Using Online Backup Services, Secure?
Posted by JamesB in Business News, Technology, tags: Carbonite, Data Backup, eSecureBackups, securityAs we all know Carbonite is dirt cheap and although I have issues with it nor would I recommend it there are clearly a large number of people that do. Recently however there has been a growing voice of concern with statements in Carbonite’s Terms of Service and Privacy Policy which has reached the general masses.
“Carbonite may disclose your Personal Information to third parties if we believe that such action is necessary to (1) comply with a law, regulation, or governmental or judicial warrant, rule, or order; (2) protect and defend the rights or property of Carbonite; (3) enforce the Carbonite Terms and Conditions of Use and/or this Privacy Policy. Carbonite may also provide access to your Backup Data to government authorities if Carbonite suspects or believes that the data contain child pornography or other prohibited data, or that the data or the Carbonite Products or Services are being used for illegal purposes. Carbonite will provide access to your Backup Data to your surviving spouse and/or your executor upon presentation of a death certificate and identification which Carbonite reasonably believes to be valid and sufficient, or in response to a court order, warrant, subpoena or other judicial or administrative legal process.”
The above statement that Carbonite can and will provide access to stored, encrypted, data is an obvious concern but could also violate Federal regulations on data security. For example the only way I can see how a medical office can store data to an online service is if they can show there is no possible path to that data becoming compromised. With eSecureBackups we are secure in the belief that all data is encrypted locally with a key only the local computer (keyfile) or user knows.
Your pass phrase is encrypted twice before it is stored on the server to prevent anyone but you from recovering the stored pass phrase. The system is designed so that recovering a pass phrase requires action from two people: the person that created the key and a senior level server technician. Neither person can recover the pass phrase without the cooperation of the other person. The system is also designed so that only the creator of the pass phrase can view the pass phrase once it is recovered. Data blocks are compressed, encrypted with AES-256-bit and your private pass phrase, digitally signed for integrity verification upon restore, and tagged with multiple strong checksums to provide data integrity assurance. The encrypted data is then encrypted again as it enters the Internet, until it reaches one of the secure data centers.
Per the Carbonite paragraph they are clearly saying they have the ability to bypass encryption. If data can be accessed by a third party either through legal warrant or nefarious act then the requirements of HIPAA or PCI would prevent use of such services by most businesses. With eSecureBackups the Pass Phrase is wrapped twice using only data known to the end user as one of those protections. With the use of specific questions and answers known only to the end user the Pass Phrase cannot be recovered and without the Pass Phrase the data cannot be decrypted.
Bottom line just because a service says your data is secure or encrypted it is still up to the end user to do some basic checking to see how the process is designed to work, does work and how any potential regulatory needs may apply. Also for the true security geek or totally paranoid there is nothing preventing you from encrypting your data manually by way of a third party application such as TrueCypt prior to using an online service.