Whether you’re aware of it or not, you’re probably already in the cloud. Email providers, online spreadsheet and document programs, and music libraries that synchronize across all of your devices are all storing your data in the cloud. It’s wonderfully convenient, but it also can make your data vulnerable to malicious actors — not to mention service outages.
After all, when your data is stored in the cloud, it isn’t just sitting on your computer or device anymore. It’s sitting on a server somewhere — one that you most likely don’t have physical access to. Fortunately, a combination of common sense and clever security tools can keep your data safe.
Generally, when people talk about “the cloud,” they’re either talking about cloud hosting or cloud computing. In either case, cloud technology allows multiple people to take advantage of a set of networked servers at a data center. In the past, if you wanted to host something at a data center, you had to spend a lot of money to rent a server — meaning it wasn’t feasible for most people.
The cloud changes this by allowing a number of people to securely share a series of servers for numerous purposes – from storage to remotely completing basic tasks. Most applications that use the cloud tend to be automated, so the process is completely hands-off. In this scenario, you never really have to worry about your data — it’s taken care of for you, automatically uploaded to the cloud server whenever you update it.
With an application based in the cloud, you can edit your files from any location. When you type a character into your web browser, it sends it to that cloud application provider’s server, which actually modifies the file and saves the changes.
The cloud lets you access files from any compatible device, and can decrease the risk of catastrophic hardware failure. If you edit documents using an installed word processor and store them on your hard drive, you’re dependent on that drive. Even if you’ve made a backup, you’ll have to reinstall the word processor to edit that file. With a file and application in the cloud, however, your data is stored on a server, along with the program. It’s not invulnerable, but you’re at much lower risk of something happening to it.
But, it’s important to note that the cloud also adds risks. When something is stored in the cloud, you don’t have direct control over that file (or application). If someone manages to guess your password or finds a way to hack in, all your data could be compromised. Large organizations are particularly vulnerable, as they often store large amounts of sensitive information using cloud-based services. If a malicious third party manages to find a security hole, hackers can make off with vast amounts of sensitive data, such as social security numbers, medical records, and credit card information.
The good news is most breaches are preventable. The Anthem breach — which exposed the PHI and financial data of 10 million people — is a perfect example. In the case of Anthem, the hacker only had to gain access to a public-facing portal to obtain entry to everything. If the company had taken the time to implement encrypted cloud storage, restrict access with Data Loss Prevention (DLP), or audit their own security methods, it likely never would have happened.
These days, everyone is in the cloud, from personal users to large corporations. That means that all users (not just large corporations like Anthem) need to be aware of all the ways their data might be at risk. That includes:
Cloud services are more robust than your laptop, but they can still break. Power outages, natural disasters, and even glitches can disrupt service, or even destroy your data.
Often, service outages are compounded by failures in a company’s backup systems. In 2012, for example, an electrical storm disrupted power at Amazon Web Service’s (AWS) East Coast data centers. When the generators at one center didn’t kick in and the software that was supposed to let AWS users switch data centers didn’t work, the outage got much worse. As a result major services including Netflix, Instagram, and Pinterest temporarily went down.
A more recent AWS outage was simply the result of poor planning. Users were using servers more heavily than Amazon anticipated, which caused parts of their system — and the companies that depended on them — to shut down temporarily, again.
Outages that destroy data are rarer, but they do happen. Recently, a series of lightning strikes destroyed several Google servers, completely erasing some data.
The only way to completely protect your cloud data is to store a backup copy in another location. You can use a different cloud data storage service or a tape backup facility, or just keep a copy on your computer. The important thing is to keep an extra copy, and make sure you update it every time you change the original.
In cloud storage, as in email security, a weak password can gives hackers an easy way into your account. It’s not enough just to avoid using personal information like your birthday, or obvious sequences like “password” or “12345.” Even a random password is vulnerable if it’s short, because hackers can use programs to try every combination until they guess the right one.
Fortunately, adding just a few extra characters to your password can strengthen it dramatically. A password with 12 or more characters that has uppercase and lowercase letters, numbers, and special characters is considered basically unhackable, as it would take about 15 million years to try all the combinations. Choose a long password that’s easy to remember, use different passwords for each account and change your passwords frequently to keep your cloud data safe.
