Newbie2Security: Is the Cloud Safe, Part I

0

Cloud Security 1725060A reader asked a particularly complex question recently: “Is the cloud safe to use?”

That’s one incredibly complex question. I’m going to to my best to answer it, but keep in mind that “the cloud” isn’t a single thing – it’s an interwoven set of services, platforms, and applications from multiple vendors and companies. The short answer to the question would be “Yes, so long as you’re secure when you use it,” but that’s hardly a good answer to give to someone looking for information. So, let’s break this down over the next few articles to give some advise on cloud security for the average user on the most common consumer cloud services: Cloud Backup, Syncing, and Storage, Cloud Software, The Internet of Things, and Cloud Desktops.

Part I: Cloud Storage, Syncing and Backup

Anyone with an Android or iOS phone, tablet, or other device knows about cloud storage, syncing, and backup. Your photos, application data, and other info are synced between your devices by means of cloud services provided by Google and Apple. Your data is backed up with automated backup tools from those companies, and you may even store data up in their cloud systems for sharing or use elsewhere. These same services can be used by other types of computers and devices with tools provided by DropBox, Carbonite, SpiderOak and more for your PC, Mac, and Linux desktops and laptops.

Security for these types of systems revolves around three concepts: Device security, platform security, and account security.

Device security is how you protect the devices that you control. That can be desktops, laptops, phones, tablets, set-top TV boxes (or SmartTV’s), etc. You do need to do your part to make sure the system as a whole remains secure – it’s not all the responsibility of the cloud provider in this case. The good news is that providing for device security isn’t overly complicated, and most devices walk you through the process automatically when you set them up.

Core concepts in device security are:
1 – Keep the device in your possession, and immediately notify the cloud provider if it’s lost or stolen. We all keep track of our – rather expensive – laptops, tablets, and phones, but this also extends to any device that holds personal or confidential information that can be stolen from you. If you lose any mobile device, or have a mobile or non-mobile device stolen, you must immediately notify the cloud provider to let them know it happened. This allows the cloud provider (Microsoft, Apple, Roku, Google, etc.) time to lock down your account to make sure whoever comes into possession of that device cannot get any of your information off of it.

2 – Lock devices down. Make sure you use passwords that aren’t simple 4 or 5 digit numbers (the usual default for these devices). iPhone, Android, and other types of devices will allow you to use fingerprints, facial recognition, and/or a complex password to gain access to their services; and you really should take advantage of these features. An attacker can quickly and easily figure out a 4-digit passcode, but will take much longer to figure out a complex password or passphrase. This means more time for you to realize the device isn’t in your possession anymore and alert the cloud provider that it is lost or stolen. It also means that visitors, kids, and others won’t gain access to things they shouldn’t – even when their intent isn’t malicious. This also counts for home assistants like Google Home, Apple HomePod, and Alexa. Set up purchasing passcodes so that people cannot accidentally or purposely place orders via these devices voice control systems.

3 – Don’t connect devices when you don’t have to – and limit what they can talk to. Not every device needs to talk to the internet 24/7. Make sure that, if you have the option, these devices are only allowed to go online when they need to. If a device must be online all the time, limit what it can do and who it can talk to. For example, most home routers have the ability to allow you to connect to your home network from anywhere. That means they continuously update the router vendor’s cloud services with your home IP address and other information. If you don’t have a need to access your home network from the outside world (and unless you have a specific reason to do that then you probably have no need), shut that feature off. Finally, be aware the convenience is often the enemy of security. I once had a CPAP machine (for sleep apnea) that offered to upload my sleep data to their cloud service so my doctor could get it. My doctor said I could just use the build-in memory card to get him that data – there was no need for the machine to be broadcasting that info – and so I shut it off. It would be more convenient to have the cloud handle that data, but much less secure with my medical details.

Platform security is all about the cloud vendor themselves, and what steps they take to make sure their own systems are secured. Most of this is far outside of your control, so you need to ask the vendors about their security practices and make a judgement call on if you trust them to hold your data or not.

For example, until relatively recently I had avoided using EverNote for note syncing. While they did encrypt data while it was being transmitted from my machine to their storage (known as encryption-in-flight), they did not store the data in an encrypted format when they were holding it (known as encryption-at-rest). That meant that if their systems got breached, all that data would be immediately visible to the attacker with no need to break an encryption algorithm to read it. Basically they had mined the front yard, but left the front door unlocked.

For the most part, cloud vendors will encrypt both in-flight and at-rest these days. As a matter of fact EverNote has indeed started encrypting at-rest over the past year or so in response to users demanding it. Apple, Microsoft, and Google all encrypt at rest for their sync and backup tools in iCloud, Office 365, and Google Apps as well.

You should be aware, however, that not all encryption-at-rest is created equal. Most vendors use shared-knowledge encryption, meaning that no other user of the service can see your data, but the service provider (Apple, Google, etc.) can see it whenever they need to. A famous case in recent history was when the US Government demanded Apple turn over all data from a suspect’s iPhone. While Apple could not read the data on the iPhone itself (as the phone’s encryption didn’t allow Apple to unlock it); Apple was able to – and did – hand over all data stored in iCloud, which uses shared-knowledge and allows Apple to unlock and read it.

While zero-knowledge vendors of cloud sync, backup, and storage exist (such as SpiderOak and CrashPlan Pro); their services are generally much more complex and expensive that shared-knowledge vendors like DropBox and iCloud. The reason is that zero-knowledge systems require dedicated storage and other technologies for each user, making those services cost the vendor more per-customer, which is passed on to the customers themselves. For most data, shared-knowledge is perfectly fine if the company in question – like DropBox or Apple – has a proven track record of securing their own access to your data. Apple has proven they will only turn over data with a valid warrant or other legal instrument; and DropBox did have some hiccups, but has worked very hard to close those security holes and ensure new ones do not crop up.

Account security is the third pillar of safe sync, backup, and storage online. This one is shared between you and the cloud vendor equally. You must use a secure password and only access the service from devices that you trust. They must ensure all employees follow security best-practices and no one gets unauthorized access to their systems. Working together, both of you ensure that your account information (passwords, application authorizations, etc.) stay assigned to you and you alone – keeping prying eyes from getting the chance to access your stuff on their servers.

Taken together; device security, platform security, and account security work to make sure that neither you or the cloud vendor do anything that could compromise either your data or their services. Controlling your devices allows you to make sure they don’t leak information or allow others to access it. By sticking with well-regarded and well-secured vendors who have a commitment to platform security you can make sure the platform itself will keep attackers out. Account security makes sure that it is as difficult as possible for an attacker to impersonate you or an employee of the cloud vendor and gain unauthorized access.

So, as you can see; using sync, backup, and storage in the cloud can be secure if both you and the cloud vendor take security seriously. Stay tuned for parts II and III for more information!