Is cloud storage innately insecure?

Off the Beat: Bruce Byfield's Blog

Sep 05, 2014 GMT
Bruce Byfield

Whenever a major security story like the recent leak of nude celebrity photos occurs, I hope that some serious discussion will happen. But I am always disappointed, and this time was no exception. No one, apparently, wants to explore the obvious -- that, just maybe, buying cloud storage is a flawed business and security model.

I understand why people buy cloud storage, of course. It's convenient, especially if you want to access your data from multiple computers and different locations. Almost certainly, it is cheaper than paying for your own system administrators or even buying new hard drives.

And let's not forget the coolness factor of using the latest technology. For an industry populated by intelligent people, the tech world sometimes has a distressingly strong herd mentality. Often, it leads to everyone stampeding towards the latest and greatest, even though there's no pressing need.

The plain truth is that cloud storage is attractive, and few of its customers would return to administering their own files or carrying flash drives to transport information from computer to computer.

So, instead of re-evaluating buying cloud storage, they insist that security breaches can happen with any technology, and quickly return to business as usual. At the most, they check the settings on their cloud accounts and maybe make a change or two before forgetting what happened as quickly as possible. Unfortunately, such responses do little to alleviate the essential problems.

The business model
Buying cloud storage comes down to a matter of trust. As a buyer, you trust that the seller of storage will keep your data safe.

The seller is supposed to have a simple incentive to honor that trust: security breaches make potential and current customers less likely to buy more storage or services. iCloud, for instance, can only express concern and move quickly to investigate the recent photo leaks, in the hopes that, in not too many financial quarters, customers have forgotten all about its failure.

Unfortunately, however, that incentive is simply not enough to protect buyers. Other services entrusted with customers' personal information, such as banks or credit unions, are subject to regulations and inspection that give a certain amount of guarantee to customers that everything is being done to safeguard their affairs.

These guarantees sometimes fail, of course, but they are considerably better than nothing. However, when you buy storage, you are asking the provider to police itself -- an expectation that is hardly best practice, no matter how good a reputation the provider has in other areas of business.

iCloud, for example, may advertise its security precautions and reassure potential buyers that "iCloud takes care of everything" and that Apple has "a company wide commitment to your privacy," but its terms of service make clear that this care and commitment do not extend to taking any responsibility for your data loss:

TO THE GREATEST EXTENT PERMISSIBLE BY APPLICABLE LAW, APPLE DOES NOT GUARANTEE OR WARRANT THAT ANY CONTENT YOU MAY STORE OR ACCESS THROUGH THE SERVICE WILL NOT BE SUBJECT TO INADVERTENT DAMAGE, CORRUPTION, LOSS, OR REMOVAL IN ACCORDANCE WITH THE TERMS OF THIS AGREEMENT, AND APPLE SHALL NOT BE RESPONSIBLE SHOULD SUCH DAMAGE, CORRUPTION, LOSS, OR REMOVAL OCCUR.

In other words, despite advertising security features, Apple by no means makes any promises that those features will be enough. Nor are Dropbox's terms substantially different. Amazon does accept liability up to $50, but that is hardly enough to change the general trend. In buying cloud storage, you are required to trust while being given absolutely no reason to do so.

The security model
Having an agreement that actually protects you might be some consolation if your data is lost or stolen. However, it is a limited consolation, the kind you might feel if your car was center-punched in an intersection and you wake up in the hospital in a body cast but knowing that you had the right of way. Your privacy has still been violated, with all the embarrassment or business disadvantage that implies.

Underlying the entire idea of cloud storage is that you are entrusting your security to someone else. Even worse, you are generally doing so on the basis of advertising and not much else.

Obviously, your own security may be inadequate. But, if you take the precautions that you should be taking, then theoretically you can discover those inadequacies and correct them.

By contrast, you have nothing but a provider's word that its security is adequate. Unless you happen to have personal contacts among the provider's employees, you usually have no way of knowing if the promised security is actually being provided. No doubt the storage providers do their best, but everyday practice can deviate a long way from declared policy without anyone in particular being to blame.

In particular, you cannot know how many people have official access to your data -- or, even more importantly, how many have unofficial access. Are machines left running so that the night janitor can sit down and view files? How careful is the provider about removing the accounts of ex-employees? Does your provider allow government representatives access to your files? On your own servers, you or someone in your company should be able to answer such questions. In cloud storage, you can only trust that all is well.

These questions are not merely the paranoia they might sound to the layperson, either. Social engineering, the bypassing of security by exploiting human weakness, is by far the most common form of cracking. Even if you have no reason to doubt the security measures provided, you still have no way of knowing how well they are enforced.

Yet whether the recent photo leak is blamed on social engineering or the brute force exploitation of weak passwords, the problem remains the same: when you buy cloud storage, you are vastly complicating your security -- if not compromising it entirely.

Protecting Yourself
None of what I say is going to change most people's habits. Cloud storage is too convenient for people to walk away from entirely. As Linus Torvalds mentioned in his recent Q & A at Debconf, security experts tend to view these issues in black and white. A truly secure computer might be one without an Internet connection in an underground room accessible by only one person, but who would want to use it?

Still, you can help to reduce the risk by making sure that you take advantage of all the services that your storage provider offers. Strong passwords, two-step identification, and strong encryption can all help to minimize the risk of trusting someone else.

Better yet, look for ways that you can retain the convenience of cloud services while regaining control of your data. If possible, encrypt your data yourself rather than relying on the provider to do so.

You might also look into applications like Tahoe-LAFS, which allow you not only to encrypt files yourself, but to divide files into shares. To read a file, you need to be able to download a set number of shares, and these shares can be distributed over several cloud storage services, which complicates any cracker's life considerably.
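
The "set number of shares" idea can be shown in a few lines of Python. This is an added example, not Tahoe-LAFS's own code and not part of the original post: it uses polynomial evaluation over GF(257) as a simplified stand-in for a real erasure code, assumes the input has already been encrypted on your own machine, and the names `split`, `join`, and `SAMPLE` are illustrative.

```python
# Added illustration: k-of-n splitting by polynomial evaluation over GF(257).
# Not Tahoe-LAFS code; the input is assumed to be ciphertext you produced yourself.
P = 257  # smallest prime above 255, so every byte value is a field element
SAMPLE = b"constructed ciphertext bytes"  # constructed stand-in for encrypted data


def split(data: bytes, k: int, n: int) -> dict:
    """Return n shares {x: symbols}; any k of them rebuild data."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < 257")
    # Prefix the length (4 bytes) so zero padding can be stripped on rebuild.
    buf = len(data).to_bytes(4, "big") + data
    buf += bytes(-len(buf) % k)
    shares = {x: [] for x in range(1, n + 1)}
    for i in range(0, len(buf), k):
        coeffs = buf[i:i + k]  # k bytes = coefficients of one polynomial
        for x in shares:
            shares[x].append(sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P)
    return shares


def _invert(m):
    """Invert a square matrix over GF(P) by Gauss-Jordan elimination."""
    k = len(m)
    a = [row[:] + [int(i == j) for j in range(k)] for i, row in enumerate(m)]
    for col in range(k):
        piv = next(r for r in range(col, k) if a[r][col])
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], -1, P)
        a[col] = [v * inv % P for v in a[col]]
        for r in range(k):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(v - f * w) % P for v, w in zip(a[r], a[col])]
    return [row[k:] for row in a]


def join(shares: dict, k: int) -> bytes:
    """Rebuild the data from any k shares; fewer than k is refused."""
    if len(shares) < k:
        raise ValueError(f"need {k} shares, got {len(shares)}")
    xs = sorted(shares)[:k]
    inv = _invert([[pow(x, j, P) for j in range(k)] for x in xs])  # Vandermonde
    out = bytearray()
    for pos in range(len(shares[xs[0]])):
        ys = [shares[x][pos] for x in xs]
        out += bytes(sum(inv[j][i] * ys[i] for i in range(k)) % P for j in range(k))
    size = int.from_bytes(out[:4], "big")
    return bytes(out[4:4 + size])
```

With `split(SAMPLE, 3, 5)`, each of the five shares could sit with a different storage provider, and any three are enough to recover the ciphertext. An individual share still reveals partial information about the input, which is why encryption has to happen before splitting.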

However, by far the strongest precaution is to use software such as ownCloud to set up your own cloud storage. In this way, you retain full control while enjoying the convenience of the cloud.

All these alternatives reduce the central issue that giving unearned trust to a third party is generally a poor business practice and a violation of security principles. Your security might still be violated with these alternatives, but at least if you get careless, you have no one to blame for your troubles except yourself.