Most cloud storage services are designed to automatically sync data. While that’s usually a great thing, as it means your data is always backed up, it does have a dark side. Loading the cloud app — or even just turning on the device — gives the user immediate access to the stored data. Unfortunately, this can potentially allow hackers to gain access to your files.
One of the worst security holes — the man-in-the-cloud attack — can compromise popular programs like Box, Dropbox, and Microsoft OneDrive. Hackers can steal the security token that gives your computer access to the cloud, even without your password. They can then use the token to access your data, or even encrypt it and hold it hostage. Alternately, they can modify your files to inject malware into your computer.
Clearing your cache regularly and not saving passwords on your computer can defeat some hackers, but won’t prevent man-in-the-cloud attacks. Likewise, encrypted cloud storage can prevent hackers from reading your data, but it can’t stop them from deleting or sabotaging it.
A cloud access security broker such as Imperva Skyfence or Bitglass can prevent this attack by acting as a barrier between your computer and vulnerable SaaS programs. You should also turn off automatic sync, and avoid public, unsecured WiFi whenever possible. Finally, check the dates on files stored in the cloud to see when they were last edited; if someone has made recent changes to a file you haven’t opened in a while, it could indicate you’ve been hacked.
It’s hard to tell how well cloud providers are protecting your data. Reading the terms of service will let you know if a company might intentionally use or disclose your data, but it won’t reveal sloppy internal security and a failure to follow security best practices.
Unfortunately, if your organization’s data is compromised, you could be held responsible, even if the provider is at fault. Businesses are required to safeguard sensitive personal information, particularly info governed by compliance regimes such as HIPAA or PCI. Even if your cloud provider claims to be “HIPAA compliant,” that doesn’t necessarily protect you or make you compliant.
To mitigate your risk and liability, pick a provider that uses external auditing. Look for cloud providers that undergo auditing for SSAE 16 Type II compliance, ISAE 3402 compliance, or both. If outside security experts have carefully audited their security, you can be reasonably sure it’s safe.
Encrypted cloud storage provides an extra layer of security to your data. Even if a hacker gains access or a secret government court orders a cloud storage provider to disclose your personal information, they still won’t be able to read it.
Client-side encrypted cloud storage doesn’t come standard with most SaaS business software such as Office 365 and Google Apps (now known as G Suite). Many services encrypt data in motion — the information flowing between your computer and the cloud service — which is a great start. However, this protection is usually based on SSL/TLS encryption, which is vulnerable to attacks.
At Virtru, we’re working hard to make cloud solutions even more secure. Our G Suite encryption protects spreadsheets, documents, and other confidential data in the cloud, no matter where it travels. And because it uses client-side encryption, it’s not vulnerable to attacks that can compromise less complete encryption protocols, such as SSL/TLS.
The larger the organization, the easier it is to lose track of where data is. Employees can accidentally save company assets to personal accounts, give the whole company access to files that only a few should see, or accidentally forward confidential reports to the wrong people. If a malicious person gets access to that information, it can result in lost clients, big compliance fines, and permanent damage to your organization’s reputation.
Companies can improve the situation with good data loss prevention policies, governing how employees are allowed to use, access and share cloud storage. However, policy alone can’t always prevent the biggest security hole: human error. No matter how many memos you send or trainings you hold, an absent-minded employee could still hit “Reply to All” and expose important company secrets.
Virtru DLP provides a crucial barrier against human error by stopping emails that could expose data before they are sent. It can encrypt or strip attachments automatically, pop up a warning if an employee tries to email a Social Security number (or other sensitive information) and even automatically forward certain messages to your IT administrator.
With common rules to detect sensitive data, rule packs for compliance with security regimes such as HIPAA and the ability to make custom rules, it’s easy to configure for your company’s unique security needs.
The cloud has changed IT security forever. You can’t wall in your data with firewalls when your data is scattered all over the planet. The only way to protect information is by making it secure by default by using strong encryption. That’s where we come in.
Virtru encrypts emails with a single click, ensuring that only the intended recipient can read your messages. Virtru DLP adds the ability to enforce security in your organization, preventing the slip-ups that can expose sensitive data. Finally, our G Suite software provides client-side encryption for G Suite, allowing you to safely store files in the cloud without having to worry about who might see them.
Contact us to learn more about our partnership opportunities.