Is My Information Safe in the Cloud?

This is a short question that opens up a veritable Pandora’s box of issues and considerations.

I believe that there’s a lot of misunderstanding about just what information safety means and how secure your data is and is not when you use cloud-based services.

Of course, there’s also a lot of misunderstanding about just what “cloud-based services” even means, so we’ll need to define that a little first.

The Cloud

I’ve talked about cloud computing before, but as a reminder, my definition is really pretty simple:

The cloud is nothing more than the internet and cloud services are nothing more than services that you can access over the internet.

Some examples:

  • Hotmail, Gmail, Yahoo mail, and the like – If you’re using their web interfaces, your email is in “the cloud” and has been for a very long time.
  • Share your photos on Flickr, Picasa, Photobucket, or some other online photo sharing service? You’ve been putting your photos in “the cloud”.
  • Google Docs stores documents of various sorts for access and collaboration in “the cloud”.
  • Services like RoboForm, LastPass, Dropbox, Evernote, and others back up your data to their servers in “the cloud” and they often allow you access to your data from just about anywhere that you can connect to the internet.

You get the idea … “the cloud” isn’t really anything all that new; in fact, you’ve probably been using it for some time already. As network speeds and capabilities have expanded, so too has our use of helpful and powerful services out on the internet.

Calling it “the cloud” just sounds a lot sexier.

Why cloud security matters

There are two basic types of information that you care about keeping safe when you use online services:

  • Information about you, such as your email address, passwords, account numbers, and the like.
  • Information that you’re using the service to manage, such as your email, address book, documents, photos, and more. While some of this might be public – such as photos which you choose to share – much of it may be private information that you wouldn’t want the world to see.

When using an internet-based service, you’re placing all of that information onto servers that by definition anyone on the internet can access. How much of your information they can access is a function of how secure the service is and what privacy choices you have made within that service’s offering.

And it’s also a function of their technology.

Threat #1: Account hacks

The most common threat that individuals face is simply the single account hack. Your account is somehow compromised and someone other than you (someone who shouldn’t) gains access to your information.

While the most common or obvious example currently is an email account being hacked to send spam, your use of any online service is at risk if you don’t take appropriate measures.

When you place information in a location like a server on the internet that anyone could reach, it’s fairly clear that you need to protect the access to it.

  • Pick a strong password.
  • Access your account only from computers that you know are secure.
  • Don’t share your login information with anyone.
  • Avoid scenarios where your login information might be captured, such as unencrypted connections on free open-WiFi.
  • Take the time to understand the service’s privacy policy and account settings to ensure that you’re not publicly sharing something that you meant to keep private.

Hopefully, that’s a boring list as these are all things that you should already know by now.

But the fact remains that when individual account compromise happens, it can usually be traced back to an oversight or issue somehow caused by the account holder.

Protection from individual account compromise is in your control.

Threat #2: System hacks

We hear of this occasionally, but in recent weeks, there does seem to have been an increase in the number of reported system hacks.

The scenario is conceptually simple: a hacker gains access to areas of the online service that he’s not supposed to. Once in, he gets access to the private user data stored there, or worse, access to the accounts and login credentials for users.

This is typically not something that you have control over, but you do rely on the service to prevent this by having appropriate security measures in place. As a result, you also need to make sure to choose reputable services with good security track records.

When you place information into an online service, you are fundamentally trusting that they know what they’re doing. You trust them to have appropriate security in place to prevent hacking and data or account theft, and you trust them to appropriately back up your information in case of assorted forms of legitimate failure.

If you don’t trust them, then don’t use the service, and don’t put your data there. It’s as simple as that.

Threat #3: Data loss

If your data is in only one place, then it’s not backed up. You risk losing it, completely and permanently, should something ever happen to that one place.

An online service – any online service – should be considered “only one place”. The fact that they probably back up has absolutely no bearing on it. If you lose access to your online service for any reason, everything that you’ve put into that one place will be lost. Period.

It’s heartbreaking, but I’ve had messages from people who’ve lost years of work, such as their master’s thesis or multiple years worth of writing or blogging because they kept it in exactly one place: an online service that they subsequently lost access to. It’s happened more than once, and the net result is the same: everything is gone. Forever.

Back up what you save in the cloud somehow – on your computer(s), on a different online service, on anything that guarantees you have at least two (ideally three) copies of everything you care about.
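
One way to check the rule above, as an added example that is not part of the original article: this Python script treats each folder (say, the cloud service’s local sync folder and an external drive) as one place and reports files that exist in only one place or whose copies no longer match. The function names, folder labels, and sample files are assumptions made for illustration.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_copies(places: dict[str, Path], minimum: int = 2) -> dict[str, str]:
    """Return {relative name: problem} for files lacking `minimum` identical copies."""
    seen = defaultdict(dict)  # relative name -> {place label: content hash}
    for label, root in places.items():
        for path in root.rglob("*"):
            if path.is_file():
                seen[path.relative_to(root).as_posix()][label] = sha256_of(path)

    problems = {}
    for name, copies in sorted(seen.items()):
        if len(copies) < minimum:
            problems[name] = "only in: " + ", ".join(sorted(copies))
        elif len(set(copies.values())) > 1:
            problems[name] = "copies differ between: " + ", ".join(sorted(copies))
    return problems


def demo() -> dict[str, str]:
    """Constructed sample: a cloud sync folder and an external drive."""
    with tempfile.TemporaryDirectory() as tmp:
        cloud, drive = Path(tmp, "cloud"), Path(tmp, "drive")
        cloud.mkdir()
        drive.mkdir()
        (cloud / "thesis.txt").write_text("chapter 1")   # exists only in the cloud
        (cloud / "photo.txt").write_text("same bytes")
        (drive / "photo.txt").write_text("same bytes")   # properly duplicated
        (cloud / "blog.txt").write_text("latest draft")
        (drive / "blog.txt").write_text("old draft")     # stale or damaged copy
        return audit_copies({"cloud": cloud, "drive": drive})


if __name__ == "__main__":
    for name, problem in demo().items():
        print(f"{name}: {problem}")
```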

Threat #4: Legal access

I hesitate to call this a “threat”, but depending on what you use the cloud for, or depending on your trust of the legal system, this can be an important consideration.

Can the service examine your data?

By that, I mean: is it possible for a technician or other individual authorized by the service to examine the data that you have stored within the service?

In most cases, the answer is yes. Your email can almost certainly be read by technicians at your ISP. Your notes and documents may well be similarly accessible to the staff of the online service where you store them.

We typically rely on two things when it comes to this type of security:

  • We’re not that interesting. Seriously, a mail service’s technician would have to be pretty bored to spend time reading random emails from random people they don’t know or care about.
  • The service restricts that kind of access to only trusted staff members. The receptionist at the service’s front desk probably doesn’t have the ability to get at your files; that’s probably restricted to only a handful of senior level – and therefore highly trusted – technicians.

The only real exception to this scenario is when you do become interesting to law enforcement. This also varies depending on the laws in your area, but typically, law enforcement can compel the service to hand over your information with appropriate court orders.

The only solution to that scenario is strong encryption.

Either you must encrypt your data prior to placing it on the service or you need to take the extra step to ensure that the service itself encrypts the data in such a way that even they cannot access it. Typically, that means that the data is encrypted by the service on your machine as part of uploading (it’s never not encrypted, except on your machine) and that your data cannot be recovered if you lose your password. Data recovery in the face of a lost password implies that the data can be accessed somehow without it, even if only by the service.
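
The first option, encrypting before upload, sketched in Python as an added example that is not part of the original article. It assumes the third-party `cryptography` package is installed; the function names and sample data are made up for illustration. The key exists only as a function of your password, so whoever holds the stored bytes cannot read them, and neither can you if the password is lost.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt


def _key_from_password(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 256-bit key; nothing else can reproduce it."""
    kdf = Scrypt(salt=salt, length=32, n=2**15, r=8, p=1)
    return kdf.derive(password.encode("utf-8"))


def encrypt_for_upload(plaintext: bytes, password: str) -> bytes:
    """Return salt + nonce + ciphertext: the only bytes the service ever receives."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = _key_from_password(password, salt)
    return salt + nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def decrypt_after_download(blob: bytes, password: str) -> bytes:
    """Reverse encrypt_for_upload; raises InvalidTag on a wrong password or altered data."""
    salt, nonce, ciphertext = blob[:16], blob[16:28], blob[28:]
    key = _key_from_password(password, salt)
    return AESGCM(key).decrypt(nonce, ciphertext, None)


def recoverable_without_password(blob: bytes, guess: str) -> bool:
    """What the service, or anyone else holding the stored blob, can do with a guess."""
    try:
        decrypt_after_download(blob, guess)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    secret = b"Account 12345: constructed sample data"  # constructed sample
    stored = encrypt_for_upload(secret, "correct horse battery staple")
    print(secret in stored)
    print(decrypt_after_download(stored, "correct horse battery staple") == secret)
    print(recoverable_without_password(stored, "password123"))
```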

Choices

Online services or services in “the cloud” offer a wide variety of features and convenience, but not without risk and potential cost.

The more sensitive the data, the more careful you need to be about keeping it in the cloud.

That means carefully considering which services you might trust with keeping your data and just what data you’re going to keep there.

And, of course, making sure that you’re doing all the right things to keep your access safe and secure.

9 comments on “Is My Information Safe in the Cloud?”

  1. One thing that can be added to the legal access scenario. Suspicion of crimes is not the only case where the court may order an ISP or Cloud provider to hand over information. It’s possible for anyone to be vulnerable in the case of a lawsuit. So don’t neglect precautions just because you think you’re not interesting or not doing anything wrong. You never know when this may eventually happen.

  2. In addition to the security aspects mentioned in the article is something a little more mundane to consider. How much is your time and money worth to you?

    By that I mean how long would it take you to upload a 1GB file if your ISP provides a 768 Kbps upload speed under ideal conditions? By my calculations it would take almost 3 1/2 hours. If your ISP caps your total downloads will you exceed that cap and get hit with exorbitant overage fees?

    I don’t think current technology, or the limitations imposed by ISPs, make cloud computing very appealing except for very small files. Just my opinion. 🙂

  3. On the question of security, for cloud/internet services the only safe assumption you can make is that your files are totally available to anyone on the internet. The article has mentioned most of the ways that your information can be exposed. One way not mentioned is not knowing exactly where your information is stored. For example, if you live outside of the US you may assume that your data is safe from US government/legal system prying (or it could be any other nation). But there are many ways that your data may become exposed to them without your knowledge. One way is that although the TLD is your national one, i.e. Google.UK, the server is actually hosted elsewhere. Another way is even if your server is hosted locally, its disaster failover site may be in another country. Finally, their offsite backups may be stored in another country. If any form of your data resides in some other country, their legal system can grab it.

    So, if you have any sensitive information, personal or corporate data stored on the net it is not secure unless you apply encryption to the file yourself, BEFORE it is uploaded to the internet. All unencrypted data, regardless of what legal (contract or local legislation) or technical (i.e. HTTPS) protection you may think you have, you DON’T!

  4. I have seen some articles that indicate they are enthralled with the cloud. I am more than skeptical about the cloud just as the reasons stated here. Why should I entrust my information to a cloud? It is no more safe there than on my own PC. In spite of what some believe the internet is not perfect and doesn’t always work. Especially for people like me who live in the boondocks. Plus I don’t want Big Brother controlling my information.

  5. “Cloud” storage/computing is a fad, folks, pure & simple. *Sigh.*

    It has a huge bunch of unwelcome shortcomings, not the least of which include (among many others!) —

    1. Your data can simply vanish into the ether without any warning;
    2. Your provider may be unreliable (see the above item);
    3. Your provider can go bankrupt (see first item, above);
    4. You can fail to pay your bill (again, see first item, above);
    5. Your data can be hacked or subpoenaed;
    6. Data transfer rates may be abysmal;
    7. Will your data be maintained uncorrupted?

    …and so on and so forth. Need I go on? It is, I suppose, a feasible option for small amounts of data that is carefully encrypted first, not vitally essential, and will not be urgently needed. But I sure wouldn’t advise using it on any other terms! Local storage, on a USB drive, is in my opinion a vastly better alternative in most cases.

  6. Perhaps no direct connection with Cloud, I wonder if, when any online purchasing where Bank Card details are conditional and also Card idents, is there any protection that same recipient can’t access your account without further authority from the Card Holder? Or should one demand Direct Deposit to their BSB and A/c number?

  7. @Keith
    This is a risk whenever you use your credit card, whether online or in a shop. If the people you are dealing with are unscrupulous they can retain your information and use it later without authorization. I once had my credit card number stolen in a restaurant where they take your card away to process it.
    I read an article which said that the risk of using a credit card online is no higher online than it is in a shop.
    A few safeguards. 1. Only use your credit card with companies you trust. 2. Use PayPal or a similar service when purchasing online. 3. Some credit cards give 100% protection against fraudulent use.

  8. I’ve been leery of the cloud before it started being called that. I’ve used services like the now defunct XDrive, and I use MS’s Skydrive, but not for anything personal or significant. When USB drives came down in price, I bought many and used them in different places to back up different things. Now that portable HDs are so reasonably priced, I have two, and my important files are on my PC (which has two HDs in a RAID1 config) and I back them up to two portable HDs, giving me multiple-failure, secure protection. Someone stated that the cloud is a fad, well yes it certainly is; Microsoft tried to make it sound sexy for their Win7 commercials, but anybody who knows anything about computing knows that it is a simple file holder and not a place for sensitive or personal data (Right Sony & Sega?).
