By Summer Hirst
"I've
looked at clouds from both sides now, from up and down, and still
somehow... it's cloud illusions I recall... I really don't know clouds at
all." - Judy Collins, Singer, "Both Sides Now"
Judy Collins, as confused as she was about the real clouds, might not have been able to figure out the tech clouds either.
Among
other buzzwords, "the cloud" is very commonly heard when we discuss
technology. You might have heard tech gurus, millennials, or even your
grandmother use this word but does anyone really understand the cloud?
This is why when The Onion released a parody video on how nobody really knows how cloud works, it instantly clicked. The movie Sex Tape depicted the same: "Nobody understands the cloud!"
The fact, however, is different. The cloud isn't all that hard to understand.
Cloud
computing can be compared to using someone else's computer. For
example, when you use Gmail, you store your email on Google's cloud. So
your emails are not stored in your local device but on Google's device.
Or
imagine playing videos on YouTube. The videos you play are not stored
on your device. Instead, they are stored on Google's computer and you
watch them directly from there, even if those computers are thousands of
miles away from you.
A
cloud can be referred to as a group of machines with storage and
processing capabilities. This group acts as an extension to your
device.
Whether
you're working on your iPhone, Android, laptop, or any other device,
all the big companies have huge data centers that have storage
"factories". Companies such as Apple, Google, Microsoft, Amazon, Yahoo,
etc. have their own data centers.
So yeah, the cloud isn't just a vague concept. It's real, concrete, and tangible.
Let's Discuss Some Obvious Questions You Might Have About the Cloud Technology
What is the cloud again?
Apart from the mass of tiny liquid droplets of water, a cloud is a data center or a collection of servers where data is stored.
If I had to see where my files were stored, where should I go?
Cloud
companies have storage factories all over the world and you won't get
to know which factory is storing your files. So you can't really go
looking for them. But you WILL be able to see them all on your device.
Why should I use it?
You're
probably using it already. Using email? Watching YouTube videos? Using
automatic backup facilities on your smartphone to store your photos?
Yep, you're using the cloud.
According to a report,
only 26% of cloud users know that they use cloud technology. If you
think you don't use the cloud, you need to analyze your internet habits
and see how common and extensive the cloud is.
Does everyone have their own cloud?
The
data is stored on common disk space. But you do have a separate portion
of it. Your files, notes, and photos, etc. can be accessed only by you.
Of course, if your password gets hacked or you forget to log off your
device, your account can be seen by others.
Why is cloud so confusing?
It
doesn't have to be. Cloud is just a name given to data center that
store data so you can use it remotely on your device. That's it.
A
few years back, people stored files on floppy disks. As file sizes
grew, floppy disks became insufficient. They were replaced by CDs. Then
DVDs. USB storage devices. And now, it's the cloud. Instead of carrying
around your storage, you take up a part of a large server and store your
files there.
It's Cloudy Everywhere
Still
think you're not a part of the whole cloud universe? Here are some
companies that provide their services through the cloud. Ever used one
of these?
- Airbnb: Hospitality services that help you travel around the world
- Dropbox: A data syncing software system
- Facebook: A social media giant with billions of users
- Twitter: Microblogging platform for individuals and businesses
- Evernote: Similar to Dropbox - a service that stores your notes and files
- Netflix - video streaming
- Spotify - music streaming
- Zynga - online gaming
All the above services have these things in common:
- The user isn't involved in the active management of services.
- You don't need physical access to gain access to these services.
- You get on-demand services, which means they're there when you need them.
How Cloud Has Changed Our Digital Atmosphere
Before
smartphones, laptops, and tablets, we had a big box under the desk. It
housed the processor, hard disk, and other components of the computer.
After the cloud, we don't have to buy big data storage devices. We can rent a part on a server and store our data there.
That's not the only benefit. Here's what you get from the cloud.
- Reduced costs: Instead
of buying expensive storage devices, you can store your documents and
files in the cloud. And if you don't have a lot to store, you can use
free cloud services.
- Increased reliability: If
you lose or drop your hard disk, your data will be erased permanently.
Same with a hard disk crash. However, when your data is stored in a data
factory, it's taken care of by expert engineers and is well-protected.
