Cloud security - should you trust it?

This week we saw a few celeb types get a little miffed at their muffs being placed on the internet after they had placed them delicately on a cloud storage service.  Cue the uproar that the cloud isn't a safe place to put one's sex tapes and pictures of one's bodily parts.

However, let's think about this for a minute.  What does security mean?

I believe that there are two meanings of security which are worth considering here.  Firstly, I might secure something so that I don't lose it; secondly, I might secure something so that someone else does not get it.  Whilst these may seem like the same thing, it is worth looking at them as two sides of the same coin.

Cloud services are generally much more secure in the first sense than the hard disk sitting on your desk.  A file uploaded to Amazon, Google, or iCloud will be backed up in multiple locations, with professionals looking after power backup and file backup.  If you wish for things to be deleted then that's doable; you just need to wait a while in case you change your mind.  This kind of security is what cloud services do best, much better than you will achieve with equipment at home.  The closest I have at home to this level of security is Apple's Time Machine disk, which silently backs up my computer onto a separate hard disk at the other side of my flat.  This is vulnerable if the house catches fire, and to be honest if it wasn't working I probably wouldn't notice until it was too late.

The second kind of security is by its very nature harder to achieve in the cloud than with your hard disk at home.  Preventing someone else from getting at files held conveniently online is harder to do, as we are creatures of poor habits.  We don't choose passwords that are too difficult to remember.  We reuse these passwords, as we use them a lot to gain access to other things.  Most of the cloud services offer two-step authentication, but we as consumers think that this is a pain in the butt, and therefore disable it as soon as possible, if we ever set it up in the first place.  If we read the stuff being told to us by the cloud companies we would know this, and most of us have been told this sort of thing time and time again, but we instinctively make a trade-off between security and convenience.

What could be done to make things better?  

The first thing is that we can behave better as consumers.  This is a pipe dream, and unrealistic; we all want our cake, and want to eat it too.  This is human nature.  Companies have specialists that they employ who can reduce the risks, or consultants that can inform them how to reduce the risks.  But in our home lives and at schools we will not improve the way we behave collectively.  There is nothing wrong with this; it's a problem that needs solving.

The second option is that developers can improve the way we do passwords.  Developers are working on this, and many systems already do it.  The trouble is that, as a consumer, you have little way of determining how good a website is at dealing with your password.  And when you have found your purchase, you want to make your purchase, and we as consumers get a little blinded in the rush.

There are also moves to replace the passwords that we use today for everything we do with another system altogether.

Here are three simple things we can do as consumers to protect ourselves.

Firstly, we can encourage developers to use good practices.  One such good practice is to use something called OAuth authentication.  You have seen it: it is the thing that allows you to log into websites and services with your Facebook or Google account.  Yes, you are using a password that you have used previously, but you are not sending it to the website; you are sending it properly to Google or Facebook (or GitHub, LinkedIn etc.).  These websites use passwords properly and need a little more trust than youraveragesupermarket.com.  Yes, there is a way to do passwords properly, yes, Google and Facebook can still be hacked, and yes, this makes the benefits of hacking these websites higher, but they also have the best defences.  It's a pity most of them are in the US and therefore subject to US law.  This approach would really make sense if there was an EU OAuth host.  Even, as a British Australian, an Australian or English OAuth host in my own country that would be responsive to my own vote.  And yes, I said English there: I wouldn't want an independent Scottish government ruling over my details in their servers.  This reduces the number of passwords we use, and secures the authentication system that we use to log into other websites.  It also means that we should spend less time filling in the same forms, if web developers use this properly.

Secondly, we need to change our passwords often.  Use a password generator such as Keychain, and write the passwords down and store them innocuously in your wallet if you need to.  Just not with your username.

Thirdly, if your aim for security is in fact privacy, then learn to encrypt files before saving them to your cloud services.  This can be done reasonably simply, and perhaps file encryption based on a PIN needs to be included for photographs and other files in iCloud.
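
One way to do the encrypt-before-upload step with the `openssl` command line tool, added here as an example and not part of the original post. The function names, the `CLOUD_PASSPHRASE` variable and the 12-character minimum are assumptions of this example; the CBC mode used keeps the file confidential but does not detect tampering with the stored copy.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a file locally before it
# is copied into a cloud-synced folder. Function names, CLOUD_PASSPHRASE and
# the 12-character minimum are assumptions of this example.

# PBKDF2 rounds make each passphrase guess slower. A 4-digit PIN has only
# 10,000 possibilities and falls to offline guessing at any round count.
KDF_ITER=600000
MIN_PASS_LEN=12

check_passphrase() {
    if [ "${#CLOUD_PASSPHRASE}" -lt "$MIN_PASS_LEN" ]; then
        echo "CLOUD_PASSPHRASE must be at least $MIN_PASS_LEN characters" >&2
        return 2
    fi
}

# encrypt_for_cloud <plain_file> <encrypted_file>
encrypt_for_cloud() {
    check_passphrase || return 2
    # Subshell keeps the umask change local; output is readable by owner only.
    # The passphrase goes via the environment, not argv, so it stays out of ps.
    ( umask 077
      CLOUD_PASSPHRASE="$CLOUD_PASSPHRASE" openssl enc -aes-256-cbc -salt \
          -pbkdf2 -iter "$KDF_ITER" -pass env:CLOUD_PASSPHRASE \
          -in "$1" -out "$2" )
}

# decrypt_from_cloud <encrypted_file> <plain_file>
decrypt_from_cloud() {
    check_passphrase || return 2
    ( umask 077
      CLOUD_PASSPHRASE="$CLOUD_PASSPHRASE" openssl enc -d -aes-256-cbc \
          -pbkdf2 -iter "$KDF_ITER" -pass env:CLOUD_PASSPHRASE \
          -in "$1" -out "$2" )
}
```

Only the encrypted output file should go into the synced folder; the cloud provider then stores ciphertext it cannot read without the passphrase.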



