Guest post written by Dave W, Network Security Analyst.
Whether we like it or not, nearly every online service we consume uses or is moving to “The Cloud”. This is particularly true of mobile devices. This can be quite convenient and you might not be aware that you are even using it. But for businesses and people who are concerned about their data it can be difficult to sort the hype from the reality for these cloud services.
To begin with, the terms “The Cloud”, “Cloud Computing” and “Cloud Services” are not generally well defined and have become seriously overused buzzwords. I will attempt to disambiguate this for you now, because it really is not as complicated as marketing departments seem to want it to be. Cloud Services refers to any computer resources, be they data storage, data backup, data sharing or other computing resources, that are provided to you over the internet, on demand, as a service. These services differ from traditional non-Cloud services only in that you are not providing the computers, software, hard drive space or other resources yourself at your home or office. This has existed under other names for some time, so if it all sounds familiar, it probably is.
Some common examples: Dropbox is probably the best known “Cloud Storage” provider, and iOS device users who use iCloud to back up their photos and other data, or Android users who back up their data to Google Drive, are using “The Cloud” all the time.
I will interject a brief technical point here for those who care about such fine details. These are all examples of public cloud infrastructure. There are private and hybrid cloud infrastructures as well, but unless you’re in a corporate IT department you will not need to worry about that. And if you are, as much as that topic is near and dear to my heart professionally, sorry, but I won’t be getting into that here.
Again all this should sound familiar. These services are becoming ubiquitous. If you are looking for a to-do list, a notebook or a photo organizer that can be shared between people or between your devices, all this data is being transmitted to and stored on a cloud storage service somewhere on the internet. It is this ubiquitous and nearly invisible use of cloud services that is beginning to give some people pause.
This is especially true for small or home businesses. These are businesses that can make use of these sorts of services but who do not have full-time IT staff to sort out the details and keep things from running away on them.
This is not to say that these services are dangerous or should not be used. Like anything else, they are tools and when used appropriately they are very useful but also need to be understood and respected to avoid certain dangers.
So the first question, though there will be others, is about security. Are these services safe, should I use them, can I trust them for business or personal use? And of course the answer is “It depends!” The most accurate and simultaneously annoying answer I could give you.
What we always need to look at first when assessing the security of any computing resource is to identify what is being secured and what the risks to the security of that object are. In this case we are securing your data. If I upload my document to Dropbox, I want to know that it is safe. This is of course of great concern. What is just as important, and often forgotten, is the rest of the information that goes with that document: namely your Personally Identifiable Information (PII), which could be used to gain access to other data or to impersonate you.
What, then, are the risks to your two kinds of data when using Cloud services? This is not going to be an in-depth technical list, as there are many attack vectors and more are being found every day. What we are going to look at are the primary high-level risks.
The first thing we need to understand is who is getting this data. If I am handing them my documents, photos, birthdays, email etc., I want to know who these people are. This can be a huge chore to do exhaustively, and most of us are content to go with a name we recognize, at least for our personal lives. For business this becomes a more important task. At bare minimum, this means you want to watch out for downloading random cloud-based apps from the web or an app store, filling in a host of personal information and then uploading your life’s secrets onto the app. Take some time to do some research. How big is the company? Are there forums or comments online either complaining about or praising it? What is its reputation? This is not a foolproof mechanism in and of itself, but it is a good start and will weed out the most obvious scams. Take a look at the website of the service or company involved. Look for a privacy or security section on their website and see what they do to keep your data safe. If you are a business, or especially if you are paying for the service, it can be worthwhile to contact them and ask questions that you do not find answers to on the website. Again, these things cannot guarantee your data is in safe hands, but you will be safer than if you had not checked them out.
If you are reasonably happy that this is a legitimate service the question becomes, how safe is my data in their hands? Even a well-meaning company can have a data breach if they are not careful (and to be honest even if they are careful, but more on that later).
Particularly for cloud storage or backup providers, it is important to make sure they are taking the appropriate security measures to safeguard your data. Most will have information on their websites about their secure facilities (never underestimate physical threats), about the way they encrypt or otherwise secure data on disk, or about their policies on authentication and access. These are all important factors. Once again, contact the company and ask if you are not sure or have further questions. It pays to do some searching on the web here too. It can be hard to sift through, but again it should help eliminate some services that have clear problems.
Of particular concern here is encryption. Data at rest on any good service should be encrypted, either by their service or, wherever possible, with your own application, where you and you alone hold the key and/or password. A little research into the service and some playing around with software like TrueCrypt can make a real difference to the security of your data. Look into encryption in the application, on the service provider’s website, or check the compatibility of their service with your own third-party encryption application.
A further factor that is often overlooked is what is called “Data in Flight”. If you are using any of these services, then at some point your data leaves your device and is copied to the service provider’s location over the public internet. No matter how secure the data is once it gets there, if it is picked out of the air (literally, in the case of Wi-Fi) on its way from you to them, then the end security does not mean much. Fortunately this has a fairly simple fix and is the easiest issue to resolve. A good cloud-backed application should be communicating with the server over an encrypted protocol. Most of these services will provide either mandatory or optional SSL communication between you and the service provider. While this is simple and easy enough to implement, it is difficult, especially on mobile devices, to verify for yourself. My suggestion again is to hit up the website for the service, do some web searching or possibly contact the provider and ask. And even if you find that the application does or can make use of secure communication, check the settings carefully. Some applications will require you to turn this on as an option after it is installed.
The idea behind all this data security checkup I am proposing is not to dive into the low-level details, as these can get overwhelming quite quickly unless you have a security background. The idea is to ensure that the service provider is concerned about the security of your data and is doing what they can to protect it. Any provider can have a data leak. No matter how hard the target, against a sustained, persistent attack even the best security can be breached. But it is how proactive the provider is in assessing and reacting to these situations that you want to look for.
It is here that most people start getting concerned. Time and again people have told me that they do not put any of their data online because they are afraid that it will “get hacked” and that anything outside their own desktop or laptop is not secure enough.
While there are aspects of this that could be argued, a simple point that I return to time and again is this. I am not an information security expert. I am a storage systems engineer. While I understand a fair bit of the security game, it is certainly not my area of expertise. A good cloud service provider will have a team of trained, experienced professionals who do this all day, every day, and are better equipped than I am to fight off an attack. The technology used by the good service providers is much better than the security that protects my home network. And in a world of laptops, USB keys, super phones and tablets, data is more mobile and less physically secure than ever before.
This is not to say that you should trust blindly that every Cloud provider’s security is up to snuff. But it is also important not to be overly confident that your home router/firewall will protect your personal data either. There are many aspects of a provider’s security that you need to review and scrutinize before you hand them your data. But if you are vigilant and do the homework, a mixture of well-researched cloud services and good home data security measures should provide you with a good balance of security and functionality.
Take a look at your mobile devices and the websites you frequent most, look at how your data is being used, and do some homework. You might be surprised how much of your data is out there and how little you know about where it is and how it is being stored.