Johns Hopkins University researchers recently revealed a design flaw that could allow secure cloud providers to access users’ private files by performing a man-in-the-middle attack when users share files with another party.
Even more recently, file-sharing company Intralinks uncovered a vulnerability in Dropbox’s and Box’s shared links to users’ files. If a user clicked on a link within a document stored in the cloud, the administrators of the third-party site would be able to see the link to the file.
These risks don’t mean that you shouldn’t use cloud storage, but you should educate yourself about the risks involved so you can do it as safely as possible.
If you decide to move your data to the cloud, here’s what you need to do:
1. Accept the Cost of Convenience
Cloud security was a hot topic at April’s SecureCloud 2014, the Cloud Security Alliance conference in Amsterdam.
Governments, consumer advocates, security professionals, and enterprises were politely at each other’s throats, arguing for more transparency in operations and laws that have some level of understanding about how the Internet works. At the center of much of this debate was a general distrust of any government’s intelligence programs.
The clear point to be taken from the debate is that the second you share data in the cloud, you are exposing it to potentially uncontrolled access. The proverbial cat is out of the bag, and the challenge to keep it private becomes significantly harder.
There’s arguably a lack of transparency from cloud service companies like Google and Amazon on issues such as governments being able to subpoena data without your knowledge. Even worse, a malicious hacker can breach the provider without your ever learning that it happened, leaving you at the mercy of the provider you’re storing data with.
2. Encrypt Your Own Information
Your cloud service provider has security protocols in place, but adding another layer of encryption can save your data. By not encrypting your own data, you’re giving the cloud provider (and anyone else who has access to its servers) full access to your files. Think of it as using a public storage space: The company provides security for the property, but you’re responsible for locking your personal unit.
If you’ve seen “Storage Wars” or “Pawn Stars,” you’ve seen how valuable the random contents of a storage unit can be. Your data may seem inconsequential to you, but all data is valuable to someone. Outlying information or documents (like your personal digital calendar) can be prime targets if not secured.
At the very least, understand that your data is synonymous with your customers’ privacy. Encryption is key to protecting that privacy, particularly if you’re storing corporate PII.
If there’s a breach at the cloud service provider, your company is still liable for any personally identifiable data that you store there. Realize that this could be as simple as an exported Excel file that one of your executives has pulled for reporting purposes. If that file is not properly encrypted or shared, it can put your company at significant financial risk.
3. Sign and Verify All Data
Data integrity is the single most overlooked component of cloud data security. Everyone seems to be focused on encryption, but encryption is only half the equation.
The only thing worse than an outside party viewing your data is an outside party manipulating (or deleting) it. Without a process in place to track changes to information, you may not notice something’s wrong. From a technological standpoint, it could be a PDF that was opened and infected on someone else’s computer and then shared with others. You wouldn’t notice that the data has changed, but when you open it — because it came from a trusted source — you get in trouble. If you’d signed the data beforehand, you would have realized that it had been altered.
Technologies such as KSI or PKI can help build a layer of trust around your data. Estonia, for example, uses KSI to protect all of its citizens’ data and has some of the most modern policies for data security around personal information.
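The sign-then-verify process described above, as an added example that is not part of the original article: a manifest of file hashes is authenticated before upload and checked after download, so modified, deleted and unexpected files all show up. It assumes an HMAC key kept off the cloud provider as a stand-in for the PKI or KSI signatures the article names; the key and file contents are constructed sample data.

```python
import hashlib
import hmac
import json


def build_manifest(files, key):
    """Hash every file before upload and authenticate the whole list."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify_download(files, manifest, key):
    """Compare what the provider returned against the authenticated manifest."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Check the manifest first: an attacker who can edit files can edit it too.
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest tag invalid: the manifest itself was altered")
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, digest in manifest["digests"].items():
        if name not in files:
            report["missing"].append(name)  # deleted on the provider side
        elif hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            report["ok"].append(name)
        else:
            report["modified"].append(name)  # content changed after signing
    report["unexpected"] = sorted(set(files) - set(manifest["digests"]))
    return report


# Constructed sample data: what was uploaded, and what later came back.
KEY = b"constructed-demo-key-kept-off-the-cloud"
ORIGINAL = {
    "report.pdf": b"%PDF-1.4 quarterly numbers",
    "customers.csv": b"id,name\n1,Ada\n",
    "notes.txt": b"call vendor",
}
MANIFEST = build_manifest(ORIGINAL, KEY)
DOWNLOADED = {
    "report.pdf": b"%PDF-1.4 quarterly numbers plus altered content",
    "notes.txt": b"call vendor",
    "extra.docx": b"file nobody signed",
}

if __name__ == "__main__":
    print(json.dumps(verify_download(DOWNLOADED, MANIFEST, KEY), indent=2))
```

Because the tag covers the full list of names, a file that silently disappears is reported as missing, which a per-file checksum stored next to each file would not catch.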
4. Research Your Cloud Vendor
Not all cloud storage vendors are created equal. Each has advantages, disadvantages, and different ways of protecting your data.
Larger providers such as Amazon (the cloud service of choice for services like Netflix) are larger targets, but they have better security. Smaller companies tend to have lower budgets to secure data, which makes them more vulnerable.
Joyent Manta Storage Service is easily the most transparent cloud provider, offering a variety of data-intensive analytics and computations that can be run within its servers. When it comes to cloud security, Joyent is a surgical blade in a world of steak knives.
5. Understand That the Internet Is Never Safe
No matter how well you protect your data, it’s important to understand that any device or data connected to the Internet is vulnerable.
While many users feel comforted by Apple’s Find My iPhone service, this feature has been used by hackers to lock phones remotely and demand ransoms from Australian iPhone owners. The compromise of these users’ iCloud accounts is made more frightening by the fact that no one’s entirely sure how the hackers accessed them — theories about phishing, password database hacking, and server hacking abound, but none have been proven. Because the breach didn’t occur on Apple’s side, the end users are responsible for shoring up their security.
Hacking isn’t the only way to access your data. The U.S. government is notorious for subpoenaing information from companies’ servers and placing those companies under a gag order, which means you may not even realize that your data has been accessed. Companies like Lavabit and Silent Circle have already shut down their email services to avoid government intrusion.
While the government’s power can be intimidating, the armies of organized criminals that could be attacking your infrastructure daily are downright scary. Whether state-sponsored or independent, these organizations are smart, resourceful, and patient. Disconnecting from the Internet is the only way to fully protect your data, but that’s becoming simply unrealistic as every aspect of business goes digital.
The move to the cloud is bringing efficient data access and systems integration to the masses, but with this ease of use comes a variety of security issues. Whether the rewards outweigh the risks depends on your company and the resources you can afford to dedicate to security.
About the Author: Daniel Riedel is the CEO of New Context, a systems architecture firm founded to optimize, secure, and scale enterprises. New Context provides systems automation, cloud orchestration, and data assurance through software solutions and consulting. Daniel has experience in engineering, operations, analytics, and product development. Previously, he founded a variety of ventures that worked with companies such as Disney, AT&T, and the National Science Foundation.
- Design flaw in ‘secure’ cloud storage puts privacy at risk, JHU researchers say: http://hub.jhu.edu/2014/04/16/cloud-storage-security-flaw
- How Documents Stored On Box And Dropbox Could End Up On Google: http://readwrite.com/2014/05/07/shared-links-dropbox-box-security-risks#awesm=~oDMbzwupLcNHSZ
- Silent Circle Preemptively Shuts Down Encrypted Email Service To Prevent NSA Spying: http://techcrunch.com/2013/08/08/silent-circle-preemptively-shuts-down-encrypted-email-service-to-prevent-nsa-spying/
- Your iPhone has been taken hostage. Pay $100 ransom to get it back: http://arstechnica.com/security/2014/05/your-iphone-has-been-taken-hostage-pay-100-ransom-to-get-it-back/