Are you the reason why the cloud isn’t ready for the masses?

This is an anonymous post from a friend who has been involved in the tech industry for the past 7 – 8 years. While we are not always aligned in our views, he brings some unique insights that are worth sharing to get a diverse perspective on the issues.

“I’m not an expert on cloud storage or security, but I do know enough to be dangerous. One thing I do know for sure is that the cloud isn’t ready for the majority of people to store their personal content. My parent, my siblings, my wife and my brother-in-law are all smart and intelligent but they are all exposing themselves to significant risk by using the cloud.

What bothers me a lot about this is that there are many vendors that oversell the benefits of cloud storage and side-step some of the risks. They put the burden on the consumer to figure it out themselves. They even opt users in to using the cloud by default or make it confusing to turn the cloud sync functionality off. I’m looking at you, Apple.

“How do I turn the damn cloud off”

You need not look further than Jennifer Lawrence or other data breaches to see the impact of such an issue. Forget the millions of cases that never make it to the front page.

The biggest problem that we currently face is in dealing with passwords. The concept of user name/passwords is over 20 years old. As such, the weakest link isn’t the cloud but the user. Phishing can make it very easy for a user to give up their password. Even in cases where phishing isn’t involved, many users will use the SAME password on websites that they really should not trust. If Uber can have loose controls over who accesses your data, I guarantee you that other websites have weak controls as well.  Who in those companies has seen your password? Do you even know?

What’s really scary is that you can be careful and provide unique passwords to each website, but accidentally type in the wrong password once and lose all the security you depended on. This is because some websites might be logging your password. Facebook’s founder took advantage of such an approach when he was in college. I used to accidentally do this all the time.

There are ways to alleviate this issue, but NO ONE wants to use them unless forced. One-time passwords (OTP) are a good example. Phones are a great way to actually verify the user. They allow a user to control who has access, because the minute they lose their phone they know that they are no longer secure. Setting up an OTP on your phone is what major cloud service providers recommend, but few know about it or use it. It also needs to be simpler AND available for use on ALL sites that you trust.

1Password-like solutions are also another great option. There is a chance your one local password could be compromised, but it is significantly lower risk than manually entering in the same password across websites (possibly over the unsecure internet).

There are so many vectors for attack and many papers have been written about them, but OTP and 1Password-like solutions alleviate a lot of them with regards to protecting access.

For full disclosure, as I said before, I know enough to be dangerous. As such, I put a lot of sensitive data such as health related receipts in the cloud because I have given it significant thought and found it untenable to keep hundreds of receipts in my basement. I also use a VPN over insecure WiFi and encrypt files – but I think that’s a little extreme for most.

The reason why I wrote this blog post is because a lot of cloud vendors make ease of use a priority over security, because they need to show their VCs growth. But, they need to make our security our priority and innovate beyond the password. The assets they keep in their storage are, in many ways, more important than those kept by a bank. Once they are leaked, there’s no way for a government body like the FDA to make the consumer whole again.”

Cloud Computing costs vs. cost of a Honda Accord

Latest edition of the Cloud Sommelier blog. Thanks to my friends Ali Pasha and Laura Schaefer for their help. I compared the costs of cloud computing over past years to the cost of buying a Honda Accord. For more details, see the link below:

Cost of Honda Accord vs. Amazon EC2 instances