Skip to content
Naked Security Naked Security

Storing your stuff securely in the cloud

How much of our stuff is going to the cloud? Probably a lot more than you realize. Let's look at the risks and how to mitigate them.

How much of your stuff goes into the cloud? Probably a lot more than you realize.

Not just your files, photos, videos, but also your app settings, notes, reminders, and if you use a password manager, possibly your password vault too.

If you work in any kind of collaborative organization – from corporate life to family life – you probably do a lot of work in shared online documents that you pass around, maybe even share the credentials. I’m not here to wag a finger at you, this is just reality for many of us. What’s important is to understand the risks in what we’re doing and what we can do to mitigate them.

As the saying goes, the cloud is just someone else’s computer. So the risk with storing things in the cloud is that you’re giving up your own local control over your files. This means there is a risk, however small, that someone else can access them, maliciously or accidentally.

Some examples of unauthorized entrants can include:

  • An attacker who hacks their way into the cloud server where your files are stored
  • An employee of that cloud company who has more access to customers’ files than they should
  • A colleague who has since left your organization, but still has access to your files

Maybe that former colleague doesn’t care about being able to access their old files, or perhaps they’ve gone on to work for a competitor. Maybe that attacker is only able to gain access to a bunch of old Word documents you’ve forgotten about, or perhaps they’ve found an unencrypted collection of all your financial passwords.

Either way, storing your stuff – whatever it is – securely in the cloud means keeping unwanted folks out, even though you can’t physically access it. That means using a combination of a few security measures.

ALWAYS: opt for services that use strong encryption

You wouldn’t store your vital files just anywhere, would you? You don’t want to hand your files over to any old haphazard service that says it provides cloud storage.

Is the file transfer process from your computer to their servers secure? When the data is on their servers, are they encrypting and securing it there as well, and if so, how?

This information is bare-minimum stuff. If you can’t find details about it easily, go elsewhere.

IF YOU CAN: encrypt locally first

If you are storing files locally and then backing them up in the cloud via a program like Dropbox, S3, or Google Drive, your best bet to secure them is to encrypt them locally – meaning on your own computer, hard drive, or other device – before they head off to the cloud. That way if someone does manage to break into your cloud storage, your encrypted files will be nothing but useless bits of unreadable data to them.

Of course, you don’t always use the cloud like a giant hard drive full of files, so it isn’t always in your power to encypt files locally – sometimes you have to rely on the services you use have to do it for you.

It’s worth checking to see if they are.

Take password managers, for example. Good ones will encrypt your data locally before backing it up online – and equally if not more importantly, will keep the key needed to encrypt and decrypt this data on your device and NEVER in the cloud. It takes a bit of reading and research to verify this for yourself, but any service worth using will make it clear where and how it handles this information.

ALWAYS: use robust passcodes and MFA

A lot of cloud services – like Google Drive or iCloud – offer an option to access files and information online, via a web portal. If you expect to access your stuff this way then any attacker who successfully guesses or phishes your password for that service can too.

For that reason, you should allows use a strong, unique password, and enable multi-factor authentication (MFA) wherever it’s available.

Your phone and computer are also portals to your cloud-based life too, so make sure they’re protected by strong PINs and passcodes as well.

ALWAYS: follow the principle of least privilege

The principle of least privilege is the idea of giving people only the access they need to do what they need to do, and nothing more.

If possible, have users create their own accounts so that you don’t need to share credentials. This way, users can be given the access they need, rather than the access that everybody else needs. It also means that if somebody leaves your organisation you don’t have to reset the one-and-only password for everyone, or, as often happens, if no one gets around to revoking the leaver’s access, they don’t take access to everything with them.

ALWAYS: have a backup for vital data

If there are files, photos, or other bits of data that you can’t live your life without, you owe it to yourself to make sure you have backups of your cloud data.

Personally, I have several physical hard drive backups for my must-have files, in addition to cloud backups. Backups are only useful if they are regularly tested, so I make sure to check in on them from time to time to ensure everything’s still where it should be and working. If my cloud backups are one day compromised, or the cloud service I use breaks or goes bust (remember, it’s just somebody else’s computer) it’s likely my physical hard drive backups will be able to save the day.

4 Comments

When they shout “cloud,” buy more real estate. The crowd is very wrong and even Steve Wozniak said it.

Easiest way to verify if the encrypted provider does or doesn’t have a key to your data: Password reset functions.

If the data provider offers a password reset function, should you forget yours, and you can regain access to your data, then they also have a copy of the keys and you’re open to hacking by employees or other actors. If they do not have the ability to reset a password (Eg, if you forget your password and that results in a complete data loss of the cloud data) then the key is stored locally on your device and you are completely safe. Easy.

Conceptually, all of this makes good, practical sense. Only you will act in your best interest when it comes to encrypting your data before backing up to the “cloud”. That said, I would have liked to have seen a few, unbiased examples of commonly used (and commonly ‘trusted’) software and applications that could be a starting point for novice readers not necessarily in-the-know. Ultimately, the caveat is that such things are entirely dependent on the user’s trust in said software. Providing examples can help users begin exploring their options.

Encryption is easily hacked, 128/256 bit for sure, those have been vulnerable some 2009, easily unraveled with the right suite of tools that I assure you ALL the likes of the NSA/CIA has, as I used to consult to them as a forensics and computer archery expert before my current “life.”
If it’s important, DON’T put it in the cloud if you have risks associated with its loss. The COSTS to recover that loss FAR outweigh the cost of new cheap local hard drives that CAN be secured with tools, and physically secured, unlike cloud data.
Or just don’t care and do it anyway, trusting these companies with your data.
The ONLY unhackable operating systems are those that are trusted, I’m NOT aware of ANY cloud providers operating on that platform…or if suggest THEM for SURE!

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?