- Universal access: You're
at a vacation and realize you have to send an important file to your
boss. If it's on your hard disk, there's no way of doing that. But with
cloud, you can send that file from anywhere you are.
- Device independence: You
can access your files from any device. For example, if you have your
files on a DVD, you can use it only on your computer. But with files
stored on the cloud, the files can be accessed from your computer as
well as your phone.
- Unlimited resources: You
can use online tools that you don't have to download on your device.
There are several tools for designing and programming that run on the
cloud.
- Remote sharing: You can share your files with others over the cloud. You don't need to be located geographically close to each other for that.
Let's
take the example of Uber. It uses maps, geolocation, online payments,
and SMS technology. All of this would need a cloud service to work
right.
The
user books a cab, sends their location, and finds a driver. The driver
arrives and finds the person and both the parties communicate. Once the
cab drive is complete, the financial transaction is done.
Without cloud services, all this wouldn't be possible.
But while it sounds very attractive, is it completely free of risk?
Can You Trust the Cloud?
That's an important question. Can you really place your sensitive data in the cloud?
Having
your files synchronized in Dropbox, Google Drive, Apple iCloud, or any
other cloud service is certainly handy. Even if you lose your smartphone
or break your laptop, you'll still be able to retrieve your photos and
documents.
But should you assume that your data is safe?
The
fact is that no data is ever 100% safe, whether you save it on the
cloud, PC, smartphone, SD cards, USB hard drives or floppies. Even when
the cloud service encrypts your data so that it's practically
unhackable, even with supercomputers. In theory, nothing is absolutely
secure.
There
have been cases of hacking where servers of big companies have been
hacked. In May this year, Canva, the graphic designing service suffered a
data breach where the records of 139 million users were compromised. And this is just one of the many, many data breaches that occur every year.
Jack Schofield, a technology journalist, once said, "Never assume your data is safe, even if it's online."
Let's
add a corollary to that - backups don't exist unless your files are
available on at least three different places. And deleting them from one
medium should not affect the others.
Why Are People Hesitant When It Comes to Cloud Technology?
It's not physically under your control.
With
the cloud, your personal photos and videos are "up there" and you're
not directly in control. So you're not sure if that's trustworthy.
With
a USB hard drive, you know your personal items are with you. There are
no copies. You control what you have. With the cloud, who knows how many
copies are there - at least that's what the common fear is.
Someone
else is handling your files so your security lies in their hands. And
they're not just handling your files but the files of thousands of other
customers. Would they care about your files specifically? You know
you're not directly in control and this is what makes you anxious.
That's not the only security concern. There are several other considerations. Let's look at some of them.
Cloud Security Concerns
Sure,
the cloud is convenient, cheap, and has changed the way we live.
However, there are a number of security issues that can lead to
cybercrime.
Hackers
use a number of techniques to access our private data without any legal
authorization. They can also use phishing to lure you into giving them
your cloud credentials. Here are some security risks that loom over
cloud technology.
Malware Injection
A
malware injection is a code or script that's embedded by a hacker into a
cloud service that acts as a valid instance. This means that the cloud
server will read it as a normal script and perform the actions in the
script without detecting a breach.
Once the injection is executed, the hacker can read the contents and compromise sensitive data. According to a report by East Carolina University, malware injections have become a huge security concern for cloud security.
Man in the Cloud
Just like the man in the middle attack, if the hacker is in the cloud, it's called the Man in the Cloud (MITC) attack.
These
attacks are worrying as they don't require any malicious code or other
exploits during their initial stages. Instead, they depend on the file
synchronization services for gaining command and control. A hacker can
just reconfigure cloud services without the knowledge of the end user
and create an attack tool.
And the problem is that it might not be easy to recover such compromised accounts. According to a report by Imperva, MITC attacks are not just threats but have actually happened.
The
process of synchronization to the cloud is as follows: Files are added
to the local sync folder. These are automatically uploaded to the cloud.
Any files loaded directly to the cloud are also downloaded to the sync
folder.
The
system monitors the sync folder to see if there are any changes. If any
changes are detected, they are communicated to the cloud using a
dedicated channel. Any changes made to the cloud folder are also
reflected on the local sync folder.
To
communicate with the cloud, a user needs credentials. But most cloud
services use sync tokens instead of explicit username/password
combinations.
