Cloud vs. NAS: Where is my Data More Secure?
Today, we would like to conduct a thought experiment by comparing data with money. In this scenario, the bank stands for cloud storage, and the sock full of money under the pillow stands for Network Attached Storage (NAS). Our aim is to make clear that where (and how) data is stored is decisive. We answer the question: Which is better, cloud or NAS? And: Do you even need a cloud at home?
Data has by now become a universal good, just like a currency. For example, I can exchange data about my purchasing habits for a special discount in the supermarket. Or I can use a service for free only after registering, and in return it shows me personalized advertising. This only works because I can be sorted into different categories based on the data collected about me.
In smaller amounts, I can definitely carry around my money. But as soon as it becomes more, I give it to an expert who will take care of it on my behalf. The bank manages it, deals with my cash flow and makes sure that my finances are regulated in accordance with the applicable legislation.
Data can be seen in the same way. In most cases, it is also better off in the hands of experts. It is not I myself but a cloud storage provider who keeps the software and hardware up to date and makes sure they are configured correctly and safely.
A Lot of Know-How Needed
Of course, it feels good to throw a bunch of 1,000€ notes into a corner and roll around in the pile of money. However, it is not safe. It should be obvious to anyone that this money should be brought to the bank as soon as possible.
The same goes for the data that individuals create, manage, and use as a basis of their daily lives. Of course, you can save your family pictures on your private computer (or NAS, or file server) in the living room. However, in case of a burglary, fire, or hard disk error, the data will be irretrievably lost.
By the way, it does not necessarily have to be an external cause that destroys the data. Simple ignorance can have serious consequences, too. Whoever decides to set up their own network attached storage (NAS) should know exactly what he or she is doing. At the very least, he or she should check whether the network drive allows anonymous access. In our team, we still remember with horror the 190,000 open hard disks that a student was able to find and access with a simple crawler in 2015.
Security Risk at Western Digital
A further example is the network drives from the Western Digital "My Cloud" series. As recently emerged, this series has several security flaws that enable a malicious attack to be carried out remotely. The recommendation for "My Cloud" NAS devices is to immediately update the firmware to v.2.30.172 or to disconnect the storage from the internet. Bleeping Computer has reported on the issue in full.
Attention: In 2022, too, everyone who stores data on Western Digital devices has to deal with their NAS, because support for devices running the operating system My Cloud OS 3 expires. An update to My Cloud OS 5 is recommended, which requires checking whether the devices support the new operating system. A corresponding list of supported devices is available.
Security Risk at QNAP
Certain NAS devices from the manufacturer QNAP were affected by a security vulnerability in 2022. Cybercriminals could compromise the system and execute malicious code as well as their own commands. According to Bleeping Computer, QNAP has already issued an update, which its NAS users should install as soon as possible to avoid further attacks.
Attention: In December 2021, QNAP announced that attackers had managed to hijack devices from the manufacturer to perform Bitcoin mining. You can check whether your own device is affected with the help of this guide from QNAP.
The Perceived Loss of Control
The bank for data is a safely encrypted cloud. This cloud is essentially a virtual storage location that is physically managed by a highly specialized provider: teams of experts constantly deal with physical data protection, backups and availability. An individual, self-declared computer expert with a NAS cannot provide this (even if he puts all his effort into it).
Yes, it feels great to sit on a mountain of banknotes. However, if you want to go the safe way, you should let an expert manage your data, instead of hoarding it locally.
In this case, the expert would be the provider of the servers that contain the cloud data. The best-known cloud storage providers are, for example, Dropbox, Google Drive and OneDrive. These providers give their users information about data backups and security.
Thus, you can make sure that your data is protected against any kind of physical accidents and attacks.
Upload Only Encrypted Data into the Cloud
It is crucial that the data is already encrypted when it enters the cloud. In this scenario, only whoever holds the keys can access the data, and the data is unusable for outsiders. The character strings that are left after encryption do not have any informative value without the appropriate key. I tested this for you:
Screenshot of a Boxcryptor encrypted file, opened without the key.
Only with the appropriate key, or in our case with access to the appropriate Boxcryptor account and password, can you access, decrypt and use the data.
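An added example (not from the original article, and not Boxcryptor's actual file format or key management) of the principle described above: the file is encrypted on the user's own machine with AES-256-GCM under a key derived from a passphrase, so the storage provider only ever receives ciphertext. The function names, the blob layout and the sample data are assumptions made for illustration.

```javascript
// Added example: encrypt on the client before anything is uploaded.
const nodeCrypto = require("crypto");

// Derive a 256-bit key from a passphrase; the random salt travels with the blob.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Returns the only thing the storage provider ever sees (assumed layout):
// salt(16) || nonce(12) || tag(16) || ciphertext
function encryptForUpload(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12); // fresh nonce for every file
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

// Throws if the passphrase is wrong or the blob was modified while stored.
function decryptAfterDownload(blob, passphrase) {
  if (blob.length < 44) throw new Error("blob too short");
  const salt = blob.subarray(0, 16);
  const nonce = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
}

// True if the blob decrypts and authenticates, false if it is rejected.
function canOpen(blob, passphrase) {
  try { decryptAfterDownload(blob, passphrase); return true; } catch { return false; }
}

// Constructed sample data standing in for a private file.
const sample = Buffer.from("family-photo-2022.jpg: constructed sample bytes");
const uploaded = encryptForUpload(sample, "correct horse battery staple");

const tampered = Buffer.from(uploaded);
tampered[tampered.length - 1] ^= 0x01; // a single bit changed in storage

console.log("provider sees:", uploaded.toString("base64").slice(0, 40) + "...");
console.log("right key    :", canOpen(uploaded, "correct horse battery staple"));
console.log("wrong key    :", canOpen(uploaded, "guess"));
console.log("tampered blob:", canOpen(tampered, "correct horse battery staple"));
```

Because GCM is authenticated encryption, a wrong passphrase and a modified blob are both rejected outright rather than producing garbage output.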
End-to-end Encryption with Zero Knowledge Standard
Storing data at rest (the equivalent of cash kept in a safe or at home) is not the only factor that has to be considered when it comes to data security. The transfer from the computer to the cloud has to be protected as well, and it should be ensured that the bank itself cannot access the data and use it for its own purposes.
To stay with the example of money and the bank: end-to-end encryption corresponds to a protected cash transport. You put your cash into a small safe and carry this safe to the bank. The bank puts the small safe into its big safe and thus, it does not have access to the banknotes and coins.
In the case of data, end-to-end encryption refers to secure file transfer, meaning the trip of the data packages through the fibre optic cable. The data packages are separated, encrypted and sent out individually. Only at the destination is the data made readable again, provided that the recipient possesses the right key for decrypting the data.
Why "I Have Nothing to Hide" Is Not a Logical Argument
So far so good. However, some readers will surely ask: Why is it so important to encrypt family pictures, job references and location data? People mostly ask this because they consider themselves "not that interesting".
This is nonsense. Every real, existing person, including his or her personal data, is valuable. You do not have to be an opponent of a regime, a busty girl or a politician to be interesting. Your private data is valuable and could be used for fraud and identity theft, as well as by hackers who infect computers in order to run a damaged network.
Private pictures are not only interesting when they show the breasts of a celebrity. Photos of your children or nieces at the beach should not fall into the wrong hands either, in order to protect their privacy. The same applies to the novel you are currently writing, to your correspondence with opponents of the regime in countries with doubtful democratic standards, to the research results of your student groups, to your wedding guest list or to your will.
The list of examples describing the abusive use of personal data is endless. Every individual should ensure that he or she will not become an example of data abuse. Encryption is important for everyone – even for "boring" private individuals.