Is cloud storage innately insecure?

Off the Beat: Bruce Byfield's Blog
Whenever a major security story like the recent leak of nude celebrity photos occurs, I hope that some serious discussion will happen. But I am always disappointed, and this time was no exception. No one, apparently, wants to explore the obvious -- that, just maybe, buying cloud storage is a flawed business and security model.
I understand why people buy cloud storage, of course. It's convenient, especially if you want to access your data from multiple computers and different locations. Almost certainly, it is cheaper than paying for your own system administrators or even buying new hard drives.
And let's not forget the coolness factor of using the latest technology. For an industry populated by intelligent people, the tech world sometimes has a distressingly strong herd mentality. Often, it leads to everyone stampeding towards the latest and greatest, even though there's no pressing need.
The plain truth is that cloud storage is attractive, and few of its customers would return to administering their own files or carrying flash drives to transport information from computer to computer.
So, instead of re-evaluating buying cloud storage, they insist that security breaches can happen with any technology, and quickly return to business as usual. At the most, they check the settings on their cloud accounts and maybe make a change or two before forgetting what happened as quickly as possible. Unfortunately, such responses do little to alleviate the essential problems.
The business model
Buying cloud storage comes down to a matter of trust. As a buyer, you trust that the seller of storage will keep your data safe.
The seller is supposed to have a simple incentive to honor that trust: security breaches make potential and current customers less likely to buy more storage or services. iCloud, for instance, can only express concern and move quickly to investigate the recent photo leaks, in the hopes that, in not too many financial quarters, customers will have forgotten all about its failure.
Unfortunately, however, that incentive is simply not enough to protect buyers. Other services entrusted with customers' personal information, such as banks or credit unions, are subject to regulations and inspection that give a certain amount of guarantee to customers that everything is being done to safeguard their affairs.
These guarantees sometimes fail, of course, but they are considerably better than nothing. However, when you buy storage, you are asking the provider to police itself -- an expectation that is hardly best practice, no matter how good a reputation the provider has in other areas of business.
iCloud, for example, may advertise its security precautions and reassure potential buyers that "iCloud takes care of everything" and that Apple has "a company wide commitment to your privacy," but its terms of service make clear that this care and commitment do not extend to taking any responsibility for your data loss:
TO THE GREATEST EXTENT PERMISSIBLE BY APPLICABLE LAW, APPLE DOES NOT GUARANTEE OR WARRANT THAT ANY CONTENT YOU MAY STORE OR ACCESS THROUGH THE SERVICE WILL NOT BE SUBJECT TO INADVERTENT DAMAGE, CORRUPTION, LOSS, OR REMOVAL IN ACCORDANCE WITH THE TERMS OF THIS AGREEMENT, AND APPLE SHALL NOT BE RESPONSIBLE SHOULD SUCH DAMAGE, CORRUPTION, LOSS, OR REMOVAL OCCUR.
In other words, despite advertising security features, Apple by no means makes any promises that those features will be enough. Nor are Dropbox's terms substantially different. Amazon does accept liability up to $50, but that is hardly enough to change the general trend. In buying cloud storage, you are required to trust while being given absolutely no reason to do so.
The security model
Having an agreement that actually protects you might be some consolation if your data is lost or stolen. However, it is a limited consolation, the kind you might feel if your car were center-punched in an intersection and you woke up in the hospital in a body cast, knowing that you had the right of way. Your privacy has still been violated, with all the embarrassment or business disadvantage that implies.
Underlying the entire idea of cloud storage is that you are entrusting your security to someone else. Even worse, you are generally doing so on the basis of advertising and not much else.
Obviously, your own security may be inadequate. But, if you take the precautions that you should be taking, then theoretically you can discover those inadequacies and correct them.
By contrast, you have nothing but a provider's word that its security is adequate. Unless you happen to have personal contacts among the provider's employees, you usually have no way of knowing if the promised security is actually being provided. No doubt the storage providers do their best, but everyday practice can deviate a long way from declared policy without anyone in particular being to blame.
In particular, you cannot know how many people have official access to your data -- or, even more importantly, how many have unofficial access. Are machines left running so that the night janitor can sit down and view files? How careful is the provider about removing the accounts of ex-employees? Does your provider allow government representatives access to your files? On your own servers, you or someone in your company should be able to answer such questions. In cloud storage, you can only trust that all is well.
These questions are not merely the paranoia they might sound to the layperson, either. Social engineering, the bypassing of security by exploiting human weakness, is by far the most common form of cracking. Even if you have no reason to doubt the security measures provided, you still have no way of knowing how well they are enforced.
Yet whether the recent photo leak is blamed on social engineering or the brute force exploitation of weak passwords, the problem remains the same: when you buy cloud storage, you are vastly complicating your security -- if not compromising it entirely.
Protecting Yourself
None of what I say is going to change most people's habits. Cloud storage is too convenient for people to walk away from entirely. As Linus Torvalds mentioned in his recent Q & A at Debconf, security experts tend to view these issues in black and white. A truly secure computer might be one without an Internet connection in an underground room accessible by only one person, but who would want to use it?
Still, you can help to reduce the risk by making sure that you take advantage of all the services that your storage provider offers. Strong passwords, two-step identification, and strong encryption can all help to minimize the risk of trusting someone else.
Better yet, look for ways that you can retain the convenience of cloud services while regaining control of your data. If possible, encrypt your data yourself rather than relying on the provider to do so.
You might also look into applications like Tahoe-LAFS, which allow you not only to encrypt files yourself, but to divide files into shares. To read a file, you need to be able to download a set number of shares, and these shares can be distributed over several cloud storage services, which complicates any cracker's life considerably.
However, by far the strongest precaution is to use software such as ownCloud to set up your own cloud storage. In this way, you retain full control while enjoying the convenience of the cloud.
All these alternatives reduce the central issue: that giving unearned trust to a third party is generally a poor business practice and a violation of security principles. Your security might still be violated with these alternatives, but at least if you get careless, you have no one to blame for your troubles except yourself.