Up in the air about cloud computing?
Cloud services are an increasingly popular, powerful technology that many individuals and organisations are adopting. Cloud computing is really nothing more than using a service provider to store and manage your data for you. The reason we call this service the cloud is that you never know precisely where your data is physically stored; it is being served by the cloud. Examples of cloud computing include creating documents on Google Docs, sharing files via Dropbox, setting up your own server on Amazon Elastic Compute Cloud, or storing your music or pictures on Apple’s iCloud. These online services have the potential to make you more productive. However, with these capabilities come risks.
In this article we will assume that “cloud” means a file sharing / storage service like iCloud, OneDrive or Google Docs. We will examine some of the issues and risks and give you some tips on how you can protect your information.
Selecting a Cloud Provider
The cloud is neither good nor evil; it is simply a tool for getting things done. Remember, though – you’re putting your valuable data on someone else’s computer so, since you are handing over the availability and security of your private data to strangers, you must ensure they meet your requirements. Consider the following questions when researching cloud providers.
- Support. If you have a problem, how responsive is the company in providing support? If your data is critical, you may require phone or e-mail support. If the company does not provide such support, does their website have public forums or an FAQ (Frequently Asked Questions) section?
- Backups. Does the company back up your data? If so, exactly what gets backed up, how frequently and for how long are the backups maintained? If you unintentionally delete files, can you recover them, and if so, how?
- Privacy. Who does your cloud provider allow to access your data? Do only you have access, or do the provider’s employees or third-party partners have access?
- Security. How will your data get from your computer or device to the cloud? Is the connection secured by encryption? How is your data stored in the cloud, and once again, is it encrypted? Who can decrypt your data? What is the cloud provider’s security record? Dropbox, for example, has had some security issues in the past. Before selecting them as your cloud provider you might want to look into those issues and be sure you’re comfortable with how they were resolved.
- Reliability. How long has the cloud provider been in business? How stable are they? Are they operating within all legal requirements? You don’t want to be in a situation where the cloud provider you’ve selected gets shut down because of bankruptcy, storing / streaming illegal content, etc. That’s exactly what happened with a service called Megaupload and it seriously inconvenienced a lot of users.
Once you have selected a company (or companies) to store your data in the cloud, the next step is to make sure you use their services properly. How you access and share your data can often have a far greater impact on its security than anything else. Some key steps you can take to protect your information include:
- Authentication: Use strong, long passphrases to authenticate to your cloud provider. This protects against cyber attackers simply guessing your password. This happened recently when several celebrities had their Apple iCloud accounts compromised resulting in sensitive photos being accessed. If your provider offers two-factor authentication (sometimes called two-step verification), we recommend that you use it.
- Sharing: Cloud services make it very easy to share data, so be careful that you do not accidentally share too much data with others. In a worst case scenario you may unintentionally make your data available to the public. The best way to protect yourself is to start by not sharing any of your data with anyone. Then only allow specific people (or groups of people) access to specific files or folders on a need-to-know basis. If you’re a business or other organisation, make sure you have someone in charge of controlling access to the files and folders who can grant / remove access permissions as required. You wouldn’t want to leave a disgruntled former employee with full access to your data simply because nobody was in charge of turning off their access.
- Settings: Learn and understand the security settings offered by your cloud provider. If you grant full control to someone else, can they in turn share your data with third parties without your knowledge and consent? Can you purge your data from the cloud provider’s systems once you no longer need the service?
- Antivirus: Make sure the latest version of antivirus software is installed on your computer and on any other computer used to share your data. If a file you are sharing gets infected, other computers accessing that same file could also get infected.
- Encryption: How does your provider encrypt your data? Do they control the keys or do you? A better security option is to encrypt your private data locally before storing it in the cloud. This extra step protects your data even if your cloud provider is compromised; those sensitive photos pulled from iCloud would have been unreadable and therefore useless if they had been encrypted prior to uploading.
- Backup: Even if your cloud provider is backing up your data, you should still be making regularly scheduled local backups of your own. Not only does this protect your data should your cloud provider go out of business or be shut down, but it may also be easier to recover large amounts of data from your local backup rather than pulling it down from the cloud.
- Terms of Service: Read the Service Level Agreement (SLA) or End User License Agreement (EULA) before you sign up for a service. Consider other providers if there are terms in the contract that you don’t understand or that concern you.
- Organisation Data: Do not store your organisation’s data in the cloud without prior permission from a supervisor. Storing your organisation’s data in the cloud may not only violate your organisation’s policies, but could violate the law, exposing you and your organisation to legal repercussions. For example, as a “public body” under “FOIPPA” (Freedom of Information and Privacy Protection Act), Royal Roads University “must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada.” Since most cloud providers store data in data centres outside Canada, using them to store RRU-related personal information could be illegal. Similar provisions exist for other organisations as well, so before you put personal information on a cloud service you really need to make sure it’s legal to do so.
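One way to carry out the Encryption tip above, shown as an added example that is not part of the original article: encrypt a file locally so that only ciphertext is placed in the synced folder. It assumes the OpenSSL 1.1.1+ command-line tool is installed; the function names and the `.sha256` checksum file are illustrative choices.

```bash
#!/usr/bin/env bash
# Added example: encrypt locally, upload only the ciphertext.
# Assumes the OpenSSL 1.1.1+ CLI; function and file names are illustrative.

# encrypt_for_cloud PLAINTEXT CIPHERTEXT PASSPHRASE_FILE
# Derives an AES-256 key from the passphrase with PBKDF2 and a random salt.
# The passphrase is read from a file so it never appears in the process list.
# AES-CBC alone does not detect tampering, so the SHA-256 of the ciphertext is
# written to CIPHERTEXT.sha256; keep that file on your own machine, not in the cloud.
encrypt_for_cloud() {
    local plain=$1 cipher=$2 passfile=$3
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
        -in "$plain" -out "$cipher" -pass "file:$passfile" || return 1
    openssl dgst -sha256 -r "$cipher" | cut -d' ' -f1 > "$cipher.sha256"
}

# decrypt_from_cloud CIPHERTEXT PLAINTEXT PASSPHRASE_FILE
# Refuses to decrypt (exit status 2) if the downloaded ciphertext no longer
# matches the checksum recorded locally at encryption time.
decrypt_from_cloud() {
    local cipher=$1 plain=$2 passfile=$3 want got
    want=$(cat "$cipher.sha256") || return 1
    got=$(openssl dgst -sha256 -r "$cipher" | cut -d' ' -f1)
    if [ "$want" != "$got" ]; then
        echo "ciphertext changed since it was encrypted; not decrypting" >&2
        return 2
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$cipher" -out "$plain" -pass "file:$passfile"
}

# Usage:
#   encrypt_for_cloud photo.jpg ~/CloudFolder/photo.jpg.enc ~/.cloud-passphrase
#   decrypt_from_cloud ~/CloudFolder/photo.jpg.enc photo.jpg ~/.cloud-passphrase
```

The passphrase file and the checksum must live outside the cloud folder; losing the passphrase means losing the data, so include it in your local backup plan.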
The cloud is neither good nor evil; it is simply a tool that you can use. The key steps to protecting yourself are choosing a cloud provider that meets your requirements and accessing and sharing your data in a secure manner.