Cloudy security

24 02 2016

“Cloud computing” two words guaranteed to generate a multitude of reactions, from confusion to fear and much in between. Most have heard of it, many talk about it and some even understand it, but what has it got to do with Joe or Jane Public and should you care?

In this post I’m going to try to blow away some of the fog about Cloud, but as it’s only a blog entry and not a book I’m not going to have the space to address all of the issues, opportunities and plain BS that the topic encompasses.

This is not written for the expert, although I welcome your feedback and comments, it’s written for the man or woman in the street who is wittingly or unwittingly putting their personal information and precious photos out there in Cloud Land. Why write a blog post on something that has been around for years? Well I’m finding that as people become more adept at using technology the less they understand it. This is for those people.

So first things first, what (or even where) is the Cloud?

As is so often the case there is no simple answer, or even total agreement on what the answer is. One thing you can be sure about is that it’s not a cloud, or even ‘the internet’.

The Cloud can best be thought of as computing infrastructure that is run by other people where you can store your electronic files or do computing stuff.

Cloud breaks down into three main types, public (anyone can use it), private (only you can use it) or hybrid (a bit of both), and the services offered break down into PaaS (Platform as a Service), SaaS (Software as a Service) or IaaS (Infrastructure as a Service). There is also FOaaS but I’ll let you Google that one.

For most of us we could not care less if it’s a P an I or an S, or even if it’s public or private (but trust me it will usually be public), all we care about is that we have somewhere to store our pictures or music or whatever and we can access them from our phone, tablet or desktop from anywhere in the world, and share them with anyone we want to at any time, ideally with the minimum of fuss.

I’m not not going to touch on Office 365 or Dropbox, or how those of you running your own businesses might want to make use of the Cloud (maybe that’s a topic for another blog), just the ‘in your face’ ones that almost everyone is using by default.

iCloud (Apple), OneDrive (Microsoft), Google Drive (Google) to name but a few, all give you free storage ranging from 5Gb to 25Gb with the option to buy more if you want it, and they are all linked to your vendor account (Apple-id, Outlook or Google etc) so are (theoretically) secure. These are all public clouds in that it’s a ‘one size fits all’ model – no tailoring of the service allowed, with access available to anyone who wants it (albeit with access to your bit restricted to you and (hopefully) blocked to everyone else (apart from those people listed below and those you’ve chosen to share it with)).

So far so hunky dory. Loads of storage, easily accessible and free, what’s not to love?

Well, to  be honest, if you don’t care where your stuff is stored (Europe, America, Asia, under the Atlantic (well maybe not yet but watch this space)), and you don’t care how many employees, contractors, third parties or other relations of your chosen supplier can access your stuff in the spirit of ‘system management’, and you don’t know or care who they can share it with, then not much. But therein lies the rub, with most of the free cloud storage, and quite a bit of the not so free, you have no control over any of this. When you sign up for your cloud storage you agree to all manner of things in the Terms and Conditions (Apple’s runs to over 20,000 words), and unless you hit “I Agree” you can’t use the service. No discussion, no negotiation just a simple “accept or go elsewhere”.

When you put your music collection, precious photos or critical documents “into the Cloud”, what are you actually expecting to happen? How long do you think they will be there, are they backed up, can you transfer them somewhere else (such as if you decide to move from Apple to Android)? The bottom line is you don’t know because you never asked. You just blindly went with the flow because it was there and it was free.

Will Apple stop offering i-Cloud or Microsoft OneDrive? Will they change the T&C and start to charge you for the storage? Will they decide that as part of the free deal they can use your stuff for their own purposes (as Instagram tried to do when they suddenly announced they were going to sell YOUR photos for THEIR benefit – and only backed down after they started to lose market share)? The bottom line is you don’t know, and you can’t know because you don’t have any say in the infrastructure. You’ve given everything to someone else to store in their datacentres and you aren’t even paying them for the privilege.

I’m not saying don’t use the Cloud, what I am saying though use it with your eyes open and consider spreading the risk. Think about what you are uploading and how much it matters to you. If it’s your photo collection then upload them to more than one Cloud provider after all they’re free and it would be rude not to take advantage (I have mine in both Google and OneDrive, just in case one of them has a problem, and there’s always the copy on my own devices).

