Whether or not you realise it, we all use the cloud for something in our daily lives. In this blog I want to explain in simple terms what ‘The Cloud’ is and how you can apply some simple safeguards to secure your use of it.
What is the Cloud – a History Lesson?
Let's go back a bit to the early days of computing for a moment. By early days, I really mean the 1960s/70s and maybe even the early 1980s. In the 1960s computers were large machines that needed extensive cooling and power supply and typically resided in air-conditioned rooms. These computers, by modern standards, had less compute power than a typical smart watch of today. Access was restricted to academic institutions and businesses, and the main access was through teletype terminals. These teletype terminals were largely character based and used dial-up phone lines and slow modems to communicate with the host computer.
An example of a teletype terminal is below.
Wind this forward to the late 70s and early 80s: these machines were getting more powerful and were commonly called mainframes, but were typically still accessed via these types of devices. Around this time we start seeing more distributed computing using Unix workstations and servers as well as the IBM PC and other personal computers. In this era the focus was on local computing power, and the machines were generally capable of being run outside of data centres and without extensive air-conditioning. This was typically called the client-server era.
Wind this forward to the modern day and the focus now is more on mobile computing, where the horsepower required to run some applications just isn't available on the device you are using. As a result we have gone full circle to having 'big-iron' servers hosted in air-conditioned data centres providing services via the internet. Data centres are largely buildings covering thousands of square feet of floor space, typically in large population centres but sometimes in remote locations. They are also hyper-secure locations.
We typically communicate with these servers/data centres via the public internet, but in some cases, for security reasons, they can also be reached over private lines that have no public access.
Below is an interesting video I found on YouTube showing how Google manage their data centres:
What does Cloud Computing provide us today?
Cloud computing is typically defined as the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by end users. You can classify cloud computing against a few very broad service categories:
- Infrastructure as a service
- Software as a Service
- Platform as a Service
- IoT and Edge Computing.
Infrastructure as a Service is all about providing actual servers that you can, as a developer, configure yourself; today this covers:
- Physical and virtualised servers.
Software as a service is typically an application, or suite of applications, that provide functionality to business and consumers. Examples are:
- Microsoft Office 365
- Amazon shopping website.
This is typically the cloud service category most used by consumers, since media content is delivered through some application.
Platform as a Service is more for developers, where instead of hiring physical servers and configuring them themselves, they hire the resources and host their applications in a shared environment. Microsoft’s Azure environment is such a service. Using software you can assemble components such as storage, compute power, telephony, etc. into a packaged solution that provides the service you want to provide to your end users. At no time do you as the developer have to manage the physical resources that make up these services.
IoT and Edge Computing is all about providing the services that power our Internet of Things experiences and in some cases extending the cloud to the device itself to provide some of the compute capability. You can read more about IoT in my guidance on the subject.
Cloud services power a whole host of applications these days, and I challenge anyone to say they don't use at least one. This website is hosted by WordPress, which is a content management system that allows people like me to publish websites and blogs without actually writing any code or maintaining the website infrastructure. If you are reading this blog, you are using a cloud service. At no time do I have to configure the databases, software and physical resources to publish my content.
What are the dangers of using Cloud Services?
The primary dangers are that you are using a resource that you don’t manage. You are abdicating that responsibility to a third party for a fee. As a result you have to trust that this third party maintains:
- the availability of the service
- a secure environment, resilient to cyber attack
- the protection of any personal and/or confidential information behind suitable security firewalls and encryption.
Every day we are hearing about data breaches where some hacker has managed to gain access to a database that is exposed to the internet without the required security. There are a lot of databases, or storage systems, that are exposed to the internet that don’t have the required password protection. I could fill a blog with links to data breaches that have happened this year alone and I have to admit I am tiring of hearing about these data breaches that could so easily be avoided.
When you are using cloud storage, it is your responsibility to ensure it is secured. A lot of these databases come with a default account password that invariably does not get reset. Some don’t even have a password and that in my mind is unforgivable.
In a recent data breach, private information covering the whole population of Ecuador was disclosed; a director of the company hosting this data was arrested as a result and will hopefully serve jail time. My personal opinion is that CIOs responsible for these incidents should be prosecuted, and certainly the GDPR in Europe is imposing very high fines for such data breaches where EU nationals are impacted by the incident.
What can I do to Secure My Cloud Usage?
This can be broken down into a few sub-categories:
- Enterprise, big businesses
- Small/medium size businesses and startups
If you are a business, you need to get professional help in configuring your use of the cloud as part of your business. There are thousands of such companies in every country and I urge you to reach out to the reputable ones to help you. I also suggest you take a look at the UK National Cyber Security Centre (NCSC), which is a UK government department looking to advise UK companies and influence international adoption of cybersecurity standards. They also have an extensive guidance section, which is one of the many resources I use to compile my blogs.
The rest of this blog will be focusing on advice and tips for consumers, since these are the people who are most vulnerable through ignorance of the actual risks.
What Cloud services do consumers use?
I am betting you all use at least one of the following services, and more than likely multiple services:
- Messaging (e.g. Facebook Messenger, WhatsApp, Skype, Instagram, SnapChat)
- Streaming Media (e.g. Netflix, Amazon Prime Video, CBS All Access, YouTube, Apple TV)
- Storage (e.g. OneDrive, DropBox, Google, iCloud)
- Shopping (e.g. Amazon)
- Online news outlets (e.g. FT, Guardian, BBC News, Sky)
- Websites and blogs
- Authentication (e.g. using your Google, Microsoft/Outlook, Twitter or Apple IDs/accounts to get access to services)
- Online Banking
- Media Storage (e.g. your photos and videos).
The list could go on for several pages, but it is likely that you will tick something from each of the above.
How do I secure my Cloud Services?
Here are a few tips that will hopefully provide you with some pointers to use the cloud safely.
TIP 1 – Secure the Service
Consumer services like those above are typically secured behind some form of authentication, using either an email address and password or some other secure authentication scheme.
When signing up for these services, especially those you do for yourself, you need to secure the account you are creating using:
- A unique ID where possible, though often this is an email address
- A unique and complex password (minimum of 25 alphanumeric characters that are not easy to guess)
- 2-factor authentication where available.
This is all covered in my guidance on Authentication Best Practice.
The best practice is not to repeat passwords across the services you use; otherwise you will be vulnerable to credential-stuffing attacks.
The second bit of advice I will give you is never to tell anyone your credentials. With cloud storage you can often share a specific directory or file without giving away any credentials.
You can also use password managers such as LastPass and 1Password to help you manage the resulting list of usernames and passwords. In these services you can share specific credentials with people who need access without revealing the password. However, once in, they can change anything, including your password, so it is best to share only with people you trust.
Unsurprisingly, the advice above for consumers is largely applicable to businesses. You need to secure your use of APIs and services in a similar fashion.
TIP 2 – Encrypt Everything
If you are storing files on a cloud storage service (e.g. Google Cloud, OneDrive, DropBox), they should be archived into a ZIP file and encrypted. There are various ways of creating encrypted archives, but I recommend using WinZip, which provides some decent encryption standards. Recovering the passwords from simple password-protected documents and archives is trivial with today's hacking tools, so that alone does not provide any protection.
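As an added illustration of "encrypt before you upload" (this is example code written for this post, not WinZip's or any provider's code), the Go program below seals a document with AES-256-GCM under a random key that stays on your machine, so the storage provider only ever holds an opaque, tamper-evident blob. The design choice here is deliberate: the key is 256 random bits stored locally (for instance in your password manager) rather than something derived from a short, guessable archive password, which is exactly the weakness the paragraph above warns about. The sample document is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a random 256-bit key. This key is the only secret: keep it
// locally (e.g. in your password manager), never in the same cloud folder as
// the encrypted file, and never share it with the storage provider.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptBlob seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// GCM is authenticated encryption: anyone who obtains the blob cannot read it
// or alter it undetected. A fresh random nonce per file keeps one key safe to
// reuse across many files.
func encryptBlob(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptBlob reverses encryptBlob. A flipped bit anywhere in the blob, or the
// wrong key, makes gcm.Open return an error instead of silently returning garbage.
func decryptBlob(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain a nonce and tag")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample document standing in for a file about to be uploaded.
	doc := []byte("passport scan, bank statements, tax return")
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	blob, err := encryptBlob(key, doc)
	if err != nil {
		panic(err)
	}
	back, err := decryptBlob(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploadable blob is %d bytes; round trip ok: %v\n", len(blob), bytes.Equal(doc, back))
}
```

The blob is what you upload; the key never leaves your device. Because the tag is checked before any plaintext is returned, a provider-side corruption or deliberate modification of the stored file surfaces as an error on download rather than as a subtly altered document.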
If you are using a messaging service, then make sure it is end-to-end encrypted and the decryption keys are not stored by the provider.
Email is totally insecure in its native form. It was never designed to be secure in the first place. To secure this you need to:
- Encrypt attachments and communicate the decryption key using a separate means
- Use an encrypted email service.
Either way, treat email as insecure, since the routing information is in plain/unencrypted text. Best practice is not to communicate sensitive information via email.
SMS is also insecure, so instead use an encrypted messaging platform.
TIP 3 – 2-Factor Authentication
I strongly advocate using 2-factor authentication for all your sensitive accounts, and also for other accounts where it is provided. However, some services are still using SMS as the primary channel to communicate the one-time passcode. My recommendation here is to use an authentication app on your smartphone, and preferably one that allows you to store and recover the setup. The ones I recommend are:
- Microsoft Authenticator
- LastPass Authenticator.
Both of these are available for iOS and Android from the relevant app store and can be used for the majority of services.
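To show what an authenticator app actually does when it displays a six-digit code (and why it needs no SMS channel), here is an added Go implementation of the standard algorithms those apps use, HOTP (RFC 4226) and TOTP (RFC 6238). This is example code written for this post, not the code of Microsoft Authenticator, LastPass Authenticator or any service; the secret used is the published RFC test-vector seed, not a real enrolment secret, and the server-side verification window of one step either side is an assumption, though it is the common choice.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// exampleSecret is the seed RFC 4226 and RFC 6238 use for their published
// test vectors. A real authenticator receives its secret Base32-encoded in
// the enrolment QR code; after that the secret never travels anywhere.
var exampleSecret = []byte("12345678901234567890")

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to a 31-bit integer, then reduction to the requested
// number of decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp implements RFC 6238 with the usual 30-second step: the HOTP counter
// is simply the number of 30-second intervals since the Unix epoch, which is
// why phone and server agree on the code without exchanging anything.
func totp(secret []byte, unix int64, digits int) string {
	return hotp(secret, uint64(unix/30), digits)
}

// verifyTOTP is the server side: it accepts the code for the current step
// or one step either side (assumed window, tolerating small clock drift) and
// compares in constant time so response timing does not leak the expected code.
func verifyTOTP(secret []byte, code string, unix int64) bool {
	ok := false
	for _, delta := range []int64{-30, 0, 30} {
		expected := totp(secret, unix+delta, 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	now := time.Now().Unix()
	code := totp(exampleSecret, now, 6)
	fmt.Printf("current code: %s, verifies: %v\n", code, verifyTOTP(exampleSecret, code, now))
}
```

The code is a function of the shared secret and the clock only, which is the whole point: there is no message in transit to intercept or redirect, unlike an SMS passcode. The trade-off is that the secret must be backed up somewhere, which is why the post recommends apps that let you store and recover the setup.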
TIP 4 – Oversharing Personal Information
Before you hand personal information to a service, check that it tells you:
- How they will use your information
- Their retention period and policy
- Whether they have an encryption policy.
If not, then you shouldn’t be using that service.
Be extra careful when posting to social media to ensure that your personal information (e.g. phone number, address, date of birth) isn't public. This should be shared only with close friends, and preferably not at all on sites like Facebook.
The rule of thumb is ‘If you are not paying for a product, your information is the product’. These companies will probably anonymize your information so that you can’t be identified from it, but they will aggregate your data with others and sell it as data sets for marketing purposes. Also look out for those checkboxes that allow them to share your information with others and check/uncheck that box accordingly to stop this happening.
We all use cloud services these days, and I hope this guidance has helped you to use them safely. A few precautions go a long way to making your experience a better one.
Headline image provided by ShutterStock