The more popular cloud storage gets, the more scrutiny it’s subject to. One of the most talked-about topics of the year is data security. How can people be sure storing their information on the cloud is safe?
2 reasons to be wary of cloud storage
Shared access. Multitenancy is a growing trend but a growing issue at the same time. Multitenancy is an environment in which multiple customers share the same computing resources: CPU, storage, memory. Sharing environments like this lowers costs across the board for the provider, who can then pass those savings on to the consumer. A potential downside of multitenancy is that these environments can be relatively vulnerable if not built correctly, which potentially puts anyone’s data in that space in jeopardy.
As an example, think about software that lets you have a virtual apartment. You have your TV, fridge, couches - everything you’d have in a normal apartment, but it’s all virtual. Sounds boring, but stay with me. If this software company builds these environments with sketchy multitenancy (no pun intended), you would still have an apartment, but your neighbors would have doors into your place and could walk through any time they want, touching all your virtual stuff.
Though multitenancy is secure enough for most companies, hypersensitive security industries (banking, government, healthcare) still prefer single-tenancy architecture. Single-tenancy provides a dedicated, more customizable environment for each individual client. Instead of sharing the same computing resources, each client has its own instance of the software in a separate (or securely partitioned) environment.
Unknown unknowns. This industry is changing at lightning speed and a lot of the time these companies cannot keep up with potential attackers. A lot of companies learn new protection techniques after the fact, from breaches or attacks happening. Cyren, a cloud-based security company, wrote a great blog diving into what some companies are doing to find unknown unknown attacks before they happen. They go into how companies are starting to use Recurrent Pattern Detection to catch these attacks, which you can read more about here.
I'm sure you've read about the Sony cyber attacks by now. Attackers got past Sony's security and escaped with a lot of the company's secrets, embarrassing emails, employees' personal information and more. Sony's system and response time to this attack were the triggers for Sony (and a lot of other companies) to beef up their security even more. That's not to say their security wasn't impenetrable prior, far from it, but they likely had no idea the holes the hackers got through even existed. It's like a game of virtual whack-a-mole. When the mole pops up you hit it as fast as possible, but you never know where and when he's going to pop up next.
That's a lot of data.
3 reasons not to be scared of cloud storage
Competitive advantage. Cloud companies will do anything and everything they can to avoid customers questioning the strength of their security, so building the most secure architecture for their customers is priority number one.
Remember that Target security breach? Hackers installed malware on Target's mainframe days before Thanksgiving 2013 and escaped with 40 million credit cards and 70 million names, personal addresses, phone numbers, etc. All in all, the attack cost Target, and its shareholders, over $148 million. And that number is expected to keep growing as Target continues to bolster its security. Their stock price plummeted after that, mainly attributed to cautious consumer spending.
Not only did they incur all of these fiscal costs, the breach also took a chunk out of the trust their customers had in them. All that being said, you can bet Target now understands and prioritizes data security above all, because the only thing worse than going through an attack of this scale is going through it twice.
Encryption. Encryption has proven so effective that it’s synonymous with cloud security. You’re the only one that has the key to unlock the chest of your info. This concept gets pretty complicated but at its most basic it is:
- the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.
The language I made with my best friend in 5th grade had a key embedded in each message. The number of letters in the first word of the message determined how far each fake letter was from the real one (alphabetically, of course). For example, if I wanted to say “what’s up”, it would read “bmfy’x zu” in our code.
That's basic encryption; data you send to the cloud is encrypted with a code that only you, and whoever you allow, can see.
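The fifth-grade scheme above, written out in Python as an added example (it is not from the original post, and the function names are illustrative). It also shows why the scheme is only a toy: the key travels inside the message, so decoding needs no secret at all, and there are only 26 possible shifts to try anyway.

```python
import string

ALPHABET = string.ascii_lowercase


def shift_text(text: str, shift: int) -> str:
    """Shift each letter by `shift` places, wrapping around the alphabet."""
    out = []
    for ch in text:
        lower = ch.lower()
        if lower in ALPHABET:
            moved = ALPHABET[(ALPHABET.index(lower) + shift) % 26]
            out.append(moved.upper() if ch.isupper() else moved)
        else:
            out.append(ch)  # apostrophes, spaces and digits pass through unchanged
    return "".join(out)


def first_word_letters(message: str) -> int:
    """The 'key': how many letters the first word has (punctuation not counted)."""
    words = message.split()
    if not words:
        return 0
    return sum(1 for ch in words[0] if ch.lower() in ALPHABET)


def encode(plaintext: str) -> str:
    return shift_text(plaintext, first_word_letters(plaintext))


def decode(ciphertext: str) -> str:
    # Shifting never changes which characters are letters, so the first
    # ciphertext word has the same letter count as the first plaintext word.
    # Anyone who intercepts the message can read the key straight off it.
    return shift_text(ciphertext, -first_word_letters(ciphertext))


def brute_force(ciphertext: str) -> list:
    """Without knowing the first-word rule, trying all 26 shifts still works."""
    return [shift_text(ciphertext, -k) for k in range(26)]


if __name__ == "__main__":
    secret = encode("what's up")
    print(secret)          # the example message from the text
    print(decode(secret))  # recovered with no shared secret
```

Real cloud encryption differs on exactly this point: the key is a long random value kept separate from the data, so holding the ciphertext alone reveals nothing.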
Companies are catching up. The silver lining of these attacks is that companies learn from their mistakes: they know what happened, how it happened and how to prevent it. One of the hottest growing trends is ‘client-side encryption’. This means that even before the data leaves your device it’s already encrypted and you’re the only person with the keys.
The bottom line is if you have a computer that’s connected to the internet, you’re a potential target; there’s no way around it. The good news is that cloud companies are making it harder and harder to penetrate their systems, and even if someone gets through, modern security systems can recognize a breach quickly and limit the amount of damage the attacker can do.
4 ways to protect yourself
Even though companies are continuing to bolster their defenses, end users can still make a huge difference in how secure they are by following these tips.
Keep important information on the ground. Don’t keep your super sensitive or personal material on cloud platforms (when possible) if you want to be absolutely certain it’s out of reach of attackers. If you have personal information that falls into that category, physical storage is the way to go. Plus physical storage options have the benefits of faster file transfer and a lower cost.
Strength training. Cloud companies can only do so much to protect you; some of the responsibility comes down on the end user. From making strong passwords to selectively storing sensitive data, users need to make sure they are doing everything they can on their end.
The more you understand how cloud infrastructure and security work, the more secure you’re going to be. A lot of cloud software companies provide password strength testing during their onboarding process, and a quick Google search will get you a multitude of awesome random strong password generators.
Use zero knowledge. This means all info is encrypted and only approved contacts have the keys to access the data. Zero knowledge ensures that even if your data is intercepted or the wrong person gets a hold of it, it’s essentially useless because they don’t have the code to read the information.
Do your research. Know the players, know their strengths and weaknesses and make the best decision for your storage needs. As this technology gets more and more complex/confusing, the best way to think about it is breaking it down to its most basic parts.
All companies using this kind of technology (SaaS, IaaS, PaaS) are just offering a safe. A safe has the capability to securely store everything you put into it, but only if the person using it understands how to use it effectively. I could store all of my prized widgets in the best safe money can buy, but if I leave it unlocked, don't use a great password, or don't use the proper security measures, I'm essentially putting them inside the world's largest paperweight.
There are a lot of reasons to have reservations, and not to have reservations, about how secure your data is in the cloud. But making sure you select the service that best fits your needs and understanding everything you can do on your end is the key to making sure you're as protected as possible.