Most of us have been using cloud storage services for years, whether or not that’s what we call them. Dropbox. Google Drive. Microsoft Onedrive. These are just a few of the cloud storage providers that are in common use. They are flexible and versatile, not to mention inexpensive. Once you’ve got one of them set up, you can access your files from anywhere, as well as feel safe that if something happens to your computer, you will quickly be able to recover all your important files.
For some, choosing the best cloud storage service comes down to how much free storage space they offer, or how well it works with their existing software and services. But for those of us who put top priority on privacy, the most important thing is the security of our private data.
…What the world needs now is a cloud storage service that is not subject to uncontrolled access by intelligence agencies. —Mikko Hypponen
Why use secure cloud storage?
While many popular cloud storage services are convenient, they all have one fatal flaw for anyone who values their privacy. Third parties can access your files and data.
That may sound like a crazy statement. After all, they all use strong encryption algorithms to encrypt your data right on your computer or mobile device. Then they apply another layer of encryption to protect the files as they travel from your devices to their servers. Even while it rests on their servers your data remains encrypted. So how can these services not be secure?
The encryption that these services apply to your data does indeed keep it secure against outsiders. Even if some hacker were to be monitoring your Internet traffic, they wouldn’t be able to read your data. But what about the cloud storage provider itself?
Most cloud storage services take care of the encryption for you. That means they control the encryption keys and know how to both encrypt and decrypt your data. You need to trust them not to snoop. You also need to trust them to protect your keys against hackers breaking into their servers. And you have to trust them not to decrypt your data and turn it over when required to by whatever local laws apply.
The only way to keep your data truly safe and still take advantage of the benefits of cloud storage is to use a secure cloud storage provider.
What makes secure cloud storage services secure?
The secret to making a cloud storage service truly secure is in the encryption. More specifically, who controls the encryption keys used to encrypt and decrypt your data. In the examples above, the cloud storage provider is responsible for encrypting and decrypting your data. To do that, they have to control the encryption keys.
Secure cloud storage services use a variety of techniques to protect your data. From storing your data in secure facilities with armed guards and biometric locks like something out of a spy movie, to using the latest and greatest encryption algorithms, they offer enhanced security over the big names in the cloud storage space.
Here at Restore Privacy, we’ve been busy reviewing secure cloud storage services to see which ones do the best job or protecting your precious data. This is what we’ve found:
The best cloud storage services
Here are our recommended cloud storage services that do well in the areas of privacy and security. You’ll find a short summary of each service below, along with links to our in-depth reviews of them.
1. Tresorit – Best secure cloud storage solution
|Price||$10.42/mo; 200 GB|
Tresorit is arguably the best secure cloud storage service on the market today, based in Switzerland. It utilizes end-to-end (zero knowledge) encryption and offers a full set of features for businesses, teams, and individuals. If you need to protect your organization’s precious data from outsider attackers, comply with industry regulations, and maintain organizational control, this could be the service for you.
Tresorit’s business-oriented plans help you to manage and analyze how your employees use the service. It is compliant with HIPAA, GDPR, FedRAMP, and numerous other data protection regulations, making it suitable for a wide range of corporate applications.
They also give corporate users the ability to specify data residency (where in the world data will be stored) providing crucial flexibility for multinationals. Tresorit combines all these capabilities with third-party audited penetration testing, plus source code and cryptographic reviews, making it appealing for multinationals and other organizations that can justify the price.
While Tresorit is a great choice for business users, it may not be the best cloud storage solution for individuals on a budget. Even though Tresorit does offer a limited free version, there are better free plans available elsewhere. For individuals, the paid plans may be overkill, leaving you paying for features you don’t need. However, for businesses, teams, or anyone looking for a secure cloud storage service with some of the best features you will find, Tresorit is tough to beat.
Check out our complete Tresorit review.
