This feature first appeared in the Fall 2014 issue of Certification Magazine. Click here to get your own print or digital copy.
Nude photos of well-known actresses certainly garner attention on their own, but this summer they drew attention to an unlikely subject: cloud security. Private photographs of Jennifer Lawrence, Kate Upton and other celebrities posted by hackers on Reddit and other Internet sites brought the security of cloud storage services into the public spotlight. These photographs were allegedly stolen from Apple iCloud accounts that were used to backup iOS device photos automatically. In the wake of the incident, consumers and businesses find themselves asking the same question: Is the cloud as secure as we think it is?
Security Risks in the Cloud
Cloud data storage services provide a way for users to store information online without concerning themselves with the technical details of how and where the data is actually stored. Simply upload data to a trusted service, such as Box, Google Drive, Dropbox or iCloud, and cloud sync software takes care of the rest. The promise made by the provider is that your data will be securely stored across multiple locations and synced to all of your devices. That’s a compelling business case, especially when you take into account that such services are often either inexpensive or completely free.
The benefits of cloud services over local storage are clear — the ability to access data anytime, anywhere and from any device. So what are the security risks? Moving data to a cloud storage solution introduces security concerns that may not exist in a local storage environment. Organizations making the move to cloud storage should understand these risks and take action to mitigate them as much as possible.
First, cloud data storage solutions may be more susceptible to hacking attacks. The open nature of the service means not only that users can access their data from anywhere, but also that attackers have greater opportunity to attempt that same access. In the case of the iCloud celebrity photo disclosures, hackers allegedly used phishing messages to fool victims into revealing their passwords and/or the answers to their security questions. That information was then used to access photos stored in their online accounts. Apple claims that iCloud itself was never breached — the hackers merely entered through normal channels using stolen info — but the open nature of the service facilitated the attack.
In some cases, the provider itself may experience security issues. The web applications and syncing tools used to store and access files in cloud services can have security vulnerabilities, just like any other piece of software. For example, during a four-hour period in June 2011, Dropbox inadvertently allowed access to any account without requiring the correct password. Although Dropbox techs quickly corrected the flaw, it highlighted the fact that the privacy of our information is dependent upon the implementation of strong security controls by cloud providers.
Start with Policy
Every business needs to consider the impact of cloud data storage options on the security of their data. Even if you have no plans to intentionally place your data in the cloud, employees may discover the convenience of consumer cloud services and place corporate data there for easy access. (For example, does anyone at the office use Google Drive to share work documents?) The cloud security journey should begin with a solid set of policies.
The first policy every organization should consider implementing is a Bring Your Own Device (BYOD) policy. This policy should clearly state whether, and to what extent, employees may use personally owned devices on corporate networks and with business information. The permissiveness of this policy will vary with an organization’s risk tolerance, but the bottom line is that it should clearly answer questions such as:
- What types of devices may be used?
- Must employees register BYOD devices with the company?
- What data may be stored, processed and transmitted on the device?
- What security controls are required before a device is used for business purposes?
- Does the organization retain the right to remove data from personally owned devices? Through what mechanism?
Organizations should also address the growing trend of consumerization of technology by adopting a Bring Your Own Cloud (BYOC) policy. Similar to the BYOD policy, the BYOC policy should clearly outline whether employees may use personal cloud accounts to store business information. If this is allowed, then the policy should clearly state the conditions of use.
The final policy element that should be in place for secure use of the cloud is a data classification policy. This policy should outline the different categories of business information and clearly describe what information fits into each category. For example, a company might adopt a classification policy that places all information into categories labeled Highly Sensitive, Sensitive and Public. The Highly Sensitive category might include Social Security Numbers, credit card numbers and similarly restricted data elements. The Public category might include only information explicitly approved for public release, while all remaining information fits into the Sensitive category.
Data classification efforts should directly support the BYOD and BYOC policies. If an organization clearly classifies its data, those classifications may then be used to describe the appropriate use of personally owned devices and personal cloud accounts. For example, a BYOD policy might explicitly state that approved personally owned devices may be used to process Sensitive information but may not store, process or transmit Highly Sensitive information under any circumstances.
Secure Account Access
Organizations choosing to adopt cloud data storage solutions should implement strong security controls to protect access to stored data. This begins, of course, with using strong passwords to protect accounts. The easiest way to do this is integrating the cloud service with your existing authentication system using the Security Assertion Markup Language (SAML). Major cloud providers typically offer SAML integration as an added feature on their enterprise accounts.
Enterprises may also strengthen authentication by adopting multifactor authentication, particularly for those accounts storing sensitive information. In a multifactor authentication approach, the user first provides a password and is then prompted to input a one-time code. That code is provided by a smartphone app, text message, or special keyfob. By providing this code, the user not only proves that he or she has knowledge of the account password but also has possession of a trusted device.
IT administrators should pay careful attention to access controls, just as they would for local storage. Groups and roles should be curated carefully to ensure that membership is appropriate and that users only have access to the information they need to perform their jobs. One particular concern with cloud storage services is their ability to create public file sharing URLs that may allow unauthenticated access to a file or directory. Administrators should ensure that users receive training on the various access controls supported by the cloud storage service and conduct periodic audits to verify the appropriateness of permission settings.
Encrypt Sensitive Information
Encryption is the gold standard for data protection. By using specialized mathematical algorithms to encrypt information, users can be certain that anyone lacking access to the decryption key is unable to decipher the data, even if they somehow gain access to it in encrypted form. When it comes to cloud storage services, there are two ways enterprises may leverage encryption to protect information: encryption in transit and encryption at rest.
Encrypting data in transit protects the contents of files as they travel across the internet from the cloud provider to the end user (or vice versa). Strong encryption is easy to implement and uses protocols known as the Secure Sockets Layer (SSL) and Transport Layer Security (TLS). The most common implementation of SSL/TLS is the secure HTTP (HTTPS) protocol used to encrypt web communications. When selecting a cloud storage provider, enterprise should ensure that all communications between end users and the provider are secured with SSL/TLS.
Encryption may also be used to protect data at rest, while it is stored on the servers of the cloud provider. This protects information from prying eyes if an unauthorized individual gains access to the cloud servers. It’s important, however, to verify where the encryption keys are stored and who has access to them. In many cloud storage solutions, the architecture requires that the cloud provider have access to the encryption keys. In this case, employees of the provider would theoretically have the ability to decrypt your information. If a solution provides enterprises with the ability to manage their own keys, this problem is solved, but the ability of users to access data may be more limited.
Encryption is a tricky topic and security professionals should scrutinize the technical details of any potential vendor’s implementation. Watch for the use of industry standard encryption protocols (such as SSL/TLS and HTTPS) and algorithms (such as AES and RSA). Pay careful attention to how keys are stored and managed. If a vendor refuses to disclose the details of their encryption implementation, claiming that they are proprietary, consider it a red flag.
Cloud data storage solutions provide tremendous benefits to end users and enterprises. They offer flexible access to information in a cost effective manner. Organizations considering the implementation of cloud storage, however, must ensure that they have appropriate policies and controls in place. These measures should aim to implement the same level of protection expected from local solutions in the cloud.