The
reason behind that is even if the token is compromised, it will not
compromise the account. However, there's a weakness in the sync token in
which if the hacker gets the host_id value of the token, it will be
impossible to revoke permissions even if the password of the account is
changed.
Account Hijacking
Since
cloud technology is being used widely, account hijacking is a major
risk. Attackers can use your login information to access sensitive data
stored in the cloud.
Apart
from just stealing passwords, hackers can also target scripting bugs to
gain access to unauthorized data. In 2010, Amazon saw a scripting bug that
was aimed to steal user credentials. It was discovered and purged
quickly but this just goes to show that scripting bugs can find their
way into even the most secure systems.
Apart from that, hackers can use phishing and keylogging to steal user credentials.
Meltdown and Spectre
In January 2018, studies showed
that a feature that's common in most microprocessors could let content
(including encrypted data) by read from the memory using malicious code.
There
were two variants of this issue and they are known as Meltdown and
Spectre. They can affect any device from servers to smartphones. Since
they have the ability to affect data centers as well, this is a cloud
security threat.
Both
these variants allow side-channel attacks. Any attacker that has used
hacked credentials to access the system can read the kernel
information.
While
there are patches for this issue, they cannot stop the attack. They can
only make the attack a bit difficult to execute. Also, these patches
can reduce the performance so some organizations might not want to use
them.
The CERT advisory recommended replacing all processors with this feature, which is a tough call.
The
good thing is that there have been no reported cases where a hacker
used Meltdown or Spectre. But experts believe that these attacks are
likely. The best thing for all cloud providers is to use the patches
that are available.
As a customer, you should ask your cloud provider how they intend to respond to Meltdown and Spectre.
Security Concerns in the Coming Years
A Gartner study shows
the security and privacy concerns related to the cloud will continue to
haunt corporations and consumers. While the study also predicted that
about 95% of failures related to cloud security will be due to
customers' mistakes, there are also several security concerns that cloud
companies should take into consideration.
A recent study by
Cloud Study Alliance showed that companies have started adopting cloud
technology but there are several security concerns related to
unauthorized access and data leaks. Security in public cloud atmosphere
is the responsibility of users and providers.
The big question about risks is that do they ever materialize?
When Cloud Got Hacked
Sure,
the cloud has tight security. But it is not infallible. While companies
might follow strong safety protocols, if your password is weak and
someone guesses it, they can get access to your files. It's all about
finding the weakest link.
Let's look at some cloud horror stories.
The Fappening
Not many years ago, there was the great iCloud hack when
celebrity nudes were leaked and published online. This was called the
fappening and it gained a lot of popularity because of its controversial
nature.
According to TechCrunch, it was less of a hack and more of combining phishing attacks, guessing passwords, and using the Forgot Password links.
Any technology is only as strong as the weakest link. The security of your account ultimately lies in your own hands.
College professor lost her Dropbox data
A college professor lost over 3,200 files from
her Dropbox folder. Dr. Heidi Kevoe-Feldman, professor at Northeastern
University, had been using Dropbox for several years and very carefully
at that.
She
kept files in two computers and in her Dropbox and she had them all
synced. Her files went missing from the Dropbox folder as well as the
two computers. They were also gone from a backup external hard drive
that was also synced.
Luckily
for her, she used the Time Machine feature on her Mac computer and was
able to get back all the files. If she didn't have that feature, her
files would've gone forever.
This
story is especially scary because Kevoe-Feldman took complete care of
keeping multiple copies so that she doesn't lose the data and yet,
somehow, she did lose it.
JetBlue flights delayed
In 2016, there was an outage at one of the Verizon data centers,
leading to disruptions in the flights of JetBlue Airways. The airport
and check-in gates were affected along with the JetBlue website, app,
and toll-free phone number. The problem was resolved in a few hours but
led to the delay of 200 flights.
It wasn't disclosed which data center was affected and why the auxiliary systems didn't work to compensate for the outage.
Uber Failure
In 2016, Uber received emails from
an individual saying that he has access to data stored on the private
Uber cloud on AWS (Amazon Web Services). Uber investigated and found
that he indeed had access to archived copies of the database.
