In today’s interconnected world, we at Keyqo Security see a lot of benefit of third-party cloud-based storage. Easy accessibility, convenience, data integrity – why would you want to take care of that yourself, especially as a smaller practice?
And who do you think of when you think “cloud storage”? Google Drive? Dropbox? Something else? All the classics, right? Unfortunately, they all fail in security and privacy. Google got caught reading your private emails. Dropbox had 68 million user account credentials stolen in 2016, giving hackers access to the private data in those accounts. This is why it’s important for every digital IT company (no matter how they are involved in IT) should require penetration testing services on a short schedule to always make sure their security cannot be compromised.
I don’t know about you, but that doesn’t sound like security to me! I want to work with a company that will protect my data and won’t read it “just because”. I’m not going to pretend that my account could never be hacked, but I want a service that will protect my data even if attackers steal my credentials from the company. Thankfully, in our investigations, we’ve discovered we have a few options. In this guide to the best secure cloud storage providers for physicians (in 2019), we’ll summarize our findings and provide you with a few expert-vetted top picks.
Note: Keyqo Security has no professional relationship with any listed cloud storage provider. We do use Gsuite for emails, but not any storage capabilities. Keyqo Security staff may use some of these providers for personal data only.
When we examined our playing field, we settled on several criteria we considered critical to quality security. We preferred options that:
- Are based in locales with laws that respect privacy. That means we avoid companies that store data in countries that we know will regularly try to snoop in your data. That means we prefer companies with storage facilities in Switzerland, Ireland, Iceland, and others, and we avoid companies based in the US, the UK, New Zealand, and China. We understand that real-world requirements may make this impossible to have, but we view it positively regardless.
- Have some form of zero-knowledge encryption. In a very short nutshell, this means that only you will know what data you’re storing in the cloud. Encryption takes place on your local computer, and only encrypted data gets sent over the Internet. Even if the cloud storage provider somehow “goes rogue” and starts snooping through your data, they can’t tell anything about the data you store besides the fact that you store it.
- Haven’t been significantly compromised in any manner.
- Include some form of access on multiple platforms, like Android, iOS, Windows, Mac, and Linux.
The Best Secure Cloud Storage Providers for Physicians in 2019
Tresorit is a provider of secure storage solutions for personal and enterprise users. With headquarters in Switzerland and an R&D center in Hungary, we know that Tresorit must comply with some of the strictest privacy laws in the world. Tresorit states that they store user data in Ireland and the Netherlands, also under strict privacy regulations. Tresorit offers certified HIPAA, GDPR, and ISO27001 compliance, great for our use cases.
Security benefits include full end-to-end AES256 asymmetric encryption, which I consider industry standard. Keys get shared via RSA-4096 with OAEP padding, phenomenal. Tresorit also guarantees the integrity of each file via the HMAC-SHA512 cipher, which has no known weaknesses.
In terms of usability, Tresorit uses what it calls “tresors” (German for “vaults”). Each of these get protected with unique encryption keys for added security. More importantly, these security measures don’t impact the user experience in any way. Each tresor works exactly like a shared network drive. No buttons to push, no extra steps to follow – just click-and-drag your files over to your tresor, and the software handles the rest. If you can use a shared drive, you can use Tresorit. However, due to the encryption happening behind the scenes, you can expect minor delays (1-5 seconds in my experience) in uploading files.
For practices with less than 10 users, you’ll pay $20 per user per month. For smaller businesses (10-100 users), you’ll pay $12 per user per month. For large enterprises, the costs increase to $24 per user per month.
I use it myself (with some custom security measures) because they really did a great job improving the user experience without sacrificing their core security principles. I can’t give a higher recommendation than that!
For more information, please see https://tresorit.com/ .
Like Tresorit, SpiderOak is a provider of secure storage solutions for personal and enterprise users. SpiderOak has offices in both Chicago and Kansas City. SpiderOak has similar security features to Tresorit and works much in the same way, so I won’t bother re-hashing the benefits. SpiderOak only uses HMAC-SHA256, which cryptographers consider weaker than Tresorit’s protection, but not by much. SpiderOak runs $14 monthly for 2 TB of storage, on par with Tresorit. Larger enterprises with 500+ users must contact Sales for pricing, so they don’t have the same committment to openness as Tresorit.
I also do have some concerns about SpiderOak’s location. Last year, SpiderOak’s “warrant canary” disappeared from the site. This hints that SpiderOak may have to comply with a US National Security Letter or other legal order. While warrant canaries are outside the scope of this article, Bruce Schneier’s post gives some reasons why we may not want to use SpiderOak going forward.
For more information, please see https://spideroak.com/ .
Google Drive (Yes, Really)
Yes, despite all the above, we do recommend Google Drive. However, we do not recommend using Google Drive as-is. We can protect our data with a couple of workarounds and mitigate most of the issues we have with Google.
Essentially, our primary workaround is to encrypt the data locally, and only upload encrypted data to the actual cloud. Many programs offer this service, including the free and open-source apps Veracrypt and Cryptomator.
By using those kinds of tools on our data, we can verify the security works before letting a potentially-compromised company know the data even exists. So if you carefully chose a local encryption program, you can use it to protect your data. Then you can upload that data to Google Drive like normal. No matter how hard Google tries, they can’t read your data without your decryption password. That’ll avoid most of our security and privacy concerns without sacrificing the ease-of-use and convenience of a well-known service provider.
Most free cloud storage providers don’t exactly prioritize your security and privacy. Even if you have to pay for it, your practice should definitely consider migrating to a secure cloud storage provider like Tresorit or SpiderOak. I’d recommend Tresorit over SpiderOak in all instances, except if you have to store data in the US.
If you can’t or won’t switch providers, you can still protect yourself by taking security into your own hands. Encrypt your files yourself, then upload them. Just because a cloud provider offers its services for free doesn’t mean you need to sacrifice your practice’s security and privacy to them. And honestly, being aware of that fact is half the battle!
Want to migrate your data to Tresorit or another secure storage provider? Want to evaluate the security of data you already have in the cloud? We offer consulting, architecture, and implementation services for all secure storage concerns, so get in touch!