The 3 – 2 – 1 Principle for keeping your data safe

Memory Stick Collection

I was cleaning out a drawer in my home office this morning and found this collection of old USB memory sticks dating back quite a few years. Remember those days when you thought you were so cool because you had this little storage drive full of all your stuff in your pocket? I recall working in a school back in those days where we actually mandated that every student had to have a “USB”, such was the apparent importance of these things. The intention was for students to keep their personal data safe and secure, but we used to constantly find them left behind in the USB ports of the classroom computers after a lesson. Or they would sometimes mysteriously just stop working. Or the kids would lose them. USBs may have been cool, portable and handy, but they were about the most insecure method for managing data I can think of.

(Side note: I’ve never quite known what to call these things. Calling them simply a “USB” seems stupid to me, because USB – or Universal Serial Bus – is a data interface standard, not a name for a device. Lots of devices might use a USB plug as the connection interface but that’s not the name of the actual device. I’ve owned microphones and printers and cameras and all kinds of things that connect using a USB interface, but we don’t call all these devices “USBs”. That would be silly. If you must use the term USB for these portable memory devices, at least call them a USB memory stick.)

Some people seem to feel like their data is perfectly safe and secure if they have it stored on one of these little memory sticks. Let me tell you, for the vast, vast majority of people, letting them manage their own data storage is a really bad idea. The only real explanation I hear for why people feel memory sticks are a secure way to store data is that they “know where their data is”. People actually say that they won’t put their data anywhere that they don’t know where it is stored. It might sound good to say that your data is safe as long as you know where your data is stored, but trust me, just knowing where your data is stored has nothing to do with it actually being secure.

As for relying on memory sticks, those things are the least secure way to store your data I can think of. They can get lost, fall out of your pocket, go through the wash, get eaten by the dog, or you leave them in the back of another computer and forget about them, or they simply just stop working for no apparent reason. If you have a few of them it is near impossible to keep track of what’s stored on them. Other than for absolute emergencies or moving a file as a last resort, USB memory sticks, or whatever you want to call them, are probably a really bad idea.

So when it comes to storing data, what IS a good idea then? For most people who never really think much about boring things like secure data storage, the answer is the cloud. Whether it’s Google Drive, Dropbox, OneDrive or some other cloud service, it will be infinitely more secure than any storage “system” you could come up with by yourself. Once your data is in the cloud it gets securely stored, safely backed up and is accessible from anywhere, on any device.

I know what you’re thinking. “Yes, but I don’t trust the cloud, I don’t know where my data is stored.” Well, you probably have a bank account but you don’t know where your money is stored either, so I’m not sure what your point is. Claiming your data is more secure on a memory stick would be like putting your money in a shoebox under your bed and claiming it is more secure than the bank. Just like money, data is secured by the processes and infrastructure that store it, not from simply knowing where it is. I’ll say it again. For the average person – yes, you – the safest place to store your data, by far, is in the cloud.

But what if the internet goes away? But what if the cloud loses it? But what if the data centre burns down? Or what if I do store it in the cloud, and that free storage they give me now becomes something I have to pay for one day? (How terrible that you might one day get asked to pay for a service you’re using!)

If you really don’t trust the cloud, then at least get a portable hard drive, so you’re not dealing with these dinky little memory stick things. In fact, while you’re at it, buy a second portable hard drive, because you’re going to need to make a backup of the backup, because what if you lose the first one?

Which brings me to my main point. Data security – or keeping your important data safe – is a big deal. The truth is most people wouldn’t really care if they lost that Word file of a resume for a job they applied for 10 years ago. But losing your entire photo collection? Or all your music? Or videos of the kids when they were little? Or letters from your deceased parents? This is the stuff that’s a big deal. This is the stuff that you don’t want to put at risk. This is the stuff that you don’t ever, ever, ever want to have just stored on a memory stick.

So how should you store it? There’s a general principle of keeping data safe. The 3-2-1 rule. Three copies of the data. Stored in at least two different mediums. One of which is in a different physical location. Let me elaborate…

Three – you need to have three copies of important data. One is clearly not enough because if you lose it or it gets destroyed, that’s it. It’s gone for good. A second copy – a backup – is important. But if the data is really critical, the I-really-cannot-lose-this kind of stuff, then a third copy gives you peace of mind.

Two – you need to store the data in at least two mediums. There would be no sense having three copies of your data if each copy was on floppy disks. I don’t know about you, but it’s been a while since I’ve seen a floppy disk reader, so having everything stored in one now-obsolete format means you can’t read any of the copies. You might think floppy disks are a silly example. Well how about this? I own a number of computers – mostly Macs and Chromebooks – and not one of them has a port that can read those USB memory sticks in my drawer. Those old memory sticks use a standard called USB-A, but all modern computers use the newer USB-C format, rendering all those old memory sticks now obsolete. Sure I could use an adapter, but the fact is those old memory sticks are yesterday’s technology. You should keep the three copies of your data in at least two different formats because you never know how technology will change and you want to make sure that you’re always using formats that will still be readable.

One – you need at least one of those copies to be stored offsite. There’s no sense having your three copies in two different formats if they are all stored in your house and the house burns down. At least one of them needs to be kept in a completely different physical location. Offsite. Your parents’ house. A friend’s place. Or in the cloud. Somewhere. Just not in the same place as the others.
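To make the three conditions concrete, here is a small audit script (an added example, not part of the original post) that checks a list of copies against 3-2-1 and, going one step further than the rule as stated, only counts copies whose contents still match. The `Copy` fields, the `audit_321` name and the sample data are all hypothetical.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str     # label for this copy (hypothetical)
    medium: str   # kind of storage, e.g. "external-hdd", "cloud"
    site: str     # physical location, e.g. "home", "cloud"
    data: bytes   # stand-in for the stored file contents

def audit_321(copies, primary_site="home"):
    """Return a list of 3-2-1 failures; an empty list means the rule is met."""
    if not copies:
        return ["no copies exist"]
    digests = {c.name: hashlib.sha256(c.data).hexdigest() for c in copies}
    # Assumption: the digest shared by the most copies is the good version.
    good = Counter(digests.values()).most_common(1)[0][0]
    valid = [c for c in copies if digests[c.name] == good]
    problems = [f"{c.name}: contents differ from the other copies"
                for c in copies if digests[c.name] != good]
    if len(valid) < 3:
        problems.append(f"only {len(valid)} matching copies, need 3")
    if len({c.medium for c in valid}) < 2:
        problems.append("matching copies share one medium, need 2")
    if all(c.site == primary_site for c in valid):
        problems.append("no matching copy is stored offsite")
    return problems

# Constructed sample data, not taken from the post.
PHOTOS = b"constructed sample: family photo archive"
DRAWER = [  # three memory sticks in one drawer, one silently damaged
    Copy("stick-a", "usb-stick", "home", PHOTOS),
    Copy("stick-b", "usb-stick", "home", PHOTOS),
    Copy("stick-c", "usb-stick", "home", PHOTOS[:-1]),
]
SPREAD = [  # laptop, external drive, cloud upload
    Copy("laptop", "internal-ssd", "home", PHOTOS),
    Copy("backup-drive", "external-hdd", "home", PHOTOS),
    Copy("cloud", "cloud", "cloud", PHOTOS),
]

if __name__ == "__main__":
    for label, copies in (("drawer", DRAWER), ("spread", SPREAD)):
        print(label, audit_321(copies) or "meets 3-2-1")
```

The drawer of memory sticks fails every condition even though it looks like three copies, because one stick no longer matches the others and all of them share a medium and a location.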

As it turns out, having your important stuff stored in the cloud addresses every one of these requirements – it’s another copy, it’s in a different format, and it’s offsite. And regardless of how well you think you can manage your own data on those portable drives, putting your data in the cloud puts it into a real data centre which stores it in real time, with real backup processes, real biometric security, real disaster management plans, and real data management processes. I don’t care how well you think you can manage your own data, you’re an amateur compared to the way the data centre looks after it.

If you’re still not convinced that the cloud is a safer alternative than that old SCSI Zip drive you can’t seem to find right now, take a look at this video tour of a Google data center.

Should you have all your data only in the cloud? Of course not! 3-2-1! Weren’t you paying attention? Go get yourself a couple of hard drives and set up Time Machine or SuperDuper with a regular scheduled backup. Then after you’ve done that, go upload everything to a reputable cloud service.

But stop relying on those stupid USB memory sticks!

Should I Trust The Cloud?

https://www.flickr.com/photos/dherholz/450303689/

I received an email recently from a colleague asking about data sovereignty, and in particular asking about how schools deal with the need to store all personal data on Australian servers to be compliant with the law. This was my reply…

When deciding whether to do a thing – any thing – you need to assess the relative risk. There is NOTHING that can have its risk mitigated to zero. So while we can have debates about the security of the cloud, the fact is that ANY service is generally only as safe as the password that protects it. It’s far simpler to socially engineer your way into a system than to hack it, and it’s easier to follow someone through an open doorway before the door shuts than to crack the lock. There are security risks involved with every system.

What makes you think that data saved on a server that happens to be geographically located on Australian soil is any safer than data on a server located on the other side of some imaginary geographical dividing line? What policies make Australian servers impervious to security issues? What is it about Australian passwords that makes them safer than non-Australian passwords?

It’s interesting that whenever I hear the security argument from someone, I ask them whether they use 2-factor authentication on their online accounts. The answer is almost invariably never. I find it hard to take someone seriously when they bleat about security and yet do nothing to secure their own stuff using the safest and simplest technology we have available: 2-factor authentication.

I also find it amusing that these same people who bang on about not trusting the cloud, also almost always have a bank account. When I ask them where their money is stored, they say “in the bank”. When I ask where is it actually stored, they have no idea. They don’t know where their money – or the digital records that define the concept of money – is actually stored. They never stop to consider that when they go to an ATM and withdraw $50, it’s not the same $50 note that they actually put into the bank. There is no magical shoebox under the bank’s bed that stores their actual money… it’s all just computer records, kept on a server, somewhere, and I guarantee that they have no idea where that somewhere is.

That’s why the debate about whether we should be allowing our data to be stored offshore is such a laughable concept. It shows a real lack of understanding about the way the Internet actually works.

The truth is, it doesn’t matter WHERE your data is stored. What matters is WHO is storing it, and whether you trust them with it. I’d rather trust my data to a major cloud provider offshore who offers privacy policies that I trust, along with strongly encrypted and sharded data storage techniques, virtual and physical security over their datacentres, and a proven track record of doing the cloud right, than to some minor player in the cloud storage space just because they happen to have servers in Australia.

I’m also not a lawyer. However, I’ve done enough research into the Australian data sovereignty laws to feel satisfied that I’m interpreting them the right way. And contrary to all the Fear, Uncertainty and Doubt being spread around regarding these laws, they do NOT say that cloud services cannot be used unless the servers are in Australia. What they say is that the cloud service USER – that’s you – needs to feel satisfied that the cloud service PROVIDER is offering a service that meets your expectations of safety, security, privacy and redundancy. If you do your due diligence, and come to the conclusion that you’re satisfied that your cloud service provider is giving you a level of service you can trust, then you are free to use it and in turn offer it to your users. If you don’t believe they are offering this level of service, then don’t use them. It’s as simple as that.

Your choice will never be able to come with a 100% guarantee. Nothing does. But if you do your research carefully and make your choices well, the chances are as good as they will ever be that you have made the right decision. The cloud offers amazing possibilities, and I’m completely convinced it IS the future of computing. I’m all in on the cloud as the platform.

To me, there is really only one obvious choice in picking a cloud provider. You want someone whose entire infrastructure is built for the cloud, whose entire business model is built on doing it right, managing data with security and integrity and maintaining the trust of their users. I’m not mentioning names because I’m sure you can make your own decisions about who you trust and how well they do this cloud thing.

What I don’t want to do is to place my data with a cloud provider who is still playing catchup, whose cloud infrastructure runs on legacy platforms that were never built for the cloud, and whose business practices in slagging their competition I find completely distasteful.

I don’t care where their servers are located.

Header image by Dave Herholz – CC BY-SA

The Cloud

He rolled his eyes and tried not to look distrustful. “I’m not sure about all this ‘cloud computing’ nonsense. It seems to me it’s just a passing fad and a huge security risk. I’d never trust my important stuff there. I’d only put my files on my own computer. I like to know where they are so I can get to them when I need them.”

His friend responded with a wry grin. “Do you have a bank account?”, he asked.

The cloud sceptic replied, “Yes, of course I do.”

“Well… what do you think that is? Do you think your pile of money is sitting in your very own little personal vault somewhere with your name on it?”, he smiled.

“No”, he continued, “your money is nothing more than a record in a computer database, a series of 0s and 1s kept on a server somewhere as a series of magnetic codes. You don’t know where your money is kept or what sort of machine it’s kept on, or who maintains it, or how often it’s backed up. You don’t know what operating system it uses or what type of database it is. You just know that when you go to the ATM, money comes out the slot. That’s all that matters. You don’t need to go to the same bank that you deposited at, and you don’t get back the exact same pieces of paper that you put into the account. All you know is that you put your stuff somewhere, and then you can access it from anywhere.”

That’s what the cloud is.