Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/9/2013
05:47 PM
50%
50%

Legal Fears Put Mobile Backups In Spotlight

Users regularly put their most important mobile data in the cloud via with file-sharing and backups, but that's risky to the business

A decade ago, almost no one used online backup services to store their data in the cloud. Yet, as smartphones become ubiquitous, the need to synchronize data among multiple devices has boosted the use of cloud backups and put more personal and business data onto third-party servers.

While centralized storage and administration of data in the cloud is beneficial for users, large stores of data attract unwanted attention as well, and not just from cybercriminals and hackers. With the June revelations of the extent to which the U.S. National Security Agency (NSA) is collecting data on users, more businesses and people are concerned that their data may be accessed by a subpoena or search warrant.

In fact, legal access to such detailed data may be a greater threat than hackers, says Lee Tien, senior staff attorney with the Electronic Frontier Foundation (EFF).

"Our feeling for the major smartphone OSes -- we don't think there is a great threat from the classic bad guys," Tiensays. The companies that maintain the largest collection of online backups, Google and Apple, "tend to have pretty good security practices, but obviously, given what we know about NSA PRISM, we think we have to say that is a completely different story," he adds.

Today, almost all companies -- 94 percent -- have worries about employees mixing personal and business data on their mobile devices, according to a survey published by online-backup provider EVault in January. The problem will only get larger, with seven out of every 10 companies expecting the amount of data they manage to increase, the report states.

[Microsoft, Google, Facebook, and other tech firms have downplayed their participation in government spying programs, but U.S. and international companies should worry about access to their data in the cloud. See NSA Data Collection Worrisome For Global Firms.]

At the same time, mobile devices are also more attractive targets because of the variety of data that applications gather and store, says Troy Vennon, director of network-technology provider Juniper. While data from PCs can reveal a user's online activities, mobile-device data also exposes location, additional images, potential voice recordings, and business files that have been synched with the device.

"A lot of personal data is being gathered into applications where it probably shouldn't be, and that has the potential to end up in the cloud," Vennon says.

A minority, but still a significant number, of companies do appear to be worried about the threat of legal access to their data, according to security firms. While the NSA's access to data may not be a significant issue for U.S. companies, multinational firms have to worry about similar agencies in other countries accessing their data as well.

The extent to which governments have access to online data has caused general unease, says Raghu Kulkarni, CEO of cloud backup service IDrive. The company offers both private-key encrypted backups, where the data is encrypted at the user's device before being sent to the cloud, and the more common data protection service, where the data is secured by the service's encryption solution.

Although IDrive has seen a 25 to 30 percent increase in interest since revelations about the data-collection activities of the NSA were published in June, only about one-third of users opt to use the private-key service.

"There is a trade-off between ease of use and privacy," Kulkarni says. "If you lose the key, then the data is gone forever. So it always depends on the users' requirements."

Companies that want greater control of their data need to either use a backup service that allows private keys or back up their data locally, he says.

Yet the trend in employee-owned devices is also a problem: Most businesses cannot know how much of their data has been backed up along with an employee's data in the cloud, says Juniper's Vennon. Companies that want to protect their data on mobile devices will need to gain more control over it using a secure container and mobile device management (MDM) software that can limit where the data can go, he says.

"Without some pretty intricate mobile device management systems -- which have only been tinkered with in the past but which will be used pretty extensively from now on -- can [companies] keep that data from comingling with user data," Vennon says. "Once you containerize the data, split it into a personal profile and a work profile, then they have the ability to focus on those backups."

Government access to personal data stored in the cloud may remain a digital-rights issues, but because employees continue to use business data on their mobile devices, it's an issue that businesses will need to watch.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16192
PUBLISHED: 2020-08-05
LimeSurvey 4.3.2 allows reflected XSS because application/controllers/LSBaseController.php lacks code to validate parameters.
CVE-2020-17364
PUBLISHED: 2020-08-05
USVN (aka User-friendly SVN) before 1.0.9 allows XSS via SVN logs.
CVE-2020-4481
PUBLISHED: 2020-08-05
IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181848.
CVE-2020-5608
PUBLISHED: 2020-08-05
CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to bypass authentication and send altered c...
CVE-2020-5609
PUBLISHED: 2020-08-05
Directory traversal vulnerability in CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to cre...