Santa Clara University

Information Security Office

News and Events

 

Information Security News and Events

Back to Blog

De-Cloud Your Life

Wednesday, May. 21, 2014

The term "the cloud" can be used to refer to the Internet. Marketers have popularized the phrase "in the cloud" to refer to software, platforms, and infrastructure that are sold as a service. Usually, the seller has servers that host products and services from a remote location, so users don't have to. They can just log on to the network without installing anything. These services may be offered in a public, private, or mixed network. Google, Amazon, IBM, Oracle Cloud, Microsoft Azure, and Dropbox are some examples of cloud vendors.  

Cloud services have expanded as more and more users are using the Internet. Cloud services can be quite useful as a cheap "offsite backup". For example, keeping documents or a list of serial numbers of your things in case of a robbery or catastrophic event, such as an earthquake.

Let's use Dropbox for an example.

Dropbox usually requires a username and password to access documents. It even offers a two-factor solution as an option. However, a user can allow others to view a document by sending them a "secret link". But links can be easily leaked. As users rely more on cloud services to share files, with passwords that are too troublesome to set up, leaked links will become more commonplace. 

Let's assume that the cloud service works as designed and your username and password is strong enough. But when you share files with other people, you run the risk of others not taking extra care with the files as you would. Their passwords could be weaker than yours or they could share the link onto the Internet.  

Although cloud services are good, there are just some information that you shouldn't store into the cloud, such as confidential, personal, finacial, or medical information, unless you encrypt them before uploading. 

Here are a couple of ways to "de-cloud" your life:

  • Setup an "ownCloud" server. It works very much like Dropbox with mobile clients available for Android and iOS. But you will have to run the server. I suggest you make it accessible via a VPN connection only. Sharepoint may be a similar solution for Windows folks.
  • Run your own mail server: This can be a real pain and even large companies move mail services to cloud providers. But pretty much all cloud mail providers will store your data in the clear, and in many ways they have to. Systems to provide real end-to-end encryption for cloud/web-based e-mail are still experimental at this point.
  • Offsite backup at a friend's or relative's house. With wide spread use of high speed home network connections, it is possible to setup a decent offsite backup system by "co-locating" a simple NAS somewhere. The disks on the NAS can be encrypted and the connection can use a VPN again.
  • For Apple users, make local backups of your devices instead of using iCloud. iCloud stores backups unencrypted and all it takes for an attacker to retrieve a backup is your iCloud username/password.

Tags: cloud service, information security

Categories
Tags
Information Security Office, 1-408-554-5554, iso@scu.edu