Your information is safer than you think, although the cloud is not without risk.
This short question opens a veritable Pandora’s box of issues and considerations.
I believe there’s a lot of misunderstanding about just what information safety means and how secure your data is and is not when you use cloud-based services.
Of course, there’s also a lot of misunderstanding about what “cloud-based services” even means, so we’ll need to define that a little first.
Become a Patron of Ask Leo! and go ad-free!
Keeping things safe in the cloud
- The cloud is nothing more than the online services you’re using already.
- It’s your responsibility to secure your account with strong password hygiene, up-to-date account recovery information, and more.
- Choose reputable providers with a strong security track record. If you don’t trust them, don’t use them.
- Back up your data regardless. So many things can go wrong.
- Encrypt sensitive data you store online.
The Cloud
I’ve talked about cloud computing before, but as a reminder, my definition is really pretty simple:
The cloud is nothing more than the internet, and cloud services are nothing more than services you access over the internet.
Some examples:
- Outlook.com, Gmail, Yahoo mail, and the like. Particularly if you’re using their web interfaces, your email is in the cloud and has been for a very long time.
- Share your photos on Flickr, Google Photos, Instagram, or some other online photo sharing service? You’ve been putting your photos in the cloud.
- Your OneDrive and Google Drive/Docs documents are being stored for access and collaboration in the cloud.
- Services like RoboForm, LastPass, DropBox, Evernote, Notion, and others back up your data to their servers in the cloud, and they often allow you access to your data from just about anywhere you can connect to the internet.
You get the idea… “the cloud” isn’t really anything new. You’ve been using it for some time already.
As network speeds and capabilities have expanded, so has our use of helpful and powerful services out on the internet.
Calling it “the cloud” just sounds sexier.
Why cloud security matters
There are two types of information you care about keeping safe when using online services:
- Information about you, such as your email address, passwords, account numbers, and the like.
- Information that you’re using the service to manage, such as your email, address book, documents, photos, and more. While some of this might be public, such as photos you choose to share, much of it may be private information you wouldn’t want the world to see.
When using an internet-based service, you’re placing all of that information onto servers that by definition anyone on the internet can access. How much of your information they can access is a function of how secure the service is and what privacy choices you may have made within that service’s offering.
And it’s also a function of their technology.
Threat #1: Account hacks
The most common threat individuals face is the single account hack. Your account is somehow compromised, and someone other than you gains access to your information when they shouldn’t.
While the most common or obvious example currently is an email account being hacked to send spam, your use of any online service is at risk if you don’t take appropriate measures.
When you place information in a location like a server on the internet that anyone could reach, it’s fairly clear that you need to protect the access to it.
- Pick a strong password.
- Set up and maintain recovery information.
- Enable two-factor authentication, when available.
- Access your account only from computers you know are secure.
- Don’t share your login information with anyone.
- Avoid scenarios where your login information might be captured, such as unencrypted connections on free open Wi-Fi.
- Take the time to understand the service’s privacy policy and account settings to ensure that you’re not publicly sharing something you mean to keep private.
Hopefully, that’s a boring list as these are all things that you should already know by now.
But the fact remains that when an individual account compromise happens, it can usually be traced back to an oversight or issue somehow caused by the account holder.
Protection from individual account compromise is your responsibility, but it’s also in your control.
Threat #2: System hacks
The scenario is simple: a hacker gains access to areas of the online service they’re not supposed to. Once in, they get access to private user data stored there, or worse, access to the accounts and login credentials for users.
This is not something you have control over. You rely on the service having appropriate security measures in place. Thus, you need to choose reputable services with good track records.
When you place information into an online service, you trust they know what they’re doing. You trust them to have security in place to prevent hacking and data or account theft, and you trust them to appropriately back up your information in case of assorted forms of legitimate failure.
If you don’t trust them, don’t use them. It’s as simple as that.
Threat #3: Data loss
If your data is in only one place, then it’s not backed up. You risk losing it, completely and permanently, should something ever happen to that one place.
