How Secure Is The Cloud?

Cloud Computing

Cloud computing has quickly become all encompassing, offering what is often a lower-cost and easier-to-use solution to many common IT problems. But the ever-expansive definition of the ‘Cloud’ is also leaving a gap of understanding when it comes to the best practices for improvement in the areas of security and privacy.

Security and privacy continue to be top-of-mind for many educators, yet there is little awareness of the risks involved in utilising Cloud service offerings – let alone answering the fundamental question of how secure is the cloud?

The key issue arises when you begin defining exactly what Cloud computing is, which is where you quickly realise that it is something completely different to everyone you ask. With so many vendors competing in this area it is a shame that marketing messages have continued to confuse even those with years of experience in the IT industry.

What I would like to present to you here, however, is the broadest meaning of the Cloud so that you can then form your own opinion and apply the best security and privacy principles to whatever technical solution you end up using.

Advertisement
Edval Timetabling 

In the most generic sense, ‘Cloud computing’ simply refers to outsourcing computing functions that you would otherwise have to manage, acquire or build yourself. The major benefit is usually that it will be cheaper to pay a subscription or annuity, rather than invest in substantial amounts of hardware or software to get started.

It is also worth noting that the genesis of Cloud computing was in the IT Enterprise sector and has since become somewhat diluted as a term adopted for representing almost anything cool or leading-edge in consumer and mainstream markets.

What this expansion has meant is that there are at least five key mainstream areas of technical functionality where the concept of Cloud computing has been applied.

Cloud storage and file hosting services – this is the ability to store files and data remotely, sometimes just for backup or archive purposes, and sometimes for everyday use where your files are synchronised to your computer or mobile device. Examples include Dropbox and Google Drive.

Web applications – this is one area that is almost taken for granted with so many free examples such as Facebook, Twitter and many others. With the web having become dynamic over the last 15 years, many ‘websites’ are now in fact Web applications – capable of presenting users with the functionality and performance of traditional desktop applications. Other examples include Yammer and Salesforce.

Webmail – similar to web applications, this refers to applications that are specifically designed to handle email, and often the security and privacy requirements are much more stringent because of what they need to protect. Examples include Gmail, Yahoo and Outlook.com.

Web hosting services – traditional web hosting services have existed on the internet since the beginning, allowing you to upload your website remotely and have it available 24/7. Ironically, the term ‘Cloud computing’ was applied to this category after the fact, but nonetheless is considered to be a valid use of the term. Examples include NetRegistry and GoDaddy.

Virtualisation – this is a technology that allows multiple ‘instances’ of an operating system to coexist on a single computer; it results in a much more effective use of computing resources. This technology is being used by schools or businesses that continue to maintain existing infrastructure in-house, and it is also available as a service offered remotely by various providers. Internet-based examples include Amazon EC2 and Microsoft Azure; whereas in-house solutions are represented by vendors such as VMWare or Citrix.

With the immensely heavy workload that most educators endure, I am going to presume that file hosting services such as Dropbox or Google Drive have added the best value and productivity when it comes to sharing or accessing files after hours.

With this most common use in mind, there are two sides to consider when such technologies are used in the education environment – first there is the end-user perspective, and then there is that of the educational institution itself.

Cloud Storage Security Issues For End-users

Cloud storage providers accept almost all of the responsibility for hosting files and ensuring they are available when needed, except for one thing – the security credentials used to access them.

The ubiquitous global access of files stored in the cloud comes at the cost of those files being available to an attacker in any other foreign location as well, so great care must be taken with keeping the credentials (usernames and passwords) secret and well secured at all times.

Reputable cloud providers will offer enhanced security features designed to restrict accounts being accessed by non-account owners. Such features are usually implemented by requiring you to enter an extra security value that could be sent to you via SMS, generated using a secure authentication token device or even displayed on a mobile app. You should activate all such features if available.

The internet is awash with ‘free’ cloud providers, and while on the surface some of them may seem acceptable for business purposes, some of them are not. I cannot stress enough the importance of ensuring that the tools and providers used are fit-for-purpose.

