Your information is safer than you think, although the cloud is not without risk.
This short question opens a veritable Pandora’s box of issues and considerations.
I believe there’s a lot of misunderstanding about just what information safety means and how secure your data is and is not when you use cloud-based services.
Of course, there’s also a lot of misunderstanding about what “cloud-based services” even means, so we’ll need to define that a little first.
Keeping things safe in the cloud
- The cloud is nothing more than the online services you’re using already.
- It’s your responsibility to secure your account with strong password hygiene, up-to-date account recovery information, and more.
- Choose reputable providers with a strong security track record. If you don’t trust them, don’t use them.
- Back up your data regardless. So many things can go wrong.
- Encrypt sensitive data you store online.
I’ve talked about cloud computing before, but as a reminder, my definition is really pretty simple:
The cloud is nothing more than the internet, and cloud services are nothing more than services you access over the internet.
- Outlook.com, Gmail, Yahoo Mail, and the like. Particularly if you’re using their web interfaces, your email is in the cloud and has been for a very long time.
- Share your photos on Flickr, Google Photos, Instagram, or some other online photo sharing service? You’ve been putting your photos in the cloud.
- Your OneDrive and Google Drive/Docs documents are being stored for access and collaboration in the cloud.
- Services like RoboForm, LastPass, Dropbox, Evernote, Notion, and others back up your data to their servers in the cloud, and they often allow you access to your data from just about anywhere you can connect to the internet.
You get the idea… “the cloud” isn’t really anything new. You’ve been using it for some time already.
As network speeds and capabilities have expanded, so has our use of helpful and powerful services out on the internet.
Calling it “the cloud” just sounds sexier.
Why cloud security matters
There are two types of information you care about keeping safe when using online services:
- Information about you, such as your email address, passwords, account numbers, and the like.
- Information that you’re using the service to manage, such as your email, address book, documents, photos, and more. While some of this might be public, such as photos you choose to share, much of it may be private information you wouldn’t want the world to see.
When using an internet-based service, you’re placing all of that information onto servers that by definition anyone on the internet can access. How much of your information they can access is a function of how secure the service is and what privacy choices you may have made within that service’s offering.
And it’s also a function of their technology.
Threat #1: Account hacks
The most common threat individuals face is the single account hack. Your account is somehow compromised, and someone other than you gains access to your information when they shouldn’t.
While the most common or obvious example currently is an email account being hacked to send spam, your use of any online service is at risk if you don’t take appropriate measures.
When you place information in a location like a server on the internet that anyone could reach, it’s fairly clear that you need to protect the access to it.
- Pick a strong password.
- Set up and maintain recovery information.
- Enable two-factor authentication, when available.
- Access your account only from computers you know are secure.
- Don’t share your login information with anyone.
- Avoid scenarios where your login information might be captured, such as unencrypted connections on free open Wi-Fi.
Hopefully, that’s a boring list as these are all things that you should already know by now.
But the fact remains that when an individual account compromise happens, it can usually be traced back to an oversight or issue somehow caused by the account holder.
Protection from individual account compromise is your responsibility, but it’s also in your control.
Threat #2: System hacks
The scenario is simple: a hacker gains access to areas of the online service they’re not supposed to. Once in, they get access to private user data stored there, or worse, access to the accounts and login credentials for users.
This is not something you have control over. You rely on the service having appropriate security measures in place. Thus, you need to choose reputable services with good track records.
When you place information into an online service, you trust they know what they’re doing. You trust them to have security in place to prevent hacking and data or account theft, and you trust them to appropriately back up your information in case of assorted forms of legitimate failure.
If you don’t trust them, don’t use them. It’s as simple as that.
Threat #3: Data loss
If your data is in only one place, then it’s not backed up. You risk losing it, completely and permanently, should something ever happen to that one place.
An online service — any online service — is “only one place”. The fact that they probably back up has absolutely no bearing on it. If you lose access to your online service for any reason, you’ll lose everything you’ve put into that one place.
It’s heartbreaking, but I’ve had messages from people who’ve lost years of work, such as their master’s thesis or multiple years’ worth of writing or blogging, because they kept it in exactly one place: an online service they subsequently lost access to. It’s happened more than once, and the net result is the same: everything is gone. Forever.
Back up what you save in the cloud somehow. Back it up on your computer(s), to a different online service, or anything guaranteeing you have at least two (ideally three) copies of everything you care about.
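One way to check the "at least two (ideally three) copies" rule, as an added example that is not part of the original article: it counts a copy only when the file exists in a backup location and its SHA-256 matches the original, so stale or damaged copies do not count. The folder names and sample files are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def count_copies(primary, backups):
    """Map each file under `primary` to its number of identical copies.

    The primary counts as one. A backup location adds one only if the file
    exists there and its SHA-256 matches, so stale or damaged copies and
    missing files are not counted.
    """
    primary = Path(primary)
    counts = {}
    for src in sorted(p for p in primary.rglob("*") if p.is_file()):
        rel = src.relative_to(primary)
        want = sha256_of(src)
        matches = sum(1 for root in backups
                      if (Path(root) / rel).is_file()
                      and sha256_of(Path(root) / rel) == want)
        counts[rel.as_posix()] = 1 + matches
    return counts

def under_protected(counts, minimum=2):
    """Files with fewer than `minimum` verified copies."""
    return sorted(name for name, n in counts.items() if n < minimum)

def demo():
    """Constructed sample: a synced cloud folder plus two backup locations."""
    with tempfile.TemporaryDirectory() as tmp:
        cloud, disk, other = (Path(tmp) / d for d in ("cloud", "disk", "other"))
        files = {"thesis.txt": b"final draft", "photos/a.jpg": b"\xff\xd8img", "notes.txt": b"v2"}
        for root, names in ((cloud, files), (disk, ["thesis.txt", "notes.txt"]),
                            (other, ["thesis.txt", "photos/a.jpg"])):
            for name in names:
                target = root / name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(files[name])
        (disk / "notes.txt").write_bytes(b"v1")  # stale copy: must not count
        return count_copies(cloud, [disk, other])

if __name__ == "__main__":
    print(under_protected(demo(), minimum=2))
```

Point `count_copies` at the local folder your cloud service syncs to and at each place you back up to; anything `under_protected` returns exists in only one verified place.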
Threat #4: Legal access
I hesitate to call this a “threat”, but depending on what you use the cloud for, or depending on your trust in the legal system, this can be an important consideration.
Is it possible for a technician or other individual authorized by the service to examine the data you have stored within the service?
In most cases, the answer is yes. Your email can almost certainly be read by technicians at your ISP. Your notes and documents may well be similarly accessible to the staff of the online service where you store them.
We typically rely on two things when it comes to this type of security:
- You and I are just not that interesting. Seriously, a mail service’s technician would have to be pretty bored to spend time reading random emails from random people they don’t know or care about.
- The service restricts that kind of access to only trusted staff members. The receptionist at the service’s front desk probably can’t get at your files; that access is probably restricted to only a handful of senior and highly trusted technicians.
The only real exception to this scenario is when you become interesting to law enforcement. This also varies depending on the laws in your area, but typically, law enforcement can compel the service to hand over your information with appropriate court orders.
The only solution is strong encryption. You must encrypt your sensitive data prior to placing it on the service.
The service claiming they encrypt it for you is nice, and protects you from some threats, but if they can encrypt it, they can decrypt it. Law enforcement could compel them to do so.
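A sketch of encrypting before upload, added here as an example and not taken from the original article or from any particular service: the key is derived from a passphrase only you hold, so what the service stores cannot be decrypted by the service. It assumes the third-party Python `cryptography` package; the function names and the `CSE1` blob layout are made up for this illustration.

```python
import hashlib
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"CSE1"            # hypothetical 4-byte format tag for this example
SALT_LEN, NONCE_LEN = 16, 12
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN

def _key_from_passphrase(passphrase, salt):
    """Stretch the passphrase with scrypt into a 256-bit AES key."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)

def encrypt_for_upload(plaintext, passphrase):
    """Return MAGIC || salt || nonce || AES-256-GCM ciphertext and tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = _key_from_passphrase(passphrase, salt)
    return MAGIC + salt + nonce + AESGCM(key).encrypt(nonce, plaintext, MAGIC)

def decrypt_download(blob, passphrase):
    """Reverse encrypt_for_upload.

    Raises InvalidTag if the passphrase is wrong or the stored blob was
    modified, and ValueError if the blob is not in this example's format.
    """
    if blob[:len(MAGIC)] != MAGIC or len(blob) < HEADER_LEN + 16:
        raise ValueError("not a blob produced by encrypt_for_upload")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:HEADER_LEN]
    key = _key_from_passphrase(passphrase, salt)
    return AESGCM(key).decrypt(nonce, blob[HEADER_LEN:], MAGIC)

def provider_view(blob, guess):
    """What a party holding only the stored blob recovers: nothing."""
    try:
        return decrypt_download(blob, guess)
    except InvalidTag:
        return None

if __name__ == "__main__":
    secret = b"account 12345 (constructed sample data)"
    stored = encrypt_for_upload(secret, "correct horse battery staple")
    print(provider_view(stored, "not the passphrase"))
    print(decrypt_download(stored, "correct horse battery staple"))
```

The passphrase never leaves your machine, which also means nobody can recover the data for you if you forget it.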
Online services “in the cloud” offer a wide variety of features and convenience, but not without risk and potential cost. The more sensitive the data, the more careful you need to be about keeping it in the cloud.
Carefully consider which services you trust with keeping your data and just what data you’re going to keep there. And, of course, make sure you’re doing all the right things to keep your access safe and secure.