An online service — any online service — is “only one place”. The fact that they probably back up has absolutely no bearing on it. If you lose access to your online service for any reason, you’ll lose everything you’ve put into that one place.
It’s heartbreaking, but I’ve had messages from people who’ve lost years of work, such as their master’s thesis or multiple years worth of writing or blogging, because they kept it in exactly one place: an online service they subsequently lost access to. It’s happened more than once, and the net result is the same: everything is gone. Forever.
Back up what you save in the cloud somehow. Back it up on your computer(s), to a different online service, or anything guaranteeing you have at least two (ideally three) copies of everything you care about.
Threat #4: Legal access
I hesitate to call this a “threat”, but depending on what you use the cloud for, or depending on your trust in the legal system, this can be an important consideration.
Is it possible for a technician or other individual authorized by the service to examine the data you have stored within the service?
In most cases, the answer is yes. Your email can almost certainly be read by technicians at your ISP. Your notes and documents may well be similarly accessible to the staff of the online service where you store them.
We typically rely on two things when it comes to this type of security:
- You and I are just not that interesting. Seriously, a mail service’s technician would have to be pretty bored to spend time reading random emails from random people they don’t know or care about.
- The service restricts that kind of access to only trusted staff members. The receptionist at the service’s front desk probably can’t get at your files; that access is probably restricted to only a handful of senior and highly trusted technicians.
The only real exception to this scenario is when you become interesting to law enforcement. This also varies depending on the laws in your area, but typically, law enforcement can compel the service to hand over your information with appropriate court orders.
The only solution is strong encryption. You must encrypt your sensitive data prior to placing it on the service.
The service claiming they encrypt it for you is nice, and protects you from some threats, but if they can encrypt it, they can decrypt it. Law enforcement could compel them to do so.
Do this
Online services “in the cloud” offer a wide variety of features and convenience, but not without risk and potential cost. The more sensitive the data, the more careful you need to be about keeping it in the cloud.
Carefully consider which services you trust with keeping your data and just what data you’re going to keep there. And, of course, make sure you’re doing all the right things to keep your access safe and secure.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
One thing that can be added to the legal access scenario. Suspicion of crimes is not the only case where the court may order an ISP or Cloud provider to hand over information. It’s possible for anyone to be vulnerable in the case of a lawsuit. So don’t neglect precautions just because you think you’re not interesting or not doing anything wrong. You never know when this may eventually happen.
On the question of security, for cloud/internet services the only safe assumption you can make is that your files are totally available to anyone on the internet. The article has mentioned most of the ways that your information can be exposed. One way not mentioned is not knowing exactly where your information is stored. For example, if you live outside of the US you may assume that your data is safe from US government/legal system prying (or it could be any other nation). But there are many ways that your data may become exposed to them without your knowledge. One way is that although the TLD is your national one, ie Google.UK, the server is actually hosted elsewhere. Another way is even if your server is hosted locally, it’s disaster failover site may be in another country. Finally, their offsite backups may be stored in another country. If any form of your data resides in some other country, their legal system can grab it.
So, if you have any sensitive information, personal or corporate data stored on the net it is not secure unless you apply encryption to the file yourself, BEFORE it is uploaded to the internet. All unecrypted data, regardless of what legal (contract or local legislation) or technical (ie HTTPS) protection you may think you have, you DON’T!
I have seen some articles that indicate they are enthralled with the cloud. I am more than skeptical about the cloud just as the reasons stated here. Why should I entrust my information to a cloud. It is no more safe there than on my own PC. In spite of what some believe the internet is not perfect and doesn’t always work. Especially for people like me who live in the boondocks. Plus I don’t want Big Brother controlling my information.
Those problems are solved by encryption and backups. Strong encryption makes the data impossible to read by hackers and multiple backups make it impossible to lose data. When I say impossible, it’s really an infinitesimal chance of failure.
“Cloud” storage/computing is a fad, folks, pure & simple. *Sigh.*
It has a huge bunch of unwelcome shortcomings, not the least of which include (among many others!) —
…and so on and so forth. Need I go on? It is, I suppose, a feasible option for small amounts of data that is carefully encrypted first, not vitally essential, and will not be urgently needed. But I sure wouldn’t advise using it on any other terms! Local storage, on a USB drive, is in my opinion a vastly better alternative in most cases.
