Security is a very important factor in my choice of distributions and software solutions, and I tend to hold a very strict view of what it means from a modern computing standpoint. In one sentence, my stance on security is this: A sound and complete security posture has to take both physical and network security into account.
Anything less will not fly. So when I came across an article that attempts to sell that view short for the sole purpose of promoting a product, it didn’t sit well with me. The offending article was written by Frank Karlitschek, founder and CTO of ownCloud, a cloud storage service and solution.
In “More to Security than Encryption,” he takes the skewed stance that it is (somewhat) OK to say something is secure even though it lacks encryption. He then makes several points to support that stance.
Here’s what he wrote about availability and security:
“Availability as security — If you own your data it can’t be lost because someone is shutting the cloud service down, or if AWS/Dropbox goes down.”
Sure, but what good is not losing your data if an unauthorized party can access it just as easily and readily as you can? There’s no debating the benefits that cloud storage services bring to the table, but there’s an ongoing discussion about the security implications of dumping all your digital assets somewhere out there. I will not take a cloud service or solution that touts “availability as security” seriously. Your data is either secure or it’s not. Just being able to access it wherever and whenever does not count as security. Lost data can still be secure if nobody else can access it. That’s one of the benefits of encryption.
The other points he made in that article are valid, though a few are debatable, but “availability as security” is dangerous and misleading.