The cloud is not secure

We’re getting closer and closer to an age where our data is separate from the machines that we use to manipulate and interact with it. A stepping stone to that future is the “cloud” – a remote, server-based repository of your information that can be accessed by a variety of applications and interfaces. In some ways the cloud has been around since the beginning of computing (dumb terminals plugging into mainframes) but the new, shiny, consumer cloud is both similar and indifferent. And there are many incarnations.

Apple’s iCloud is a complex, powerful solution for remotely storing your data and making it accessible to your apps whether on any of your devices. A simpler solution is Dropbox which syncs your files between devices (and offers a decent web interface). In recent weeks Dropbox has become quite controversial. Dropbox had a serious security breach that allowed people to log into any account using any password. It was a very serious flaw and a serious oversight on Dropbox’s part. They’re currently being sued over the matter. More recently they made an important addition to their terms of service which gives them broad-reaching rights over your data. However they have made efforts to make it clear that they have no interests in rights greater than what they need to run the service.

While services like Dropbox are great and convenient (and probably have the user’s best interest at heart) one thing needs to be made very clear: The cloud is not secure. Having a strong password is no guarantee of security. Putting copyright licenses on your work is no guarantee of security if the TOS give the hosting company rights to it. It is safest to assume that at some point in the near future any data you keep on a cloud storage service can and will be compromised. Under “compromise” I include perfectly legal government seizures as well.

The only data that I put in Dropbox is stuff that I will be making public anyways – copies of school projects, essays or reports that I intend for people to see and distribute. I would never put anything I consider even remotely private in the hands of a service like Dropbox. You should only put private, personal data in the cloud if you first encrypt it locally with a proven encryption algorithm and the encryption algorithm is implemented by an open source, trusted piece of software. The open source is important otherwise there is no way to know that there isn’t a backdoor of some sort. To access the data you should download the encrypted version and then decrypt locally. Anything unencrypted that goes over the wire (or the air) is probably wide open to the world to see. For most people this already includes their email and Facebook data.

I keep my online backups in an encrypted Amazon S3 bucket. I also keep some code on a remote server and make sure to connect over SSH. However, I also don’t keep things like passwords, PINs and account numbers in any written form. The only really secure data is data that doesn’t exist. That being said, modern encryption techniques are still a pretty good defense in most cases. In this age of the cloud you should keep in mind that any data you put unencrypted on someone else’s servers (whether they be files in Dropbox or photos on Facebook) is essentially public.

Advertisements

Published by

Shrutarshi Basu

Programmer, writer and engineer, currently working out of Cornell University in Ithaca, New York.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s