No! The article gives a solution to all of those points.
1. Multiple backups will protect against this.
2. Multiple backups will protect against this.
3. Multiple backups will protect against this.
4. Multiple backups will protect against this.
5. Encryption will protect against this.
6. This has improved greatly since that comment was posted. I back up 10 GB VeraCrypt volumes to OneDrive
7. Multiple backups will protect against this.
(this is a response to an old comment, and I doubt the OP will see this, but it might benefit somebody)
Perhaps no direct connection with Cloud,I wonder if, when any online purchasing where Bank Card details are conditional and also Card idents, is there any protection that same recipient can’t access your account without further authority from the Card Holder? Or should one demand Direct Deposit to their BSB and A/c number?
@Keith
This is a risk whenever you use your credit card, whether online or in a shop. If the people you are dealing with are unscrupulous they can retain your information and use it later without authorization. I once had my credit card number stolen in a restaurant where they take your card away to process it.
The risk of using a credit card online is no higher online than it is in a shop. In some cases, it’s even safer
A few safeguards. 1. Only use your credit card with companies you trust. 2. Use PayPal or a similar service when purchasing online. 3. Some credit cards give 100% protection against fraudulent use.
I’ve been leery of the cloud before it started being called that. I’ve used services like the now defunct XDrive, and I use MS’s Skydrive, but not for anything personal or significant. When USB drives came down in price, I bought many and used them in different places to back up different things. Now that portable HDs are so reasonably priced, I have two, and my important files are on my PC (which has two HDs in a RAID1 config) and back them up to two portable HDs, giving me multiple-failure, secure protection. Someone stated that the cloud is a fad, well yes is certainly is; Microsoft tried to make is sound sexy for their Win7 commercials, but anybody who knows anything about computing knows that is a simple file holder and not a place for sensitive or personal data (Right Sony & Sega?).
Never log in at computer were you can not check if they have password automatically remember checked.
“Avoid scenarios where your login information might be captured, such as unencrypted connections on free open Wi-Fi.”
One way to avoid those scenarios is to use a VPN whenever using your laptop on a public network.
Never use a public computer to log into important accounts. This includes almost all of your accounts. This probably means never using public computers. Using the onscreen keyboard will mitigate this as it circumvents hardware keyloggers plugged in between the keyboard and the computer, but it won’t protect against a software keylogger. Libraries aren’t necessarily the best at security. One time, I logged into my Gmail account in a library and while logged in, my time ran out and the session was ended. I asked the guy at the desk to log me back on to the system so I could log out of GMail. Their security was so poor, the next user can get access to any logged in accounts. To be secure, the system should have included a process that deleted all cookies when the session timed out.
That was many years ago.
Use your phone, tablet, or computer in a library or public WAP and use a VPN.
I NEVER log into ANY account using a public computer (such as at my local library). The most important thing to understand is that anyone who provides computer access to the public will have their own protection as their first consideration when setting up Network/computer security, and my safety will be (at best) a secondary consideration, if it is considered at all. The ONLY reason I have ever used a public computer has been to look up some information I need at the time. I find what I need and copy it into a document, then print it (NO USB sticks, ever!). This way, there is no possibility of some malware getting to any of my home computers or my phone.
I avoid public Wi-Fi like the plague. My phone is set to use my home Wi-Fi, but not public hot spots. My laptop PC is configured with very adequate security measures when on my home (private) Network, and with significantly heightened security measures when connected to any other (public) Network. I avoid using any public Internet connection if at all possible. I think I have used public hot spots two times in my life, then when I got home, I performed a full system scan using two different scanners (Microsoft/Windows Defender and Malwarebytes) to insure than I brought nothing home with me before I allowed my laptop PC to connect to my home Network again (I disabled the Wi-Fi adapter in my laptop before returning home).
Call me a bit paranoid, but I’d rather be safe than sorry,
Ernie