Inaccurate Design

The Cloud Dichotomy

Monday, 8 September 2014

The recent iCloud ‘breach’ (we’re going to call it that) has exposed one of the key weaknesses of cloud services: you’re not in control of your data. You don’t control access to it, you don’t control what security measures are in place, and there’s potentially interaction between different cloud services from the same provider that can undermine the security controls that are there.

This does raise another good point, which has been talked about a bit in the past (mainly by the cloud providers). Is your cloud provider better than you at keeping your data secure?

There are usually three key elements to data ‘security’: confidentiality, integrity and availability. In the context of most home users, there is essentially only confidentiality and availability (for home users, ‘available’ means your data is available when you want it, without having been modified or corrupted). Users want their data to be confidential, and not exposed to the world, and they want their data to be available when they need it. This applies equally to emails, photos, tax records, and nudie pictures. The key is to recognise that each type of data has different confidentiality and availability requirements. Emails are used every day, whereas tax records might only be used once per year. By the same token, your holiday snaps probably don’t have the same confidentiality requirements as your nudie pics.

So are cloud providers better than the average user at keeping data confidential and available? I’d contend that they have the availability aspect locked down tight. No average home user could ensure that their data has the uptime and availability of Dropbox, iCloud, Google Drive, or any number of other cloud providers. If you keep a local backup of data you might have the advantage when a provider goes down (very rare), but an average user will get their machine broken or infected numerous times before a cloud provider has an issue.

Confidentiality is another story. When your photos are on your phone, you control who has access. You can put a passcode on it, you can keep it in your pocket, and you can decide who to hand your phone to. You can also choose when the photos are deleted. Once they go to the cloud, they’re out of your control. Remember a few years ago when Dropbox made passwords optional for four hours? You don’t control that.

There are definitely things that your cloud provider can do better than the average user (in an ideal world anyway):

  • they monitor their networks with IDS/IPS systems,
  • they have their patch management processes under control,
  • they have two-factor authentication, and
  • ultimately they employ people whose job it is to keep the systems secure.

It’s up to you to decide if the benefits outweigh the risks. It’s convenient being able to access your files from anywhere, and it’s a good backup, but are you willing to put those pics in the hands of someone else to protect? There’s no right answer, and it will depend on how much you value your privacy, how much you value convenience, and how you feel about Google, Apple, Microsoft et al.