'The Cloud' is the latest buzzword for internet-based services. Before diving in, it's important to understand a few things about cloud security.
This is a short question that opens up a veritable Pandora's box of issues and considerations.
I believe that there's a lot of misunderstanding about just what information safety means and how secure your data is and is not when you use cloud-based services.
Of course, there's also a lot of misunderstanding about just what "cloud-based services" even means, so we'll need to define that a little first.
I've talked about cloud computing before, but as a reminder, my definition is really pretty simple:
The cloud is nothing more than the internet and cloud services are nothing more than services that you can access over the internet.
Some examples:
Hotmail, Gmail, Yahoo mail, and the like - If you're using their web interfaces, your email is in "the cloud" and has been for a very long time.
Share your photos on Flickr, Picasa, Photobucket, or some other online photo sharing service? You've been putting your photos in "the cloud".
Google Docs stores documents of various sorts for access and collaboration in "the cloud".
Services like Roboform, Lastpass, DropBox, Evernote, and others back up your data to their servers in "the cloud" and they often allow you access to your data from just about anywhere that you can connect to the internet.
You get the idea ... "the cloud" isn't really anything all that new; in fact, you've probably been using it for some time already. As network speeds and capabilities have expanded, so too has our use of helpful and powerful services out on the internet.
Calling it "the cloud" just sounds a lot sexier.
There are two basic types of information that you care about keeping safe when you use online services:
Information about you, such as your email address, passwords, account numbers, and the like.
Information that you're using the service to manage, such as your email, address book, documents, photos, and more. While some of this might be public - such as photos which you choose to share - much of it may be private information that you wouldn't want the world to see.
When using an internet-based service, you're placing all of that information onto servers that by definition anyone on the internet can access. How much of your information they can access is a function of how secure the service is and what privacy choices you may have made within that service's offering.
And it's also a function of their technology.
The most common threat that individuals face is simply the single account hack. Your account is somehow compromised and someone other than you (someone who shouldn't) gains access to your information.
While the most common or obvious example currently is an email account being hacked to send spam, your use of any online service is at risk if you don't take appropriate measures.
When you place information in a location like a server on the internet that anyone could reach, it's fairly clear that you need to protect the access to it.
Pick a strong password.
Access your account only from computers that you know are secure.
Don't share your login information with anyone.
Avoid scenarios where your login information might be captured, such as unencrypted connections on free open-WiFi.
Take the time to understand the service's privacy policy and account settings to ensure that you're not publicly sharing something that you meant to keep private.
Hopefully, that's a boring list as these are all things that you should already know by now.
But the fact remains that when individual account compromise typically happens, it can usually be traced back to an oversight or issue somehow caused by the account holder.
Protection from individual account compromise is in your control.
We hear of this occasionally, but in recent weeks, there does seem to have been an increase in the number of reported system hacks.
The scenario is conceptually simple: a hacker gains access to areas of the online service that he's not supposed to. Once in, he gets access to the private user data stored there, or worse, access to the accounts and login credentials for users.
This is typically not something that you have control over, but you do rely on the service to prevent this by having appropriate security measures in place. As a result, you also need to make sure to choose reputable services with good security track records.
When you place information into an online service, you are fundamentally trusting that they know what they're doing. You trust them to have appropriate security in place to prevent hacking and data or account theft, and you trust them to appropriately back up your information in case of assorted forms of legitimate failure.
If you don't trust them, then don't use the service, and don't put your data there. It's as simple as that.
If your data is in only one place, then it's not backed up. You risk losing it, completely and permanently, should something ever happen to that one place.
An online service - any online service - should be considered "only one place". The fact that they probably back up has absolutely no bearing on it. If you lose access to your online service for any reason, everything that you've put into that one place will be lost. Period.
It's heartbreaking, but I've had messages from people who've lost years of work, such as their master's thesis or multiple years worth of writing or blogging because they kept it in exactly one place: an online service that they subsequently lost access to. It's happened more than once, and the net result is the same: everything is gone. Forever.
Back up what you save in the cloud somehow - on your computer(s), on a different online service, on anything that guarantees you have at least two (ideally three) copies of everything you care about.
I hesitate to call this a "threat", but depending on what you use the cloud for, or depending on your trust of the legal system, this can be an important consideration.
Can the service examine your data?
By that, I mean is it possible for a technician or other individual authorized by the service to examine the data that you have stored within the service?
In most cases, the answer is yes. Your email can almost certainly be read by technicians at your ISP. Your notes and documents may well be similarly accessible to the staff of the online service where you store them.
We typically rely on two things when it comes to this type of security:
We're not that interesting. Seriously, a mail service's technician would have to be pretty bored to spend time reading random emails from random people they don't know or care about.
The service restricts that kind of access to only trusted staff members. The receptionist at the service's front desk probably doesn't have the ability to get at your files; that's probably restricted to only a handful of senior level - and therefore highly trusted - technicians.
The only real exception to this scenario is when you do become interesting to law enforcement. This also varies depending on the laws in your area, but typically, law enforcement can compel the service to hand over your information with appropriate court orders.
The only solution to that scenario is strong encryption.
Either you must encrypt your data prior to placing it on the service or you need to take the extra step to ensure that the service itself encrypts the data in such a way that even they cannot access it. Typically, that means that the data is encrypted by the service on your machine as part of uploading (it's never not encrypted, except on your machine) and that your data cannot be recovered if you lose your password. Data recovery in the face of a lost password implies that the data can be accessed somehow without it, even if only by the service.
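As an added illustration of the point above (not code from the original article or from any particular service), this Node.js example encrypts data on your own machine with a key derived from your password, so the service only ever stores ciphertext and has no way to recover it for you. The function names and the blob layout are assumptions made for this example.

```javascript
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Derive a 256-bit key from the password. The salt is random but not secret;
// it is stored beside the ciphertext so the same key can be re-derived later.
function deriveKey(password, salt) {
  return scryptSync(password, salt, 32);
}

// Runs on your machine: returns the only bytes the service ever receives.
function encryptForUpload(plaintext, password) {
  const salt = randomBytes(16);
  const iv = randomBytes(12); // 96-bit nonce for AES-GCM
  const cipher = createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Layout (constructed for this example): salt | iv | tag | ciphertext
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Runs on your machine after download. Throws if the password is wrong or
// the blob was modified, because the GCM tag will not verify.
function decryptAfterDownload(blob, password) {
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const body = blob.subarray(44);
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// What the service (or anyone who compels it) can attempt: it holds the blob
// but not the password, so every guess fails authentication.
function tryOpen(blob, guess) {
  try {
    return { ok: true, text: decryptAfterDownload(blob, guess) };
  } catch (err) {
    return { ok: false, text: null };
  }
}

// Constructed sample data.
const blob = encryptForUpload('draft of my thesis, chapter 1', 'correct horse battery staple');
console.log(tryOpen(blob, 'correct horse battery staple')); // the owner
console.log(tryOpen(blob, 'password-reset-by-support'));    // no recovery path exists
```

Because the password never leaves your machine, a "forgot my password" feature cannot exist for this data, which is exactly the trade-off the paragraph above describes.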
Online services or services in "the cloud" offer a wide variety of features and convenience, but not without risk and potential cost.
The more sensitive the data, the more careful that you need to be about keeping it in the cloud.
That means carefully considering which services you might trust with keeping your data and just what data you're going to keep there.
And, of course, making sure that you're doing all the right things to keep your access safe and secure.
Article C4850 - June 18, 2011
"Cloud" storage/computing is a fad, folks, pure & simple. *Sigh.*
It has a huge bunch of unwelcome shortcomings, not the least of which include (among many others!) --
...and so on and so forth. Need I go on? It is, I suppose, a feasible option for small amounts of data that is carefully encrypted first, not vitally essential, and will not be urgently needed. But I sure wouldn't advise using it on any other terms! Local storage, on a USB drive, is in my opinion a vastly better alternative in most cases.
Posted by: Glenn P. at June 21, 2011 5:28 PM
Perhaps no direct connection with Cloud, I wonder if, when any online purchasing where Bank Card details are conditional and also Card idents, is there any protection that same recipient can't access your account without further authority from the Card Holder? Or should one demand Direct Deposit to their BSB and A/c number?
Posted by: Keith McGilvery at June 21, 2011 5:44 PM
@Keith
Posted by: Mark J at June 21, 2011 11:42 PM
This is a risk whenever you use your credit card whether online or in a shop. If the people you are dealing with are unscrupulous they can retain your information and use it later without authorization. I once had my credit card number stolen in a restaurant where they take your card away to process it.
I read an article which said that the risk of using a credit card online is no higher online than it is in a shop.
A few safeguards. 1. Only use your credit card with companies you trust. 2. Use PayPal or a similar service when purchasing online. 3. Some credit cards give 100% protection against fraudulent use.
I've been leery of the cloud before it started being called that. I've used services like the now defunct XDrive, and I use MS's Skydrive, but not for anything personal or significant. When USB drives came down in price, I bought many and used them in different places to back up different things. Now that portable HDs are so reasonably priced, I have two, and my important files are on my PC (which has two HDs in a RAID1 config) and back them up to two portable HDs, giving me multiple-failure, secure protection. Someone stated that the cloud is a fad, well yes it certainly is; Microsoft tried to make it sound sexy for their Win7 commercials, but anybody who knows anything about computing knows that is a simple file holder and not a place for sensitive or personal data (Right Sony & Sega?).
Posted by: Kerry at June 22, 2011 10:15 AM
Never log in at a computer where you can not check if they have password automatically remember checked.
Posted by: Ulf at June 22, 2011 1:59 PM