Cloud security

Leave a comment Posted on apple cloud, cloud, Cloud security, cloudprivacy

Are you the reason why the cloud isn’t ready for the masses?

This is an anonymous post from a friend who has been involved in the tech industry for the past 7 – 8 years. While we are not always aligned in our views, he brings some unique insights that are worth sharing to get a diverse perspective on the issues.

Are you the reason why the cloud isn’t ready for the masses?

“I’m not an expert on cloud storage or security, but I do know enough to be dangerous. One thing I do know for sure is that the cloud isn’t ready for the majority of people to store their personal content. My parent, my siblings, my wife and my brother-in-law are all smart and intelligent but they are all exposing themselves to significant risk by using the cloud.

What bothers me a lot about this is that there are many of vendors that oversell the benefits of cloud storage and side-step some of the risks. They put the burden on the consumer to figure it out themselves.  They even opt users in to using the cloud by default or make it confusing to turn the cloud sync functionality off. I’m looking at you, Apple.

“How do I turn the damn cloud off”

You need not look further than Jennifer Lawrence or other data breaches to see the impact of such an issue. Forget the millions of cases that never make it to the front page.

The biggest problem that we currently face is in dealing with passwords. The concept of user name/passwords is over 20 years old. As such, the weakest link isn’t the cloud but the user. Phishing can make it very easy for a user to give up their password. Even in cases where phishing isn’t involved, many users will use the SAME password on websites that they really should not trust. If Uber can have loose controls over who accesses your data, I guarantee you that other websites have weak controls as well.  Who in those companies has seen your password? Do you even know?

What’s really scary is that you can be careful and provide unique passwords to each website, but accidentally type in the wrong password once and lose all the security you depended on. This is because some websites might be logging your password. Facebook’s founder took advantage of such an approach when he was in college. I used to accidentally do this all the time.

There are ways to alleviate this issue, but NO ONE wants to use them unless forced. One-time passwords (OTP) are a good example. Phones are a great way to actually verify the user. They allow a user to control who has access, because the minute they lose their phone they know that they are no longer secure. Setting up an OTP on your phone is what major cloud service providers recommend, but few know about it or use it. It also needs to be simpler AND available for use on ALL sites that you trust.

1Password-like solutions are also another great option. There is a chance your one local password could be compromised, but it is significantly lower risk than manually entering in the same password across websites (possible over the unsecure internet).

There are so many vectors for attack and many papers have been written about them, but OTP and 1Password-like solutions alleviate a lot of them with regards to protecting access.

For full disclosure, as I said before, I know enough to be dangerous. As such, I put a lot of sensitive data such as health related receipts in the cloud because I have given it significant thought and found it untenable to keep hundreds of receipts in my basement. I also use a VPN over insecure WiFi and encrypt files – but I think that’s a little extreme for most.

The reason why I wrote this blog post is because a lot of cloud vendors make ease of use a priority over security, because they need to show their VCs growth. But, they need to make our security our priority and innovate beyond the password. The assets they keep in their storage are, in many ways, more important than those kept by a bank. Once they are leaked, there’s no way for a government body like the FDA to make the consumer whole again.”

Leave a comment Posted on Apple two step verification, Cloud Computing, Cloud security, tradeoffs

How to be personally secure in the cloud world (Part 2)

Interestingly after publishing the last blog, I started getting blog views from the Russian Federation. The image above shows the last 7 days of views, before this blog was published.

Here is part 2 of the discussion with Jeremy (Background: I recently had a chance to talk to a friend, Jeremy Guthrie, who has been in the Information Technology / Internet Service Provider business for 23 years, concentrating on networking and security architecture).

What about the tradeoffs of over-securing?

Jeremy: One of the most dangerous things you do every day is get into your car and drive somewhere. But we all do drive or use some sort of transportation daily, because of the fact that there is a risk and a tradeoff. So don’t over secure yourself so much that you hurt your online experiences substantially.

For example, let’s think about the Apple iCloud breach from this summer. Apple and other providers could have done way more to protect the information that was stolen. However, these providers also have to consider the tradeoffs of various levels of security vs. usability. For example, you can gain more security by using multi-level authentication or varying degrees of password complexity or user logouts after X number of logins. This also means it could make their cloud services difficult to use and cumbersome. So this security situation is a tradeoff between convenience and usability vs. security. If you have to attract a large user base, you have to make the product easy to use. Regardless, the provider should be transparent about how they protect their data across their entire online interface. Your choice is whether you want to leverage their additional tools to secure your data and post your data there.

My thoughts: Apple has implemented two-step verification for Apple ID, which is the user ID used with iCloud. It is not turned on by default. Here is a link to turn it on: http://support.apple.com/en-us/HT5570

Anything else we should watch out for?

Jeremy: Be careful about exchanging too much information on websites associated with different political / charitable causes. While the websites might try to secure the environment, these are generally targets for groups of hackers who want to malign the website / cause. Thus you are providing an unnecessary target on your information.

Another Interesting phenomenon currently developing is the Apply Pay feature and how it will impact your financial services. For example, before when your credit card was stolen and unauthorized transactions were made through it, the bank would help you out in most cases and take your word for it. However, now that the credit card credentials are on your phone, if it gets stolen for a certain time period before you realize the phone is stolen, will the bank hold you responsible for proving whether this item was stolen? Effectively, the phone is still authorized by you to make the payments on your behalf. And if you thought TouchID was not vulnerable to finger print spoofing, think again. The onus would shift to you to prove that the phone was stolen, in a time period when you don’t actually have your phone in your possession. Just something to ponder.

Interesting reads Jeremy recommended about security:

  • Freakonomics blogs and podcasts about security offer an interesting take on security, risk aversion and the costs related to it
  • Science of Fear – Why We Fear the Things We Shouldn’t–and Put Ourselves in Greater Danger by Daniel Gardner is about tradeoffs
  • Spycraft: The Secret History of the CIA’s Spytechs, from Communism to Al-Qaeda by Robert Wallace is a look into how far people will go to get information.