I was hoping someone could add some clarifty to the security of ReadyCLOUD as I had a question from a customer.
If I understand it correctly, you create a ReadyCLOUD user account - which the credentials are stored on Netgears ReadyCLOUD servers.
You then 'link' your device to this ReadyCLOUD account which looks to me as if a trust relationship is setup and you are escentually giving ReadyCLOUD full access to your device.
I know from a front end perspective a user needs those credentials to access data on the ReasdyNAS, however surely it still means that Netgear have full access to the NAS also from a backend perspective?
Additionally to this, when using the Desktop Client - is everything transmitted in SSL and are any parts of the documents store temprarily on this netgear server which I see as a bit like a proxy?
There is an old (and in my opinion incomplete) KB article on security. I think it needs updating. IT departments need a lot more complete disclosure on this stuff than they used to, plus there are some special cases where regulatory requirements need to be met (for instance HIPPA in the US). As I recall, the article didn't clearly say if the forwarding servers had access to the session encryption key.
Normally a hash of the passwords would be stored in the servers - hopefully Netgear is not storing the passwords themselves (even encrypted that is a bad idea). But that hardly matters if the forwarding servers are compromised.
I agree there is a trust relationship formed with Netgear - even if ReadyCloud servers don't decrypt your data, they certainly could. They are perfectly placed for a man-in-the-middle attack.
There are some other options btw - OwnCloud and OpenVPN in particular. (Note I'm not claiming that they are more secure, I'm just pointing out they are available. The customer should do his/her own risk assessment).
Due to the lack of disclosure and information regarding ReadyCloud security by Netgear the only thing a reasonable client could conclude is that the ReadyCLOUD connection is not secure, and ReadyCLOUD should not be used under circumstances that require secure access.
