Remember back to when you were little, and you had just found out that Santa Claus wasn’t real, or the tooth fairy, or the Easter bunny (if you are only just learning this now, I apologise). Get ready to relive that experience today, because I am going to let you in on one of the tech industry’s dirty secrets. Ready? Here goes: the Cloud doesn’t exist. I imagine I’ve just blown your socks off, so I’ll give you a moment to go pick them back up.
‘But of course the Cloud exists’, I hear you murmuring. ‘It’s where all my files live’, you add. Now, in a sense, you are right, but what exactly is ‘the Cloud’ in this case? I was exaggerating how ground-breaking this article’s claims will be, but hopefully we can cut through the marketing to explain just what something being ‘on the Cloud’ actually means, and what this may mean for your company’s security decision-making.
A common criticism made by opponents of so-called ‘Cloud’ services is that ‘the Cloud’ is ‘just someone else’s computer’. Fundamentally, this is accurate—when you save a file to a Cloud service (e.g., Dropbox, Box, Google Drive, etc.) rather than to your own device, you are only swapping out your device for one of the Cloud provider’s. Somewhere, whether it’s under your desk or in a mammoth Californian data centre, sits a physical device on which that file is now stored.
This has a number of security implications. Despite the negative connotation of saving your files on ‘someone else’s computer’, there is likely to be a huge disparity between the security of the average employee’s desktop computer and a multi-million-pound multinational company’s data centre—for example, the staff at the latter have ‘…been through much more careful security screening than the people working with the computers you own, unless you’re in the habit of taking fingerprints at job interviews and running background checks.’
However, your files still have to get to the Cloud provider’s storage devices somehow, and you must be able to access them later—write-only storage is of very little use. This has to happen over an Internet connection, which introduces two security concerns. First, it introduces the risk that an attacker may be able to eavesdrop on an unencrypted channel and intercept files or credentials as they make their way between devices. This can be mitigated by ensuring that your Internet connections are secure, using such tools as HTTPS and a VPN.
Secondly, it introduces the risk that an attacker who has got their hands on valid credentials can access your files from anywhere else in the world. Following advice on the creation of secure credentials can alleviate the risk of an attacker simply guessing their way in, but to hamper their ability to gain access, and to run riot in the event that they do find their way in, you must look into multi-factor authentication and strict access controls.
In this article we have talked about some of the risks of Cloud storage. In the next part, we will continue the discussion and present a useful analogy for understanding the pros and cons of the Cloud.