The same for documents that are not sensitive. But if they are sensitive (for whatever reason) just remember that whilst your strong password (see a previous blog) will stop miscreants cracking into your account and reading your stuff, the Cloud provider’s staff will have access for perfectly valid reasons such as keeping the systems running, and unless the data is encrypted (which is unlikely) they will be able to read it. Now, are they going to target your files out of the Petabytes of data they are holding, well it depends on who you are, but the fact is they could, and if that bothers you, maybe the Cloud is not the right place for you and your data.

So in summary. The Cloud is the perfect Martini solution (Google it if you’re under 35) for your electronic information. But in exchange for the ease of use and free storage you are giving control over the security of your stuff to someone else. If you don’t care, then fill your boots as they say. If you do then maybe you need to be more selective.

As Mr Wordsworth said “I wandered lonely as a cloud, That floats on high o’er vales and hills” it’s just that you have no idea where those vales and hills may be.

Happy surfing

David

Advertisements




Encryption and back doors

21 02 2016

A lot has been written over the past few months about demands that the providers of encryption software provide ‘backdoors’ so that law enforcement can decrypt information that the ‘bad guys’ want to hide. So I thought I’d add my h’app’enth worth into the debate.

As is so often the case in technical matters, much of what has been written is biased or just plain wrong, with vested interests (on both sides of the debate) trying to promote their angle though misinformation and the spread of FUD (fear, uncertainty and doubt).

The current FBI vs Apple law suit is just another thread in this saga, and whilst it is not explicitly about the encryption on the device, the ‘backdoor’ argument is the same.

So lets strip this debate back to it’s bare bones, by posing a few very simple questions.

  1. Is encryption a fundamental necessity for the way we use computing in the 21st Century?
  2. Do we believe that, in the age of ubiquitous social media and the proliferation of computing devices and technologies across the globe, a secret (such as the backdoor key) can be kept out of the hands of those not meant to know it?
  3. Do we trust those in posession of the secret to only use it for the intended purpose, and that all of the checks and balances introduced to manage the use of the secret will be adhered to by all parties?

Starting with the first question, I believe the answer is “absolutely”. Trillions of £’s worth of transactions occur every day across the globe, ranging from international finance down to buying a book off Amazon. Personal details (medical, political, sexual orientation etc) of individuals are stored and shared by and between companies and the wider population to make our services function. Trade secrets are stored to provide long term security to companies and their employees, and so the list goes on. All of these require the information to be secure and trusted and encryption is the only way we can go anyways towards achieving this in the computer age.

The second one is even easier to answer. Edward Snowdon, Chelsea Manning and a host of other less well known whistleblowers have shown that Governments cannot keep their secrets safe, however hard they try. Companies lose hundreds of millions of customer records every year from within their boundaries, and people (who are what everything comes down to in the end) continue to do stupid things, sharing their passwords, downloading viruses and falling for social engineering scams. To my mind this proves that secrets cannot be kept. People will always make mistakes or leak information that they believe should be in the public domain. And that does not even begin to cover the likelihood of threats of violence or extortion to make people reveal information against their will.

The final one is slightly harder to answer. Conspiracy theorists and libertarians will answer with a resounding “No!”. Government spokespeople will offer all sorts of assurances, and the truth lies somewhere in between. To my mind the important point is that ‘governments’, ‘law enforcement’ and ‘secret services’ are not things. They are made up from the people who work there, the same people who do stupid or bad things, often for what they consider to be the right reasons. So in my view there will always be those who can find a justification for bypassing the rules which makes this control unreliable.

So, in summary.

In my opinion, the encryption that we rely on must be secure and effective; we can’t expect the secrets to remain secret; and we can’t reasonably expect all of those in possession of the secret to only use it when legally permitted. That means the argument for mandatory backdoors is fundamentally flawed, even before you consider the technical challenges of trying to create one.

Everything else just becomes noise around the edges. Yes, of course bad guys will use encryption, but as the totally failed attempt of the USA to ban the export of encryption tools a few years back demonstrated, they will always find a tool where the government does not have the backdoor key.

At the end of the day an old secruity truism comes to the fore. “The wall is not there to keep you out, it’s there to see how badly you want to come in”. We know that when law enforcement REALLY want to get something they will, and the absence of a backdoor won’t stop them, but that’s a discussion for another day.

Happy surfing, and remember, just because you’re paranoid it does not mean the bad guys are not out to get you.

If you agree with me or think I’m totally missing the point please feel free to share your thoughts in the commnets section.

David

 








%d bloggers like this: