Posted by Kalyani M. on Jun 6, 2013
Cloud services have completely changed IT for businesses across a wide range of sectors. But as more and more companies rely on the cloud for storage, syncing, and computing, hackers have started to target popular cloud services for the trove of sensitive data hosted there. IT departments struggle to stay ahead of hackers seeking to exploit sensitive information through data theft or disrupt operations through distributed denial of service attacks. While the cloud and Bring Your Own Device policies have granted businesses cost savings, convenience, and worker mobility, some IT departments have not considered the security risks inherent in employing public cloud services.
Non-private cloud services are vulnerable to third party attack and even legal snooping from governmental organizations ranging from the IRS to the Department of Defense. Recently, U.S. Attorney General Eric Holder announced his support for changes in current laws to require all governmental institutions to obtain a warrant based on probable cause before seizing cloud-based emails, documents, and other uploaded files. Holder stated, “the more general notion of having a warrant to obtain the content of communications from a service provider is something that we support.” As it stands, the Electronic Communications Privacy Act (ECPA) grants the government legal access to personal emails that have been opened as well as unopened emails older than six months. Such a legal violation of privacy rights is permissible with only a subpoena signed by any federal prosecutor, as opposed to a legal warrant signed by a judge, which is the case for physical mail.
But companies can protect their data from both hackers and legal snoops through employing a private cloud service while engaging in safe internal IT policies. Once way to secure sensitive company data in house is through implementing persistent encryption technology to protect data on its way to the cloud. This “on-promise gateway” allows businesses to ensure that data stays encrypted from the internal gateway proxy to the storing process with the cloud service provider. Starting off with encrypted data is an important first step in helping to secure vital data.
Encrypting data before sending it over to a private cloud service is essential to standard business security, especially when considering the threat of hacking or even viruses, which could rapidly spread across private user devices. According to McAfee, popular cloud storage services like Dropbox and Apple’s iCloud can leave users vulnerable to “cross-device infection” when users download storage interfaces on multiple devices. EMEA CTO Raj Samini said, “The attack surface has increased…You get cross-device threats. What if you have an infected file transferred from your iPhone to iCloud, which then finds its way onto your PC? A threat can traverse multiple devices.”
Just last year, an iOS app was embedded with Windows malware. Users that plugged the iOS device into a Windows PC would effectively transfer the file to the machine, resulting in an infection. As more businesses employ cloud services, Samani predicts the rise of such instances of cross-device infection. The risk is heighted by mobile workers and Bring Your Own Device policies, which raise privacy issues for both workers and businesses that employ non-private cloud services. As an information and communication technologies research analyst stated, “The popularity of social media and the substantial increase in social website threats, such as identity thefts, have prompted several companies to scout for security applications capable of meeting their security needs.” Through encrypting data in house and employing private cloud services, companies can take full advantage of the cloud’s many benefits without worrying about third party attacks, legal snooping, or cross-device infection.
According to Daniel Lai, CIO for Hong Kong’s Special Administrative Region, Hong Kong’s market uptake in cloud computing increased 20.9% in 2011 to 33% in 2012. Larger enterprises took up 53% of the market share and small businesses comprised the remaining 47%, showing that companies of all sizes have enjoyed the cost savings and convenience that the cloud affords. But some companies still are wary of making the switch to the cloud due to security concerns, with half of companies surveyed citing security as the most important reason keeping them from the cloud. And there is some reason to fear most of the cloud services on the market, as frequent news of hacks and data breaches reveal the massive security gaps spread throughout the industry. But this vulnerability has only left the door wide open to emerging solutions that can offer true privacy and user anonymity.
Cloud Privacy in a Crowded Market
Most cloud services presenting themselves as “secure” still have massive vulnerabilities leaving company data open to hacking and even data mining. For businesses looking for absolute data security, an anonymous cloud storage and sync service like SpiderOak provides the benefits of the cloud along with complete data privacy. This service offers two-factor password authentication and 256-bit AES encryption so that sensitive user files and passwords stay private. Two-factor authentication is similar banking services that require a PIN to log on in addition to a password. For SpiderOak, users can submit their private code through SMS along with their individual encrypted password. Once logged in, users can store and sync files with complete anonymity, because this cloud service has “zero-knowledge” of user data and plaintext encryption keys, which are only stored on the user’s chosen devices. SpiderOak’s services are available for businesses and individual users on Windows, Mac, and Linux, along with Android and iOS.