2. Sync.com – Zero-knowledge cloud storage based in Canada
The next secure cloud storage service we will examine is Sync.com. While Sync.com offers plans for every type of user (individual to enterprise), it is probably best suited for individual users. Their zero-knowledge infrastructure looks to be as secure as you can get, although they haven’t published any third-party test results or audits (yet). If you can get by with 5 GB of storage, and don’t mind the lack of a Linux sync client, you should definitely check out their free plan.
Things are a little more complicated if you are a corporate user. Sync.com’s unlimited storage plans and bandwidth, along with their team-oriented capabilities, could be quite appealing. HIPAA, GDPR, and PIPEDA compliance are also benefits to consider.
However, the requirement to store all your data in Sync.com’s Sync folder could conflict with other crucial apps and services. The lack of published third-party penetration testing and certifications may be a concern in certain corporate environments.
To learn more, see our Sync.com review.
3. NordLocker – Versatile encryption and cloud storage system
|Price||$3.99/mo; 500 GB|
Services like Tresorit and Sync.com are cloud storage products that are secure. NordLocker is an encryption service with cloud storage capabilities. This distinction is important if you want the maximum security possible. Here’s why…
Other secure cloud storage services encrypt your data whenever it is off your computer. No one, not even the service provider, can decrypt your data. But what happens if someone gains access to your computer? In that case, you are in trouble. While your files are encrypted in transit and at rest on the cloud storage service’s servers, they are unencrypted on your device. Someone with access to your device will have full access to your files as well.
NordLocker adds an additional layer of protection. With NordLocker, you move the files and folders you want to protect into a special folder called a locker. Files are encrypted when you store them in a locker, and are only accessible when NordLocker is unlocked. This approach has big advantages.
The files and folders you put in a locker are encrypted before they enter the locker. And the locker itself is compatible with virtually any cloud storage service. NordLocker offers their own cloud storage, but this design means that you can securely use NordLocker with any cloud storage service, even if that service is not secure, or located in a country with privacy-unfriendly laws.
In addition, NordLocker protects your files and folders, even from someone with access to your computer. Unless you log into NordLocker, even someone physically controlling your computer can’t decrypt the contents of a locker.
If this versatile tool sounds good to you, here’s a link to our complete NordLocker review.
4. Nextcloud – The best cloud storage for self-hosting
Nextcloud is different than the other services we’ve covered so far.
First, it is a FOSS (Free and Open Source Software) system. This means that you can take it and use it however you want, wherever you want, free of charge. In addition, because the system is open source, anyone can inspect the code to make sure there are no secret backdoors or other code that could jeopardize the safety of your data.
Nextcloud is also designed to allow you to store your data on your own secure servers. By hosting on your own servers, you can ensure that outsiders can’t get at your data while still having complete access to it inside the firewall.
One example of the benefits this approach can bring is Nextcloud Hub. This allows you (and your team) to:
Share and collaborate on documents, send and receive email, manage your calendar and have video chats without data leaks
As a fully on-premises solution, Nextcloud Hub provides the benefits of online collaboration without the compliance and security risks.
The ability to host Nextcloud on your own hardware is important, since Nextcloud does not yet offer end-to-end (E2E) encryption.
However, Nextcloud is a powerful, flexible, and free cloud storage solution. Between the core product and the 100+ apps you can add to it, you can create anything from basic cloud storage to a complete environment for home or business use.
By self-hosting on secure servers, you can build a free (or low cost) secure cloud storage system that rivals anything out there. And once end-to-end encryption is available, you will be able to do the same, even without hosting everything yourself.
Here’s our full review of Nextcloud.
5. MEGA.nz – Consumer-oriented, zero-knowledge cloud storage
|Based in||New Zealand|
|Price||$5.45/mo; 400 GB|
MEGA is one of the best-known secure cloud storage services, originally started by Kim Dotcom in 2013. It offers zero-knowledge, end-to-end encryption, along with desktop clients and mobile apps for every major operating system and device. Their free plan includes 15 GB of storage, with the ability to boost that all the way up to 50 GB by completing certain activities. On the downside, the service imposes daily transfer limits that can cause delays if you need to move lots of data. Nonetheless, MEGA remains a strong choice for individual users.
