Risk of Cloud Services
Blog Post by Bryan Sampsel
Date: 15 December 2015
Over the last several years, many "cloud" services have sprung up. Some provide hosting for image repositories, while others provide the ability to easily backup one's computer. Of course, there's the biggest cloud service of them all: free email.
"Cloud" has become the market-speak for SaaS (Software as a Service, such as Gmail, Yahoo Mail, Office365, etc) as well as various hosted services, such as Dropbox, Box, Flickr, etc. To keep things simple, I'll stick with the vernacular of "Cloud Services."
Cloud Services are not inherently evil. For smaller businesses and regular individuals, Cloud Services can provide a necessary function that otherwise would be too cost prohibitive, such as email or computer backups.
However, there are risks. Knowing the risks can enable anyone to effectively leverage Cloud Services without blindly wandering into problems.
Let me give you an example. One of the earliest, best known Cloud Services, was image hosting. People were able to upload their personal photos and selectively share them out. I knew a guy who worked for one of the early image hosting companies. He and another co-worker would sit there on the late shift, monitoring the site, and sift through photos that people had uploaded. They were able to bypass all the "controls" that let people determine who would see what photo or whether that photo was private or not. Let's just say that some very sensitive and personal photos were viewed. It doesn't matter which company this was, it's a risk that you take when using any Cloud Service, especially a free one.
Why does a risk like this exist? To put it simply, few Cloud Services publish their security model. In plain English, this means that they do not share their general security practices, such as how your data is secured. When the service exists in a black-box, it might be as tight as Fort Knox or it might be simple for employees or badguys from around the world to get to data you think is private.
Many people use file backup sites. At least one of these sites publishes that it encrypts your files at rest and that an encrypted connection (SSL/TLS) is used for the file transfer. The first response is, "Awesome. They're encrypting my stuff. Nobody can access it but me." The reality is, your data must be accessible to a web-service in order for you to reach the data. The risk is that they can access it if they see fit.
The second risk for the file backup sites is that they're not necessarily broken out by virtual machine. What his means is that if you have Company A, they could set up a separate computer to house all interaction for Company A. And that computer could be protected from access from the server used by Company B. Such separation won't happen for regular people and small businesses as the math simply doesn't work out. Remember, this is a risk, not a definite show stopper.
How would you address these two concerns: access to your sensitive files from either the Cloud Service or from a compromised account within the Cloud Service? Simple. If you encrypt your files while they reside on your hard drive and only backup the encrypted versions. The "pre-encryption" can be handled by software such as GnuPG (free) or PGP (commercial). If you desire simplicity, Winzip or 7zip can be used, both offering well known, strong ciphers to encrypt with. Then, back up your zip-file to your Cloud backup service.
Some will say, "Who cares, I have nothing to hide" or "I have nothing worth stealing." These are ignorant statements. Every scrap of personal information that a badguy can get assists with efforts of Identity Theft. For those who make a living on intellectual property, such as authors, protecting your intellectual property should be the highest priority.
Email is another Cloud Service offered. Free email is probably the earliest Cloud Service and it provides both the service of email and limited storage of personal email messages. Over time, free email services (Gmail, Yahoo, etc) have evolved. User agreements can change at will, as there's no real contract for users to enforce. Worse, if a badguy compromises the Cloud Service or your account, your privacy and personal files can be compromised and stolen. Worse yet, your email account can be used to spread malware to infect everyone in your address book.
How to mitigate the risks with using free email Cloud Services. First, take advantage of more secure logins, like Google offers. Gmail has the ability to not only require your username and password, but also to text you a code to enter. This is an excellent practice, especially on the part of Google to minimize the risk of your account being compromised due to a lousy password. Second, consider getting a pay-service if you rely on email as part of your business, as that comes with a contract. Contracts give you better leverage when the failure is on the part of the company involved. And contracts (and the fact you pay a bill every month) means that when things go wrong, you'll likely get better support from the email Cloud Service. Contracts also mean that services do not automatically get changed on you without notice. Third, ensure that you're using a reasonably complex password/passphrase to ensure that someone isn't simply guessing your password. Adding to that, do not use the same password you use on all your other accounts.
Your takeway: Cloud Services are not necessarily evil. You need to take precautions to make sure that you do not lose your data because the Cloud Service isn't properly guarding it. These precautions may seem like a pain at first, but once you get used to doing them, they become second nature.