September 2011

Among the many kind comments (thank you) that I received regarding my July column on Carbonite was one from (can you believe it) the CEO. Thanks, Dave.

And if there was a common thread to the comments (other than what a great column I write), it was: "Jim, I like the idea of Carbonite, but are my files safe? Can't the hackers get at them?"

Seeing as how I had heard from CEO David Friend, I asked him that very question. And the answer is: Blowfish encryption.

Carbonite encrypts your files before they leave your computer, using Blowfish, which, Dave says, is as good as it gets. "I don't know of any cases where Blowfish has been cracked." It's the strongest encryption you can use without a special export license from the government.

I'm sure you're curious how Blowfish works, right? Here's what Wikipedia says: "Blowfish has a 64-bit block size and a variable key length from 1 bit up to 448 bits. It is a 16-round Feistel cipher and uses large key-dependent S-boxes. It is similar in structure to CAST-128, which uses fixed S-boxes." Is that clear?
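To make the "16-round Feistel cipher" part of that description concrete, here is an added example (not from Wikipedia, Carbonite or the original column): a simplified Feistel network with a 64-bit block and 16 rounds. It is not Blowfish. HMAC-SHA256 stands in for Blowfish's key schedule and key-dependent S-boxes as an assumption, and the function names are made up for illustration. It shows why one routine both encrypts and decrypts when the round keys are applied in reverse order.

```python
import hashlib
import hmac

ROUNDS = 16               # Blowfish uses 16 rounds
MASK = 0xFFFFFFFF         # each half of the 64-bit block is 32 bits


def round_keys(key: bytes) -> list:
    """One 32-bit subkey per round (illustrative stand-in for a key schedule)."""
    return [
        int.from_bytes(hmac.new(key, bytes([i]), hashlib.sha256).digest()[:4], "big")
        for i in range(ROUNDS)
    ]


def round_function(half: int, key: bytes) -> int:
    """Key-dependent mixing of one half (stand-in for key-dependent S-boxes)."""
    digest = hmac.new(key, half.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def _feistel(block: bytes, key: bytes, subkeys) -> bytes:
    if len(block) != 8:
        raise ValueError("block must be exactly 8 bytes (64 bits)")
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for k in subkeys:
        # The round function never has to be inverted: it is only XORed in,
        # so applying the same round again with the same subkey cancels it.
        left, right = right, (left ^ round_function(right ^ k, key)) & MASK
    # Swapping the halves at the end makes decryption the same routine.
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key, round_keys(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key, reversed(round_keys(key)))


if __name__ == "__main__":
    secret = b"taxes.xl"                      # constructed 8-byte sample block
    scrambled = encrypt_block(secret, b"my backup key")
    print(scrambled.hex(), decrypt_block(scrambled, b"my backup key"))
```
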

In addition, once Blowfish has done its magic to the files on your computer, those encrypted files are then encrypted again for transmission using the standard https protocol. Note the "s" at the end of https, which stands for "secure." You should always look to see that the "s" is present whenever you make an online purchase. This encryption is typically used by websites when you're doing online banking or other secure transactions.

So your files are doubly encrypted — first on your computer, and then again in transmission. If someone somehow captured them as they moved through the ether, they'd never be able to read them.

But what about at the data center? Somebody has the encryption keys, right? (Otherwise, if your computer goes bonkers, and you need to download your files stored on Carbonite's servers, your computer will need the key to decode them.) Carbonite also takes great care with the keys.

First, they limit physical access to the encryption key database to only a few trusted employees. Further, they isolate it from the Internet, they encrypt the key database itself, and more. But Dave wouldn't tell me more because they don't, for obvious reasons, reveal anything about the encryption key database architecture. "Of all the things we do, it's the most like rocket science," he says.

And my readers asked me another question: "If it's possible for my computer to go bonkers, couldn't it also happen to Carbonite's servers? I might think my files were safely stored online, only to find that their computers had crashed." (And Armageddon is right around the corner, too. What do we do then?)

Of course, I asked Dave. He said, "You mean like a 747 crashing into the data center? Could happen, but not worth worrying about because if it actually did happen you would still have all your files on your computer."

Okay, that could happen. But he points out that Carbonite offers backup, not archiving. Your files are both places: on your computer and on Carbonite's servers. "Chances of a 747 crash AND your computer crashing at the same moment in time are pretty slim," he says.

It's possible that they could offer geographic redundancy, he said, but that would make their service cost a lot more.

Their servers themselves are highly redundant. So even if one of their hard drives fails, they still have 100% of your data on other drives. "We've never lost data due to a hard drive failure, and mathematically it is highly improbable that it would happen in any of our lifetimes," Dave says. I believe him.

Nervous Nellie again: Could someone hack into their system? Carbonite, like other data centers, uses an array of hacker defenses. And they actually hire ethical hackers to try to break into Carbonite, which has resulted in very strong defenses. "I doubt that our smaller competitors can afford to do this," Dave says. "We have a Chief Security Officer who makes it a point to be the best in the business."

So thank you, readers, for your questions. These are serious issues. The world is different today, and as we become more connected, we are utterly dependent on data security. And clearly Carbonite and other services are doing everything they can.

