How to secure data in the cloud

The surge to cloud technology is rapidly gathering pace. In the space of just a few years it has moved from a technology that many people were unsure about, though they recognised its potential, to a technology that is being adopted by the largest of blue chip global organisations and the smallest of small businesses.

The cloud has been around a long time. Web-based email services such as Gmail and Hotmail are cloud services. By using one of these services, users are plugging into a server housed in a data centre that is sitting somewhere on the internet.

Internet-based services, or the cloud, solve a pressing problem; a means to store the explosive growth in digital data. And it’s certainly explosive. A few years back a number of technology companies reckoned that the amount of digital data zipping around the internet was set to exceed a zettabyte.

A zettabyte isn’t an alien life form from a science fiction movie. It’s a staggeringly mountainous amount of data. To make sense of what a zettabyte is, it roughly equates to the storage capacity of 75 billion16GB iPads. Or to put it another way, it would take every single person on the planet, all 7 billion of them, tweeting non-stop for 100 years to generate a zettabyte. Who knows how long it will be before a zettabyte becomes a yottabyte the next unit of digital data measurement? Probably not that long.

The point is that the cloud is rapidly becoming the default platform for storing data and launching services. For small companies it’s far more cost effective to rent a web server and launch their services from it rather than spend a lot of ‘overhead’ money on hardware and professional services for an in-house platform.

And because money makes the world goes round and cloud providers proudly and with some truth, declare that the cloud is far more cost effective than masses of IT equipment in-house, we’re all going to be gradually swamped with cloud services.

>See also: UK attitudes toward cloud security are changing, survey reveals

Hackers love lots of data on one server

But the question on everyone’s lips, even those monster-sized companies with in-house technology expertise, is how secure is the cloud? Well, at a personal level some cloud services encrypt data while it’s travelling between your computer and the data centre. So even if someone captures the files as they’re zipping across the internet, there’s not much they can do with them.

That said, hackers tend to focus on where the data is stored rather than targeting individuals. Put simply, they generally want the most amount of information for the least amount of effort. 

Amazon Web Services rent out servers to companies who want to launch cloud services and to say these servers aren’t hackable is a bit like saying that the NSA doesn’t spy on people’s communications unless it’s really necessary.

Novice hacker scoops the prize

Interestingly, late last year a competition was held to see how secure cloud servers are. The prize was $5,000. Six servers were set up, two running Microsoft software and four running open source Linux, a competitor to Microsoft and well loved by many software developers who bridle at the hegemony of the boys and girls from Redmond.

The hack was completed within four hours. Alarmingly, the winner wasn’t even an expert. He reportedly said: “I just thought I’d spend two or three hours poking around and see what I could learn, and it would make for an interesting evening.”

The security settings for the servers mimicked the set up often seen in servers used to launch cloud servers. The problem is that the appeal of cloud services is that they can be set up cheaply and quickly.

Imagine Company X is set to launch a new range of low cost sportswear that it’s sourcing from China. Why should it spend money on its own servers along with the cost of professional services to keep everything running when it can get the same set up by renting out a server much more cheaply? Unfortunately, beyond the default security settings, no one gives much thought to security. There’s an assumption that the default settings are enough.

>See also: Keys to the castle: Encryption in the cloud

The scent of money

This is redolent of the early days of ecommerce, when a raft of electronic adventurers lured by the scent of green backs rushed towards the internet with recklessness. There was a fever in the air, some great ecommerce sites went up offering all manner of goods, analysts were predicting the death of street shopping and financial analysts were trying to value these new online operations – and often failed hopelessly.

The lack of security on many of these sites was soon exposed. There’s a similar, if not quite the same intensity, atmosphere around cloud services. And similarly, security is taking a back seat.

Most of the growth in cloud services is happening in small businesses, precisely because it’s cost effective. And it has been proven that hackers can dig into the internet and identify servers which are running on cloud servers. Cloud is cheap because the services are shared.

So for example, a server processor could be shared by a number of users, whether it’s a book seller, a shoe shop or a fashion retailer. But because these services are shared data could leak. There’s also the fact that the concentration of users and data on just a few locations is also attractive for hackers.

The largest hack in history

Perhaps the most infamous cloud hack was the Sony data breach that compromised the personal data of more than 70 million customers a few years ago. It’s gone down as the largest hack in history to date, with users of the company’s PlayStation streamed games affected. Users could still play their games offline but couldn’t get online for near to three weeks, though how many wanted to after having their data was compromised is a moot point.

The alarming thing about this breach is if a mega corporation like Sony couldn’t protect its cloud service by running up-to-date, patched software and an appropriate firewall how many others are in the same position.

The fallout from this hack is not so great today given that it happened in 2011 but at the time it certainly had an impact on the cloud industry with many companies in the area taking a hit on their share prices. If there are any positives, it’s the hope that others would have learnt and as a result put good security practice in place.

>See also: Transforming IT into a cloud service broker

How to protect

Thankfully, there haven’t been any cloud hacks on a similar scale since then but that’s not to say there won’t be anymore. That said, there are some simple steps you can take to protect yourself. 

Cloud storage services for example, often offer the ability to control who can access your files.  There is ‘private’ where only the users can view the files, ‘public’ where everyone can view the files, or ‘shared’ where only selected people can view the files. Businesses should select the one that is most appropriate for them.

Another obvious point is to choose a strong password. Most cloud services will be controlled by your username and password, so make sure you use a strong password that combines upper and lower case letters and numbers.

Good cloud storage providers will have clear and transparent information on their website about how they will secure personal information and what they will or will not do with it. If a user can’t find this information or feel the terms are unfair or laced with confusing jargon, it might be a good idea to give the service a swerve and look elsewhere.

A cloud storage provider might also store data in an encrypted form and keep the key in a safe and secure location. When logging into the service with a username and password, they will decrypt the files so they can be used. This is good practise.

So in summary, if a business is about to use a cloud service and wants to know how secure the data is, follow these simple steps: check the company’s security provisions and find out whether your data is encrypted, use a strong password, and control who can access the data.

But nothing is foolproof and if a hacker gains access to data via a company server, the onus is on the provider to protect the business. So it’s worth investigating what provisions they have in place should this happen.

 

Sourced from BullGuard blogger, Steve Bell

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Cloud Security