Skip to main content
passtsuku.com

Cloud Storage - Storing Data Online Securely

About 2 min read

Cloud storage is a general term for services that allow data to be stored, managed, and shared over the internet. Without preparing their own hard disks or NAS, users can leverage the storage infrastructure of data centers operated by service providers. Thanks to its convenience, it has rapidly spread for both personal and corporate use, but because of its essential characteristic that the data does not reside in your own hands, using it without properly understanding encryption and access management carries the risk of leading to serious data leaks.

Historical Background - From "Owning" to "Using" Storage

The history of cloud storage begins in 2006 when Amazon released S3 (Simple Storage Service). At the time it was API-based object storage for developers, but the model of "unlimited capacity, pay-as-you-go" overturned the conventional wisdom of storage procurement. The following year, in 2007, Dropbox appeared, and through the intuitive operation of folder syncing, cloud storage spread to general users as well. In 2012 Google Drive was released, and in 2014 iCloud Drive, advancing cloud integration at the OS level. For enterprises, Box and OneDrive for Business were adopted as replacements for file servers, and in the 2020s, alongside the rapid expansion of remote work, cloud storage has become the core of business infrastructure.

How Encryption Works - Server-Side vs Client-Side

Server-Side Encryption (SSE)
  • Data is encrypted after it arrives at the server
  • Key management is handled by the service provider
  • Highly convenient (operates transparently)
  • Vulnerable to insider misconduct on the provider side
Client-Side Encryption (CSE)
  • Encrypted on the user side before uploading
  • Only the user holds the key
  • Not even the provider can view the contents
  • Data cannot be recovered if the key is lost

Many major services (Google Drive, OneDrive, iCloud) apply server-side encryption by default. While this is effective against disk theft as encryption at rest, you need to understand that the data may be disclosed to the service provider itself or in response to requests from law enforcement. When higher confidentiality is required, you should adopt client-side encryption or consider the zero-knowledge encryption services discussed below.

The Risks of Shared Links

Cloud storage's sharing feature, where "anyone who knows the link can access it," harbors serious risks behind its convenience. The URL of a shared link is made up of a random string, but cases where links pasted into chats or emails are forwarded to unintended recipients are endless. Furthermore, for some services, URL patterns are guessable, or misconfigurations that get them indexed by search engines have been reported. There are actual cases where confidential corporate documents were discovered via Google search. From the perspective of access control, it is essential to set an expiration date and a password on shared links and to promptly invalidate them once they are no longer needed.

The Rise of Zero-Knowledge Encryption

Zero-Knowledge Encryption refers to a design in which the service provider cannot know any of the contents of the user's data. Services such as Tresorit, Proton Drive, and Cryptomator adopt this approach; the encryption key is derived from the user's password, and only encrypted data is stored on the server. Even if the provider's servers are seized or it receives a legal request, it cannot disclose the contents of the data. However, since the data is permanently lost if you forget your password, we recommend studying the basics of key management with resources such as cloud encryption guides on Amazon beforehand.

Cloud Storage ≠ Backup

One of the most common misconceptions is the belief that "backup is unnecessary because I store everything in cloud storage." The sync feature of cloud storage also deletes files on the cloud side when you delete them locally. If you are infected by ransomware and your local files are encrypted, those encrypted files get synced to the cloud as well. In some cases you can restore them with the version history feature, but there are limits on the retention period and number of versions. For reliable data protection, it is important to take an independent backup separate from cloud storage and to practice the 3-2-1 rule (three copies, two types of media, one off-site). For details, please also refer to the beginner's guide to backup.

Data Location and Legal Jurisdiction

Something often overlooked when using cloud storage is the issue of where data is physically stored and which legal jurisdiction applies. Data stored on a U.S. service may be accessible to the U.S. government without a warrant under the CLOUD Act (2018). When storing data within the EU that is subject to GDPR on a U.S. service, you need to carefully examine the legality of the data transfer. Organizations that handle highly confidential data are required to choose services that allow them to specify the storage region and to adopt a strategy of keeping data within their own legal jurisdiction.

For more details on cloud storage security settings, please see Security Measures for Cloud Storage and the Ransomware Protection Guide. By combining this with encryption in transit, you can protect the entire data lifecycle.

Related Articles

Related Terms

Was this article helpful?

Back to Glossary
XHatena