I’m less sanguine about using MEGA for secure business storage. Business plans with unlimited storage and transfer capacity could be just what you need. Built-in chat, contacts, and file preview capabilities give some basic team capabilities. But other services, such as Tresorit and pCloud, have stronger corporate offerings. And thanks to New Zealand law, MEGA’s ToS has some potentially troubling clauses I would review before choosing this as my corporate cloud storage service.
Here’s our MEGA review.
Secure cloud storage FAQ
When looking for the best cloud storage that is private and secure, you may have some questions. So let’s cover the basics.
Does the country where the company is located matter?
The country a cloud storage service is located in can matter a lot. Different countries have different laws governing the storage and transmission of online data. Some countries respect your online privacy more than others. Countries like Switzerland have strong data protection laws in place. Others, like the United States and the UK, have a bad record for protecting your privacy.
Surprisingly, the country a secure cloud storage service is located in matters less then it does for a regular service. That’s because a secure cloud storage service can’t decrypt your data. You control the encryption keys, not them. Even if they are ordered to hand over your data to the police, or are hacked by some third party, none of them can read your data.
Now, this doesn’t necessarily mean that the service knows nothing about your data. Depending on how a secure cloud storage service works, they may still have access to:
- Billing information (name and anything else you provide when registering)
- Metadata like when you log on or off the system, your IP address, and other personally identifiable information
- Who you share encrypted files with
- The names of files or folders containing your encrypted data
This means you need to think carefully about the threats you want to protect your data against and how the country it is located in affects those threats (your threat model) before choosing a service.
Does the country where my data is stored matter?
The country your data is stored in is not always the same as the country your cloud storage service is located in. For example, Sync.com is both based in Canada and stores your data there. On the other hand, MEGA may store your data in their home country, New Zealand, or in unspecified European countries that “have an adequate level of protection under Article 45 of the GDPR,” with the decision which location to use based on your physical location.
The country your data is stored in matters. At a minimum, local laws govern the servers your data is on. So imagine that some (incredibly stupidly designed) hypothetical secure cloud service was headquartered in Switzerland, but they stored your data in China (perhaps the least privacy-friendly country in the world). China’s horrible privacy laws would apply to the servers containing your data, despite the company being under the privacy-friendly Swiss laws.
What is the best approach to data security for cloud storage?
Let’s talk about different approaches to ensuring your data is secure in a cloud storage situation. There are three states we need to consider: data in transit and data at rest in the cloud, and data at rest on your device. Data in transit is data that is moving between you (your computer, smartphone, or web browser) and the servers where it is stored. Data at rest is data physically stored somewhere.
Data in transit
If a system is to be secure, data in transit needs to be protected by some kind of communication security so no one who intercepts it can read it. TLS/SSL encryption is typically used to provide this security for data transmitted over the Internet. It gets applied before your data begins to transit the Internet and is removed when your data arrives at the cloud storage service (or vice versa).
While TLS/SSL provides good communication security while your data is in transit, it says nothing about the security of your data once it arrives at its destination. Unless the data you are sending to the cloud service is encrypted before the TLS/SSL is applied, once TLS/SSL is removed at the destination, the cloud service will be able to read your data.
Note: Data can be in transit in two different environments: in public networks like the Internet, or in private networks like your LAN or your company’s private network. Ideally, a private network will be a more secure environment than the public Internet. Some secure cloud services allow you to host your data on your own hardware within your own private network, potentially boosting security still further.
Data at rest
Data that is at rest is data that is being stored somewhere. When you store your data with a cloud storage service, your data will be at rest in the service’s servers. For that data to be secure, it must be protected from unauthorized access. This protection can be physical and procedural: the servers are in a secure location, with no unauthorized persons allowed access to it. Many cloud storage services offer this type of security.
The problem with this type of security is that you need to trust the cloud service to keep your data secure. If their security procedures fail, or if someone breaks into their secure location, your data could be exposed.
A more secure solution to the data at rest situation is to encrypt the data before storing it on the cloud servers. That way, the only people who can read the data are the ones that know how to decrypt the data sitting on the server. This is typically done using AES-256 or some similarly powerful encryption algorithm.
