What has not been said on the Internet and its data security? While scandals are going well, from data theft at Dailymotion or Yahoo to the Panama Papers and Wikileaks, cloud security is constantly questioned. Cybercrime and espionage are on everyone’s lips. Where’s the truth? Is the cloud that risky? This short post provides an introduction to the security of data stored in the cloud, and how to protect everything to the best of our possibilities and those offered by the service provider.
Before discussing security, let’s question the threats. What are we protecting us from? Usually the first answer that comes to mind is data theft. For an organization, this may mean intellectual property theft, theft of customer or loss of reputation. For an individual, it’s access to his bank accounts, usurpation of her identity or publication of confidential information to harm the individual.
As Eric Schmidt, former CEO of Google, said “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Easy to say, especially when it concerns genuinely confidential information which are not intended to be broadcasted. Beyond the question of the storage of information, the question is: are they safer in the cloud, on a server of the company or on my personal computer? We will come back to this question.
The other threat is the destruction of information. This is the case of some viruses which merely ‘just’ destroy everything with the intent to harm. It is in these moments that one realizes that the backups that were made are not comprehensive or accessible. Famous Murphy’s law!
Finally, in recent years, a growing threat is ransomware. This practice is either to steal data or to encrypt it, and then to ask their owners a ransom to get them back or get the encryption key. This type of attack is growing from year to year. According to Kaspersky Lab, twenty percent of victims who pay do not recover their files. So, the question is: should we pay?
What do we need to do to protect ourselves from these threats? Computer security experts and publishers of security solution recommended several actions:
Protect yourselves. This seems common sense, but easier said than done. While the attack surface increases (I’ll come back on this notion), threats evolve constantly and user awareness lags, putting the entire system in danger.
Assess the risks and the costs. Security has costs and consequences. It is not possible to protect everything unless you live in a total vacuum. The risk of data loss or theft should be assessed, and appropriate measures taken.
Classify information. Classify data allows you to know what is public, what isn’t, what is highly confidential and what is less. This allows to implement security rules based on the processed data.
Implement best practices. Human beings are often the weakest links. Identity theft is more and more the entry point to information theft. An identity protection policy needs to be setup through strong passwords or multi-factor authentication, to limit these risks.
Basic notion of security
Information security is a broad topic. Nowadays, it has become everybody’s concern and has entered the boardroom. You will find many books and articles about it, as well as many companies whose unique job it is. To enjoy the safety of cloud services, it seems essential to know what we’re talking about. Information Security is defined around four main concepts: Privacy, Integrity, Availability and Non-Repudiation.
As per ISO / IEC 27001, privacy is defined as the “right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom the information may be disclosed”. The identification of the users, the rights attributed to them and the encryption of information play a major role in protecting the access to information.
Integrity means that the information is complete and accurate. This also indicates that it cannot be modified by chance, unexpectedly or maliciously. Generally, the traceability of changes, the continuous backup of previous versions and control sums are there to guaranty the information integrity.
Availability defines that access to information is available within the limits defined by its owner. In the case of the cloud, we have seen that availability was the subject of a precise classification. To this, access time may be added, which may be defined according to the type of information (data archived may require more time to be retrieved for instance than “live” data).
This is a legal feature, a subset of integrity. It means that the sender and receiver of information are who they claim to be and that the information sent is consistent with the information received, and has thus not been altered. The mechanism of digital certificates is generally used and accepted by justice to prove non-repudiation. You must be able to guarantee security (integrity, confidentiality and availability) of its private key. This is where logical mechanisms as e.g. smart cards play a major role.