The
hacker gained access to that data because Uber didn't use multifactor
authentication on its GitHub account. Instead of revealing the hack, the
cab company kept quiet for over a year and even used its bug bounty to keep the hacker silent.
GCP attack
In January this year, hackers used GCP (Google Cloud Platform) to launch a malware attack using
PDF baits. This attack primarily targeted banking and financial
institutions. Public firms all over the world were their secondary
target.
Voter Records Leak
In 2017, the records of over 198 million US voters were
made public. These records contained the data of voters for over 10
years. The database was owned by Deep Root Analytics and it was stored
on the Amazon S3 server.
The
data was made publicly available because of a misconfiguration problem.
While it wasn't a hacking issue, it was a serious security risk.
Alteryx Data Breach
The records of over 123 million US households were
exposed due to a data breach. The database contained 248 categories
including phone numbers, ages, addresses, and personal interests. The
data was stored on AWS and Alteryx failed in providing it the right
layers of security.
While there was no evidence of this data landing in the wrong hands, but the vulnerability is still a huge problem.
These were just a few of the innumerous cases that happen every year.
Organizations
often misunderstand the security offerings of modern cloud services
such as Google, Amazon, and Microsoft, and this is why there are cases
of misconfiguration.
How to Safeguard Your Data in the Cloud
Check Cloud Server location
There
are several US-based cloud services. However, since the US is among the
Five Eye countries, there are strong chances that they'll spy on your
data.
It's
best to select a cloud provider that's located in a privacy-friendly
country. Also, try to use a zero-knowledge cloud service. Zero-knowledge
cloud means they won't know what you keep in their folders.
On some occasions, Dropbox has restricted users' file access because
they were not in accordance with DMCA rules. However, they say that
they review only public links and not private folders.
But then, we cannot forget that Snowden warned us that
Dropbox is hostile to privacy as it had appointed Condoleezza Rice,
former Secretary of State, to its board. She's still on the board and
has always been anti-privacy, so Dropbox's dedication to privacy is
questionable.
Keep local backups
Although
this kind-of beats the whole purpose of using a cloud service in the
first place, if something is very important to you, make sure you also
have a local backup with you so you don't face what Dr. Heidi
Kevoe-Feldman faced.
Also,
don't sync your local backup with the cloud. Otherwise, if something is
deleted from the cloud, it might disappear from your local backup as
well.
Use a VPN
While
many cloud services keep your online data encrypted, it is still
unguarded when you share your files with someone else on another medium.
To make sure all your data is safe when it travels through the
internet, use a VPN.
Just like a zero-knowledge cloud service, make sure your VPN is a zero-log one so it doesn't track your online activities.
Be cautious
If
we have learned anything from the fappening, it's that we should keep
strong passwords and not fall for phishing. Cloud technology can be safe
only if you're careful. If you keep "password" or "abc123" as your
password, no amount of security will keep you safe.
Also,
if you plan to make a sex tape or keep nudes on your phone, it's best
to not upload them to the cloud. Before you make a video or click
photos, turn off the auto cloud backup option from your phone. Once
you've recorded the video, export the files to an external local hard
disk. Now delete it from your phone and recycle bin before you turn the
automatic backup on.
The Cloud's Nature
The
cloud can be dark and ominous or white and fluffy, depending on how you
use it. If you're a Bob Ross fan, you might even call it a happy little
cloud.
It
offers the benefits of lower costs, flexibility, scalability, and ease
of use. Of course, there are some security concerns as well but several
security failures have happened due to neglect on the part of cloud
users.
The
notion that only onsite data is safe isn't true. Today's cloud
providers have invested a lot in security and they intend to keep user
data completely secure.
But
the trick is to find the right provider that doesn't intend to snoop on
your files and to stay careful while uploading and syncing to the
cloud.
Even
if your data is not stolen or publicly published, it can still be
available to the government. If the government demands to see the data
you've stored in the cloud, it's up to the cloud service company if they
want to deny access.
Companies like Microsoft and Google often get requests from various governments to access user data. In several cases, these companies hand over some kind of data, even if it's not the full content. Google published its transparency report showing how often they are contacted by governments and when they comply with their requests.
The
moral of the story is that if you want to fully enjoy the benefits that
the cloud has to offer, you need to think before you sync.