February 28, 2012
I’ve had it.
Today, I went to search for some cloud-enabled task management software. My needs were simple: It had to be able to run on OS X, and it had to be able to sync with iDevices that weren’t on the same network as the Mac. There are lots of tools out there that can do this.
Then I read the fine print.
Either they sync via Bonjour – and therefore only work if you’re in the room with your Mac – or they use a cloud provider to host the data being synced. Sounds reasonable, right?
Only one tool I found allowed for non-Bonjour sync and protected my data from being stolen at the Cloud.
Here’s what happens. When you’re doing a non-Bonjour sync, you need to send the data from your desktop to a cloud provider (typically the vendor’s own servers somewhere out on the Internet). That’s all good, and all of the vendors I looked at used https (SSL) connections to get the data to and from the servers. The problem was that the server data was not encrypted.
That’s right, vendors are making a HUGE deal of encrypting the data in-flight, but then storing the data in plain-text on their servers. Granted, they have good physical and at least good-looking digital security, but that didn’t stop anyone in the past from stealing data like credit card info from similarly shielded servers. Data thieves find a way around physical and digital security easily, and a good, encrypted data format is often the only thing that stands between a vendor and a total PR nightmare.
Before I get flamed to death in the comments section, I also realize that encryption can be broken if the thieves are dedicated enough to getting the job done. But that’s no excuse to not even TRY to keep them from reading the data if they get in.
When I went to find a syncing note-taking application, I found the same thing. The leading vendors store the note data in plain-text on their servers, easily accessible to anyone who gets past their firewall. The claim is that they cannot encrypt or else searching wouldn’t be as in-depth as it is now – but again, not offering it at all isn’t acceptable. I – and many other users – don’t use the web interfaces for these things except in dire emergencies. The whole point is that these solutions sync with desktops and smartphones, which can index locally. So web-site-based searching isn’t the biggest thing we’re looking for anyway. We’d gladly exchange a limited amount of lost functionality that we barely use, for better security overall.
Platform as a Service vendors need to wise up and start storing data in an encrypted format. I realize this means that some things like universal server-side search might suffer, but that’s better than having a data thief get their hands on everything as soon as they make it past the security by guessing some server tech’s woefully easy password.
These vendors are sitting on a time-bomb. Sooner or later some high-profile target will use their service. Thieves and hackers will go after that unencrypted data and take everyone else’s they get their hands on in the process.
So, take a few minutes and check that your PaaS vendor is keeping your data safe in the cloud. You might just be surprised to learn that their idea of “data protection” is encryption of the transmission method, but they’ve left the lock off the data sitting on their servers. Telling me that you’ve mined the road doesn’t help me when the thieves find a way through or around it, and proceed to steal all the valuables inside because the front door is made of tissue paper.
By the way, the tools I found were:
Note taking with Notational Velocity on the Mac and Notesy on the iDevices (with thanks to @BMKatz on Twitter) fits my needs. These tools sync via DropBox. While not incredibly well known for data security, DropBox does at least attempt to keep data safe on their servers. If they manage not to have any more “oops, we forgot to turn on password validation for a few hours” moments, they’re going to be doing just fine.
For task management, I use ToDo with DropBox syncing. It is available on multiple platforms and does a great job of showing what tasks I need to do now, and later.
Both sets of tools store local copies of the data too, so if I’m not connected to the net for some reason, I can still work. I can also search quite quickly and easily because they index the data locally too.
Stay safe out there.