2015 Data Storage: Defining Security

Cloud storage gets cheaper by the day, but in terms of security, you get what you pay for.

May 1, 2015

Before you check out our list of cloud storage providers and what you get for your money, you need to take a close look at the technology and figure out if it’s right for your business.

Is the Cloud Safe?

Are your documents as secure in the cloud as they are in a locked, fireproof safe? Matt Cohen, chief technologist at real estate consulting firm Clareity Consulting, says that while the technology is no longer in its infancy, he still considers cloud storage to be in its early childhood — especially in terms of intrusion detection and prevention systems.

“Firewalling in the cloud is extremely primitive,” he says. “The cloud is the way of things, but it is a bit of a security compromise at this point.”

He notes that many companies, both inside and outside the real estate industry, use the cloud for some purposes but not others. Cloud CMA — a popular real estate software that allows agents to create comparative market analyses, property tours, and marketing materials by connecting remotely with MLSs through the cloud — doesn’t use the cloud for everything.

“When you go to purchase Cloud CMA, it’s not done in the cloud,” he says. “They use the cloud for the stuff that doesn’t need the same kind of security.”

Cohen advises each person to evaluate how comfortable they are with the cloud and balance their comfort level with the convenience provided by such services. Katie Johnson, general counsel for the National Association of REALTORS®, is cautiously optimistic about the future of secure storage in the cloud and says that it can be used safely in a business context.

“I’m not scared of it,” she says. “Members are going to use it, and we use it. … It’s the way of the world, and so to discourage it entirely is not realistic.”

Understanding the Importance of Encryption

Encryption is a way to make your documents and data indecipherable to outsiders. It’s required by many state privacy laws when transmitting and storing personally identifiable information (names, e-mails, social security numbers, bank accounts, and more). Encryption can take many forms, but basically, it is the practice of transforming data in a way that its meaning cannot be understood without the use of a confidential process or key to decode it.

There are several different kinds of keys, sometimes known as ciphers, that computer programs use to encrypt data. Right now, Advanced Encryption Standard 256 is a high standard, one used by the federal government to protect top-secret files. The government and many companies also use the less complex AES 192 and AES 128 to encrypt data. For the transport of secure information, usually during the upload/download processes, many sites simply use Transport Layer Security or its predecessor, Secure Sockets Layer, to protect data from being compromised by outsiders while in transit.

With cloud storage, users have basically three levels of security. Some file-upload services don’t secure data at all; think of this as posting something publicly to Facebook. Most offer a secure connection during the upload process, usually using TLS, SSL, or AES encryption to obscure your file while it is being uploaded. A few services offer “client-side encryption,” where you can encrypt files locally on your device of choice before uploading them to the cloud. Client-side encryption is the best way to protect your data, and is required for the storage of personally-identifiable information by many data security laws. Keep in mind, though, that as such encryption makes it harder for thieves to compromise data, it also makes documents harder to share openly because viewers need to be able to decrypt the document before it becomes readable.

Even if you are using a cloud storage service that does not offer client-side encryption (such as Dropbox or Google Drive), you can add this on using separate encryption services. Such services are often free or very cheap, and they usually are tailored to a specific cloud technology that you may already be using (For example, BitLocker comes free with Windows; Disk Utility is part of the Mac operating system; and BoxCryptor is one of the many encryption services that works with Google Drive, Dropbox, and other cloud storage systems).

How Much Do They See?

One of the benefits to client-side encryption is that you control who has access to the data. Many of these storage companies state that they restrict access to customers’ files to the employees who need to see them (usually for customer service queries). But these promises don’t mean much. Ultimately, if you don’t encrypt your data before uploading it to the service, anyone at the company could have unfettered access to your content.

Some companies tout their “zero-knowledge” software setup, which means their employees don’t have access to your file contents or metadata (file names, folder names, and organizational tags). Often this goes hand-in-hand with a zero-knowledge password policy, which means that if you forget your password, you’re out of luck and may lose access to your data.

Free cloud storage accounts often allow users to earn more space when they refer other customers. But the free versions often don’t include the security features offered in paid versions and may also have restrictions on customer support or document sharing.

Get What You Need Through Negotiation

The first step in choosing a document storage service is researching the company. Type the company name along with the word “hacked” in Google’s search bar to try to find out if the company has had any past security problems that should give you pause. Cohen says it’s always best to look for a company with a long history.

“Assessing the security, that can be a very tricky thing,” Cohen says. “You have to be very careful about any startup.”

If you want a product that will keep your data safe, you may have to negotiate. Cohen recommends contacting data storage companies and asking about individually-tailored solutions.

“The consumer-grade products on the market don’t really assert that they are providing good security at all,” Cohen says. “I like to say you get what you contract for. If there is no contractual obligation for security, you won’t get a secure product.”

As part of his position with Clareity, Cohen works with brokers, associations, and MLSs to help them negotiate contracts with data-storage firms that give them what they need to comply with the various security laws impacting real estate. There are certain questions to ask vendors, but Cohen cautions against being too focused on one feature. 

“It’s not just about security but availability as well. If your real estate commission comes knocking, will you be prepared?” Cohen says. “If people are told, ‘You have to keep these files for seven years,’ you better have the means for doing that built into your storage system.”

Meg White

Meg White is the former managing editor of REALTOR® Magazine.