Ask The Cyber Security Expert: Is the cloud safe?
Cloud security has been big news again this week, with the online leaks of nude celebrity photos. We roused The Cyber Security Expert from deep contemplation of serious matters (arguing online about which would win in a fight – a Star Destroyer or the Enterprise D) to ask if we should trust the cloud or not.
Is the Cloud secure?
It’s my favourite thing to say about security matters, but as usual – it depends. Firstly, ‘the cloud’ is actually a generic term for a whole range of online storage services. There are many options available – Dropbox, Google Drive, Microsoft OneDrive, Apple’s iCloud – some of which may suit your needs better than others. iCloud, for instance, is heavily orientated around Apple products, whereas Dropbox is platform neutral.
The second thing to consider is what you actually want to store in the cloud. If it is just family pictures, which you want to share anyway, then your security considerations will be of less importance than if you’re storing the designs for your new secret fighter plane.
So what should I look for in a cloud?
A good starting point is to look and see if the provider you’re considering mentions security anywhere in their service description. Dropbox for instance have this, which describes how your data is protected both in storage and in transit (i.e. when it crosses the internet between you and Dropbox). It also has a section on how your data is handled, and compliance with relevant legislation, as well as guidance on how you, the user, can protect access to your data.
It is this final point that is perhaps the most crucial. All the encryption in the world will not help you if you insist on using a weak password. Equally, if it’s available, make sure you enable two factor authentication (read our description here). I’d argue two factor authentication is a must on anything more precious to you than information you would make public anyway. All of the example services above support two factor authentication in some way.
Is using the cloud less secure than just storing my data at home/at my office?
A good question. The cloud has advantages; the big providers will all encrypt your data when it’s stored. They take backups, and have (relatively) limited downtime. Equally you can do all that with your data at home or at work. On balance, I suspect for most people, the big cloud services provide better security than you would typically find in a home or small office environment. And remember, when talking about security I mean the confidentiality (it’s kept private), integrity (it isn’t corrupted or modified in some way) and availability (you can get it when you need it) of your data.
The downside of cloud services is that because of all that juicy data stored in one place, they make an attractive target for hackers. Also your provider of choice may go out of business overnight.
Can you sum it up for me?
Sure. I use cloud services. I have two factor authentication enabled, and use a password manager (we talked about these in this article) to ensure I have strong and unique passwords. I also ensure I have local, encrypted, backups of all my data. For small businesses in particular I think cloud services make a lot of sense – they give good protection for your data, act as an offsite data repository (if your office burns down your local encrypted backups aren’t going to be much use) and make mobile working, and working across multiple devices extremely easy.
So what about the celebrity nudes?
It’s not currently entirely clear. From the latest reporting it looks like the pictures came from a range of service providers, and may have been accumulated over an extended period before being leaked online. iCloud has been fingered because iPhones are very popular, and also because of the way Apple have chosen to implement two factor authentication. There are some details here but in summary two factor authentication only covers some aspects of the iCloud service. It is possible both to find an iPhone, and restore from iCloud (if you chose to back up to iCloud) just using a username and password. Apple presumably made this decision because their two factor authentication scheme hinges on sending messages to a trusted device (usually your iPhone), and if your phone has been stolen or lost (or been broken) that might cause you problems, locking you out of your account and preventing you disabling or restoring your iDevice.
Also, the celebrities may have been phished (tricked into entering a username and password into a fake website), or support staff might have been social engineered (tricked by an attacker into providing them access). Your typical secret questions – date of birth, mother’s maiden name – are not so secret for celebrities.
All these services are only as secure as the end user. If you use a weak password, or are careless clicking on links in emails, you may well find your accounts compromised (and that’s not meant as victim blaming – the fault for these leaks lies entirely with the hackers).
The Cyber Security Expert