This looks good. Combine TLS/SSL encryption for data in transit, with AES-256 or similar encryption of the data at rest, and you have a complete encryption solution. Or do you?
Who holds the keys to your data?
Only those who have the encryption keys can encrypt and decrypt your data. In many cases, the cloud service holds the encryption keys and encrypts/decrypts your data for you. They use TLS/SSL to provide security for your data while in transit, then apply encryption to the data before storing it on their servers. That’s very convenient, but once again leaves you having to trust the service to protect the security of your data.
The most secure approach is for you to hold the encryption keys for your data. The most secure systems never know your encryption keys. The app on your device uses the keys you supply to encrypt your data before it ever leaves your device and decrypts it once it returns, without letting the service itself know what those keys are.
That way, you don’t have to trust anyone else to take proper care of your keys. You just need to be able to trust the service’s client not to share your keys with the service itself. And if the service uses open source clients and is reasonably popular, you can feel reasonably confident that any hanky-panky carried on by the client app will have been exposed by someone who decided to investigate the code.
We can also consider the security of data stored on your device. Most cloud storage services, even the secure ones, only protect your data when it leaves your device. If someone gets access to your device, they get access to your data too, since it isn’t encrypted while at rest on your device.
With NordLocker, the data you store in the cloud gets encrypted by NordLocker, even on your own device. The only way to decrypt the data is to log into NordLocker. This technique of encrypting data even at rest on your device, provides an extra layer of security.
A system like this, where only you can encrypt/decrypt your data, is called end-to-end encryption. Unless you are considering a service where you can host your own data on your own secure private network, you need some form of end-to-end encryption for the best security.
Why should I pay when I can get a free account?
Especially when money is tight, using a free account for your secure cloud storage needs, is almost irresistible. As tempting as it might be, here are several good reasons to pay for your secure cloud storage, rather than use a free account.
- Functional limitations – There are always some sort of limits on free accounts. You are often limited to storing a few GB of data, while paid plans often offer thousands of times as much. A few even offer unlimited storage. Or they may limit the size of the files you can store, or the amount of data you can transfer in a month. Others may give you full access to the service for only a set time.
- Support limitations – Providing customer support is expensive. While paid accounts often provide email support or even live chats, most free accounts force you to rely on FAQ’s or discussion forums where free users try to help each other.
- Limited features – Most services offer additional features to paid accounts. File version tracking (or tracking for longer periods of time), enhanced security features like 2FA, and business-oriented features like onboarding and collaboration tools, centralized user management, and enhanced reporting.
While I urge you to test a service using a free account whenever possible, if your data is important enough to need secure cloud storage, it is worth investing in a paid plan.
Should I use a VPN with my secure cloud storage service?
While secure cloud storage services are in the business of protecting your data, that doesn’t mean they won’t collect some personal data on you the user. Many cloud storage services log information about your activities on their system. Things like when you log on, how long you stay logged on, along with your IP address.
Gathering your personal data and tying it to your IP address can be useful for them. But it offers zero benefits and some potential risks for you. Happily, you can protect yourself by using a VPN to connect to a secure cloud storage service. If you do, the service will be recording the IP address of the VPN instead of yours. Since each VPN IP address is typically shared by tens or hundreds of users, it will go a long way toward protecting your privacy as you use the storage service.
See our list of the best VPNs here.
Wrapping up the best cloud storage services
This concludes our roundup of the best cloud storage services that do well with both privacy and security.
They may not be as popular or flexible as Google Drive, or sync with third-party services like Office 365. Still, the secure cloud storage providers we recommend in this guide offer enhanced security in this world where your data may be the most valuable commodity you own. I recommend you read through the short summaries of the top-notch services we’ve listed here. When you find one you like, follow the link to our full review, then sign up and give it a good workout for a few weeks. Securing your data while still taking advantage of the best cloud storage for your needs is only a few steps away.
Other roundup guides on Restore Privacy: