
How secure is the cloud?



Instead of lugging around a laptop, I’ve been considering using a tablet and keeping everything in the cloud (PC, not Apple). I realize the government can pretty much read whatever they want, but I don’t think Uncle Sam wants to steal my checking account.


Gov’t aside, how safe are personal / business / financial data from non-gov’t hackers?


I’d like the convenience but I’m afraid of hackers.


I’d appreciate your insight. Thanks.


I hope this article would address some of your concerns ...


How Secure Is the Cloud, Really?

By Richard Adhikari



Cloud security skeptics were given yet another reason to doubt the fortitude of online storage when the strange tale of Mat Honan emerged earlier this month. Through the clever use of social engineering, a hacker was able to wreak havoc on the Wired journalist's digital life.


Apparently, the hacker talked Amazon tech support into providing the last four digits of Honan's credit card number. This information was then used to fool Apple into thinking the hacker was Honan and issuing a temporary password for Honan's email account.


The hacker used this information to ultimately delete Honan's Gmail account, permanently reset his AppleID and Twitter passwords, and remotely wipe his iPhone, iPad and MacBook.


Apple and Amazon closed the specific security holes that enabled this attack after news of Honan's problem hit the headlines. But the question remains: How secure is information in the cloud, really?



Hey! You! Come Onto the Cloud!


More than 80 percent of 4,000 business and IT managers worldwide surveyed by the Ponemon Institute on behalf of Thales E-Security are transferring, or plan to transfer, sensitive or confidential data into the cloud.


Nearly half of the respondents' organizations already do so, and another one-third of respondents' organizations are very likely to transfer sensitive or confidential data to the cloud within the next two years.


Meanwhile, in the United States, the federal government is implementing a strategy to move en masse to the cloud to cut costs and be more responsive. The strategy's author, then-federal CIO Vivek Kundra, aimed at moving about US$20 billion of the federal government's estimated $80 billion in IT expenditure to the cloud.



Evil Is Always Possible


Moving to the cloud has negatively affected the security of their organizations, 39 percent of the respondents to the Ponemon survey for Thales said.


About two thirds of organizations moving their sensitive data to the cloud believe their service providers are primarily responsible for protecting that data. Also, about two thirds of organizations moving data to the cloud, though not necessarily the same organizations, have little or no knowledge about what measures their providers have put in place to protect data, the survey found.


About half the respondents said their organization applies persistent encryption to data before transferring it to the cloud, and the other half rely on encryption applied within the cloud environment.


However, "Whether your data is on your own servers or in the cloud, it is still your data, and ensuring its security is ultimately your responsibility," Richard Wang, manager of Sophos Labs US, told TechNewsWorld.


"The first step is to realize that all the normal security steps are still necessary in the cloud," said Mario Santana, vice president of cloud security at Terremark.


Organizations moving to the cloud should continue to look at misconfigured systems, default passwords, shared accounts and other problems that have always plagued IT, Santana told TechNewsWorld. "It's surprising how many folks assume that all that stuff is handled as a default part of a cloud service."



The Symptom of a Vacuum


As the federal government moves more data online, social engineering attacks could become more of an issue, Sander Temme, a sales engineer at Thales E-Security, told TechNewsWorld.


"The larger the organization, the greater the attack surface," Temme said. "On the other hand, larger organizations may have the kind of processes and procedures in place that make it much harder to carry out a social engineering attack."


However, the size and technical expertise of Apple and Amazon didn't protect the journalist, Honan, from having his accounts hacked.


The U.S. federal government, with its drive to the cloud, may be particularly vulnerable. Cybersecurity in federal government agencies has been found to be well short of where it should be, audits by the Government Accountability Office (GAO) and some agencies' internal inspectors-general have repeatedly found.


For example, the National Aeronautics and Space Administration (NASA), which spends about $58 million a year for IT security, is still lacking in the information security area, the agency's Inspector-General, Paul Martin, told Congress in February.



Safety Is an Illusion


Several vendors offer security of one sort or another in the cloud. They include AppRiver, McAfee, Panda, Symantec and Safenet.


However, cloud security is "still in its infancy," Torsten George, a vice president at Agiliance, told TechNewsWorld. "The industry still has a ways to go before organizations understand and adopt methodologies and technology to secure data in the cloud."


The employee endpoint is "the Achilles heel [of cloud security]," George Tubin, senior security strategist at Trusteer, told TechNewsWorld. It "must be protected by automated methods that can actually prevent malware from compromising the device."


In the cloud, that end point would be the support representative. When users call in saying they forgot their password or don't remember the answers to their security questions, for example, the cloud service "is left with the options of either assisting the user or telling them that they can no longer access their data," Sophos Labs' Wang said.


"The latter option is rather unpopular with customers, so cloud services generally need to have some flexibility, which leaves the door open for social engineering," Wang continued.


source: http://www.technewsworld.com/story/How-Secure-Is-the-Cloud-Really-76019.html


I just went through much of this with a stolen iPhone that was not backed up. When I got the new iPhone I now back up contact information (phone #'s only) and only those using a first name, and photos to iCloud (not justcloud). For me there's a peace of mind knowing that those things are backed up. Although Apple assures me that all the information on iCloud is secure, there have to be dozens of people that can see my iCloud account, therefore I never store anything there or anywhere that is ID sensitive, i.e. personal financial/business/or banking information.



If someone wants to steal your ID, they're going to find a way to do it, but for me I am uncomfortable with using an Internet site to store personal sensitive information.

Edited by bigvalboy

the greatest beauty is

Organic wholeness, the wholeness of life and things,

the divine beauty of the universe.

Love that, not man apart from that,

or else you will share man’s pitiful confusions,

or drown in despair when his days darken."


- Robinson Jeffers


B e l i e v e


Most of us are already committed pretty heavily to 'the cloud' - email, smartphones, social media, e-commerce, etc.


In the article Steven shared, the hacking was apparently made possible by a person in tech support.


As far as cloud storage of personal documents goes - most of my documents are backed up in the cloud (automatically) but there are a handful (list of account numbers, banking info, etc.) that I back up to an external hard drive. (In the past, I also backed up to a flash drive).


I don't use the cloud other than for my iTunes purchases because that's already sort of integrated into iTunes. I back up my computer and my phone to an external hard drive and keep a back up of the back up in a more secure place.


I don't trust the cloud for two main reasons. First, the data passes through too many unknown hands. Employees of cloud storage companies have access to the data. They may not have easy direct access to anything, but the convenience of the cloud isn't enough for me to willingly give my data to someone who just says, "Trust me, I'll keep it safe for you." Even the NSA couldn't keep its own data secure from its own employees and contractors.


And second, the nature of digital data lends itself to covert theft. There are the hackings that companies know about and know what's been taken, hackings that the companies know about but don't know what, if anything, was taken, and hackings that companies don't even know happened at all. And the sheer volume of hacking attempts is astounding. Earlier in the summer, the NY Times reported that at one university, they get 90,000 to 100,000 hacking attempts per day to get into their system. Of course those are merely attempts and it's a university setting rather than a corporation, but I imagine that corporations face similarly large numbers of hacking attempts to gain access to intellectual property, customer payment information, and the private information consumers hand over to them.


Sure, someone could break into your home and steal your computer or back up drive, but you're probably going to notice that a) there was a break in, and b) that your laptop/back up drive was stolen. And also there probably aren't thousands of people targeting you. A single person's private data is probably not all that valuable to hackers because it's a bit of a crapshoot whether any one person keeps sensitive personal or financial data on their computers. But a much larger pool of individuals, like the server of a cloud storage company, might be a much more attractive option because there are surely some people who have accidentally uploaded sensitive information or simply were unaware of the risk of doing so.


As the end users of these services, most of us don't have the technical understanding to comprehend the nature of digital security breaches or even to understand the security measures that companies implement to protect our data. Without a background in IT security, most users probably have no idea what encryption or security tokens or even SSL is exactly, or how to verify that those security protocols are even being used. They have to blindly trust that companies are doing what they say. And frankly, I don't have that much faith in most of these companies.


Of course, none of these issues are really new or unique to the cloud. I'm sure we've all read the stories about unencrypted laptops with sensitive information about patients or employees being lost or stolen. Just last week, my bank sent me a brand new debit card, not because the old one had expired (I had actually just received that one a few months ago), but because they were recently notified that "information from some debit cards may have been compromised at a merchant or service provider" and that my card "may have been affected."


Digital information is just easier to steal undetected and easier to grab large amounts of it, whether it's on the cloud, using debit/credit cards, or just using the internet. We have to make lots of tradeoffs. That's just the reality of living in a digital world.
