CloudU Notebooks is a weekly blog series that explores topics from the CloudU certificate program in bite-sized chunks, written by me, Ben Kepes, curator of CloudU. How-tos, interviews with industry giants and the occasional opinion piece are what you can expect to find. If that’s your cup of tea, you can subscribe here.
The last few weeks have seen a seeming storm of examples of security breaches of cloud services. As is often the case when people have vested interests in a particular technology, many naysayers have pronounced that these security breaches spell the end of the cloud. Heck, even Apple co-founder Steve Wozniak went on record saying:
“With the cloud, you don’t own anything. You already signed it away through the legalistic terms of service with a cloud provider that computer users must agree to. I want to feel that I own things … A lot of people feel, ‘Oh, everything is really on my computer,’ but I say the more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.”
Some might suggest a degree of self-interest in that case (Wozniak is actually chief scientist for a storage company), but beyond that, there seems to be a lot of hand-wringing and naysaying about the cloud.
First up was Dropbox, which reported a breach of its systems that could have compromised users’ passwords. As I said in a post reflecting on the Dropbox issue:
“…amazing functionality doesn’t mean that the product is robust or secure, and the issues that Dropbox seems to be facing over time indicate a corporate culture that has, at least in part, stemmed from an immature approach towards building a product and building a company. It’s a subject I’ve opined on previously when it comes to Dropbox and one which would appear is shared by others.”
The key differentiator here is consumer as opposed to business-ready tools. Now, I’ve stood up and complained about vendors who simply stick a “trusted provider” label on their products in a bid to heap fear, uncertainty and doubt upon competitor services, but there is clearly a difference between a tool designed for consumers to share music and photos, and a true enterprise-level service.
In another example, Wired magazine writer Mat Honan had a nightmare when his iCloud account was attacked – not by brute force, but by a quick spot of social engineering with the Apple support team. Honan had linked his Google and Twitter accounts with iCloud, along with enabling the remote wipe feature that Apple products come with. The hackers managed to infiltrate his Twitter account, change his Google passwords and remotely wipe all of his Apple devices – a nightmare indeed.
So with all these horror stories about services ostensibly run on the cloud, will the world return to having a NAS under the desk or burning DVDs to back up their data? Clearly not, but it is worth reiterating the hard truths of cloud computing as Derrick Harris over on GigaOm wrote about – the fact that, at least to an extent, cloud users may have to accept some loss of control over their data when they sign up to a cloud service. That’s not necessarily a bad thing – but it is something they need to be mindful of. The other thing that Harris points out is that people are generally the problem. In the Honan example, hackers simply called Apple support and, using some social engineering, managed to have Honan’s password reset.
Having said that, there are some key things that cloud users need to think about to ensure security of their data. We went into these in detail in the security chapter of the CloudU certificate, but Harris has written a post detailing the six ways to ensure your data has the best chance of staying safe in the cloud. Harris’ top six tips are:
- Be smart about passwords and security questions. There is much more about this in the CloudU paper, but keep them complex, change them regularly and don’t duplicate passwords
- When possible, encrypt. If at all possible, make your data unreadable by others with encryption
- Use two-factor authentication, because two passwords are better than one
- If you need it, back it up – duplicate your data wherever possible
- Delete it when it’s done – don’t have sensitive information sitting around in the Cloud when you’re done with it
- Don’t be a dummy – use antivirus software, lock down your Wi-Fi and be careful with those dodgy .ru sites
I’m keen to hear your top tips for security in the cloud – comment below.