Case in point, in early 2012 the well-known internet file sharing site known as Megaupload was shut down when it was embroiled in a copyright infringement case. As a result, a business known as OhioSportsNet was greatly affected. It was using Megaupload to store its own files and video footage of high-school sports events – all of which was permanently lost.

If you are using ‘free’ cloud file storage, make sure you understand the risks involved, and if the files you intend to store are valuable, then invest the time and effort to ensure you have backups of that data elsewhere.

A lot can be said for the immense benefits that globalisation has provided to consumers economically, and this has been no more evident that on the internet. But you should be aware that in some cases the differences in laws and jurisdictions can present challenges if you are forced to react to an exceptional circumstance if using an internationally-based Cloud provider.

Dealing with an Australian-based company (including international providers that have local operations) tends to be the lower risk option for taking up Cloud-based services. Be wary of foreign and ‘free’ operators and ensure that you do your homework and seek advice.

Summary of tips for end-users:

  • Keep usernames and passwords secret; as you should already be doing.
  • Turn on extra features such as login notifications or two-step verifications.
  • Ensure you understand the value of your data and keep backups accordingly.
  • Give preference to locally-based providers for better legal protection.

Cloud Storage Security Issues For Educational Institutions

Educational institutions, not unlike businesses, are often faced with the problem of trying to implement stable and reliable IT systems and practices for adoption by employees in a world where consumer technologies and free alternatives are now competing.

It is understandable that time poor teachers are tempted to jump the gun to solve their own IT problems or implement technologies they are familiar with. However, it is important that educational institutions address this problem directly with a mix of dialogue and pragmatism.

The biggest risk is that of compliance with the recently reformed Privacy laws in Australia, especially Privacy Principle No. 8 which refers to “cross-border disclosure of personal information” – in particular, make sure that teachers do not take data storage matters into their own hands without the knowledge of the school.

The easiest risk mitigation for privacy compliance may well exist in the choice to use a locally-based Cloud provider, rather than one overseas – or at the very least to have a detailed understanding of the terms and conditions of Cloud storage suppliers to ensure they can comply.

Furthermore, it is critical that institutions only implement business-grade solutions offered by providers that have matching service level agreements (SLA) and protections against data loss. While ‘free’ or very low cost options may be tempting, the risk calculations never lie: you get what you pay for.

Managing staff accounts and access to a Cloud storage provider is also much simpler when using a service that allows a central administrator to create and remove access as needed – ensuring that staff turnover has little impact on the ability of the institution to effectively retain valuable data over time.

Finally, and as with the precautions needed by end-users, having an independent or third-party service that provides data backup or archiving is critical to insulating the entire institution from a catastrophic loss of data at the hands of a Cloud provider.

In the United States, when Hurricane Sandy hit New York State, some Cloud providers experienced outages lasting up to 23 days, so it is worthwhile ensuring that you have contingencies in place for unexpected natural disasters – do not assume that the Cloud is infallible.

Summary of tips for education institutions:

  • Enforce a policy to ensure only officially implemented Cloud providers are used.
  • Review compliance of third-party and international providers with Australian Privacy laws.
  • Consider using the services of a locally-based Cloud provider for ease of compliance.
  • Only use business grade offerings, not free or low cost, however tempting they may be.
  • Manage staff accounts, security and access centrally with your IT administrator.
  • Always consider a third-party backup or independent backup scenario.

So, how secure is the Cloud? Provided you take the right precautions at securing your access control, compliance and backups, usually a reputable Cloud provider will be able to easily surpass the availability and assurance that you would be able to achieve yourself.

 

The following two tabs change content below.
Michael McKinnon

Michael McKinnon

Director, Commercial Services at Sense of Security
Michael McKinnon is Director, Commercial Services at Sense of Security. With more than 20 years’ experience in the industry, Michael is passionate about new and emerging technologies and is committed to educating the community on safe online practices. He is renowned for delivering informative and entertaining presentations on internet security, now and into the future, and on keeping children safe online.


There are no comments

Add yours