud preview

If I were you: Ask your cloud vendors if your data is indexed, thumb-nailed or scanned in any way. If they are then your data can be accessed by that cloud vendor.

An important point to make before we wrap up is this: previews are an easy way to tell if a cloud vendor can or is accessing your data, but only if they are generating previews. The absence of previews doesn’t mean that your data isn’t being accessed; however the presence of previews is evidence that your data can be accessed.

Alright, as always I hope you learned something new today about data protection and feel free to email us with any questions, or topics you want to see covered.  We would love to hear from you, so until next Friday,

–Kevin