Is cloud storage innately insecure?
Off the Beat: Bruce Byfield's Blog
Whenever a major security story like the recent leak of nude celebrity photos occurs, I hope that some serious discussion will happen. But I am always disappointed, and this time was no exception. No one, apparently, wants to explore the obvious -- that, just maybe, buying cloud storage is a flawed business and security model.
I understand why people buy cloud storage, of course. It's convenient, especially if you want to access your data from multiple computers and different locations. Almost certainly, it is cheaper than paying for your own system administrators or even buying new hard drives.
And let's not forget the coolness factor of using the latest technology. For an industry populated by intelligent people, the tech world sometimes has a distressingly strong herd mentality. Often, it leads to everyone stampeding towards the latest and greatest, even though there's no pressing need.
The plain truth is that cloud storage is attractive, and few of its customers would return to administering their own files or carrying flash drives to transport information from computer to computer.
So, instead of re-evaluating buying cloud storage, they insist that security breaches can happen with any technology, and quickly return to business as usual. At the most, they check the settings on their cloud accounts and maybe make a change or two before forgetting what happened as quickly as possible. Unfortunately, such responses do little to alleviate the essential problems.
The business model
Buying cloud storage comes down to a matter of trust. As a buyer, you trust that the seller of storage will keep your data safe.
The seller is supposed to have a simple incentive to honor that trust: security breaches makes potential and current customers less likely to buy more storage or services. iCloud, for instance, can only express concern and move quickly to investigate the recent photo leaks, in the hopes that, in not too many financial quarters, customers have forgot all about its failure.
Unfortunately, however, that incentive is simply not enough to protect buyers. Other services entrusted with customers' personal information, such as banks or credit unions, are subject to regulations and inspection that give a certain amount of guarantee to customers that everything is being done to safeguard their affairs.
These guarantees sometimes fail, of course, but they are considerably better than nothing. However, when you buy storage, you are asking the provider to police itself -- an expectation that is hardly best practice, no matter how good a reputation the provider has in other areas of business.
iCloud, for example, may advertise its security precautions and reassure potential buyers that "iCloud takes care of everything" and that Apple has "a company wide commitment to your privacy" but its terms of service makes clear that this care and commitment does not extend to taking any responsibility for your data loss:
TO THE GREATEST EXTENT PERMISSIBLE BY APPLICABLE LAW, APPLE DOES NOT GUARANTEE OR WARRANT THAT ANY CONTENT YOU MAY STORE OR ACCESS THROUGH THE SERVICE WILL NOT BE SUBJECT TO INADVERTENT DAMAGE, CORRUPTION, LOSS, OR REMOVAL IN ACCORDANCE WITH THE TERMS OF THIS AGREEMENT, AND APPLE SHALL NOT BE RESPONSIBLE SHOULD SUCH DAMAGE, CORRUPTION, LOSS, OR REMOVAL OCCUR.
In other words, despite advertising security features, Apple by no means makes any promises that those features will be enough. Nor are Dropbox's terms substantially different. Amazon does accept liability up to $50, but that is hardly enough to change the general trend. In buying cloud storage, you are required to trust while being given absolutely no reason to do so.
The security model
Having an agreement that actually protects you might be some consolation if your data is lost or stolen. However, it is a limited consolation, the kind you might feel if your car was center-punched in an intersection and you wake up in the hospital in a body cast but knowing that you had the right of way. Your privacy has still been violated, with all the embarrassment or business disadvantage that implies.
Underlying the entire idea of cloud storage is that you are entrusting your security to someone else. Even worse, you are generally doing so on the basis of advertising and not much else.
Obviously, your own security may be inadequate. But, if you take the precautions that you should be taking, then theoretically you can discover those inadequacies and correct them.
By contrast, you have nothing but a provider's word that its security is adequate. Unless you happen to have personal contacts among the provider's employees, you usually have no way of knowing if the promised security is actually being provided. No doubt the storage providers do their best, but everyday practice can deviate a long way from declared policy without anyone in particular being to blame.
In particular, you cannot know how many people have official access to your data -- or, even more importantly, how many have unofficial access. Are machines left running so that the night janitor can sit down and view files? How careful is the provider about removing the accounts of ex-employees? Does your provider allow government representatives access to your files? On your own servers, you or someone in your company should be able to answer such questions. In cloud storage, you can only trust that all is well.
These questions are not merely the paranoia they might sound to the layperson, either. Social engineering, the bypassing of security by exploiting human weakness, is by far the most common form of cracking. Even if you have no reason to doubt the security measures provided, you still have no way of knowing how well they are enforced.
Yet whether the recent photo leak is blamed on social engineering or the brute force exploitation of weak passwords, the problem remains the same: when you buy cloud storage, you are vastly complicating your security -- if not compromising it entirely.
Protecting Yourself
None of what I say is going to change most people's habits. Cloud storage is too convenient for people to walk away from entirely. As Linus Torvalds mentioned in his recent Q & A at Debconf, security experts tend to view these issues in black and white. A truly secure computer might be one without an Internet connection in an underground room accessible by only one person, but who would want to use it?
Still, you can help to reduce the risk by making sure that you take advantage of all the services that your storage provider offer. Strong passwords, two step identification, and strong encryption can all help to minimize the risk of trusting someone else.
Better yet, look for ways that you can retain the convenience of cloud services while regaining control of your data. If possible, encrypt your data yourself rather than relying on the provider to do so.
You might also look into applications like Tahoe-LAFS, which allow you not only to encrypt files yourself, but to divide files into shares. To read a file, you need to be able to download a set number of shares, and, these shares can be distributed over several cloud storage services, which complicates any cracker's life considerably.
However, by far the strongest precaution is use software such as ownCloud to set up your own cloud storage. In this way, you retain full control while enjoying the convenience of the cloud.
All these alternative reduce the central issue that giving unearned trust to a third party is generally a poor business practice and a violation of security principles. Your security might still be violated with these alternatives, but at least if you get careless, you have no one to blame for your troubles except yourself.
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.
-
New KDE Slimbook Plasma Available for Preorder
Powered by an AMD Ryzen CPU, the latest KDE Slimbook laptop is powerful enough for local AI tasks.
-
Rhino Linux Announces Latest "Quick Update"
If you prefer your Linux distribution to be of the rolling type, Rhino Linux delivers a beautiful and reliable experience.
-
Plasma Desktop Will Soon Ask for Donations
The next iteration of Plasma has reached the soft feature freeze for the 6.2 version and includes a feature that could be divisive.