8

A friend asked about putting some of his data on Microsoft's OneDrive.

I did some research, and what I learned seems very surprising.

It appears that all the user data on MS OneDrive is store completely unencrypted (it is only temporarily encrypted during transfer). The only "security" is trusting that whomever they hire to work at their datacenters, along with all of their subcontractors, are not looking at or copying any of the data (which would be trivially easy since it is unencrypted).

Is this an accurate understanding?

What's surprising is the number of people and businesses who apparently keep their data on OneDrive. I'm guessing my understanding is incorrect, or most people are ignorant of how their data is stored.

Improve this question
2
  • Looks like MS heard this concern (:-)) as I see this recent blog post: blogs.office.com/2015/01/30/…
    – BlueSky2010
    Commented Apr 8, 2016 at 13:29
  • @BlueSky2010 Thanks for the link. It's interesting that the article specifically states they (now) encrypt "OneDrive for Business". Since they specifically added "for Business" in that blog post, it's very possible that nothing is encrypted for everyone using their their more popular OneDrive service.
    – End Antisemitic Hate
    Commented Apr 8, 2016 at 19:14

2 Answers 2

Reset to default
6

It is not unusual for cloud providers to have a system in place where they can access their customer's data, because there are all sorts of useful things they can't do without looking at the data. They can't index it, they can't de-duplicate it, they can't compress it, they can't scan it for illegal content, and most important of all, they can't restore it to the user when they forget their password.

That last option is most likely enough on it's own to make encryption a bad security choice for a consumer cloud system.

Note also that there are plenty of security controls that Microsoft can implement to stop some random contractor poking through the data.

Lastly, since Microsoft wrote the client software for the service (and most likely wrote the operating system your friend is using!) then if they are malicious they've already won.

There are alternatives if your friend is still concerned. There are small, specialist cloud providers who do encrypt the data at rest and cannot see it. It is also quite possible to build your own private cloud system. However, both these approaches raise additional questions and issues of their own.

What I would recommend, and what I use myself, is to encrypt any sensitive data locally before uploading it to the cloud.

Improve this answer
2

While Dropbox and Box do encrypt "data at rest", I couldn't find anywhere where it says that OneDrive does so too--this part is surprising. However, it's not surprising that most cloud providers (e.g. Dropbox, Box, OneDrive, Copy.com) don't provide client side security. OneDrive does scan your files--in order to be able to do so, your files cannot be under client-side encryption.

As for client-side security, solutions such as Wuala or SpiderOak are available. An alternative to this is to encrypt your files manually using something like TrueCrypt. For example, a OneDrive+TrueCrypt combo could be an option.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .