I’m sure you’ve heard by now about the list of celebrities whose private images and other data were stolen and distributed. I wasn’t planning on writing anything about this, but as time passes I’m noticing more and more people commenting about a “lack of cloud security.” I’ve seen more than one post (by news outlets mostly, not IT professionals) claiming that our data isn’t safe in the cloud, that you shouldn’t move to the cloud, and that the cloud is bad! I can’t correct them all directly, but I can attempt to educate businesses that might be scared off from cloud storage options like OneDrive for Business after this scandal. Trust me, the cloud security is fine.
The Cloud Hacked?
Many people are criticizing the victims of this leak, saying that if they didn’t want their pictures seen they shouldn’t have uploaded them to the cloud. They claim that there isn’t enough cloud security, and therefore anything you store there is automatically compromised. From what I have read, all of the celebrities in question were using Apple devices. iCloud is Apple’s cloud storage that automatically backs up photos stored on iOS devices like iPad and iPhone. That means that these users may not have known or had any control over their pictures being backed up. I don’t know how tech savvy they are, so I can’t speak for all of them, but I would guess that a lot of them did not realize that iCloud synced data, including photos, automatically.
According to Apple, iCloud employs a minimum of 128-bit AES encryption to content, both in transit and at rest. This means that data that is being transferred to iCloud and data already stored in iCloud is encrypted. For those of you unfamiliar with this encryption method, AES (Advanced Encryption Standard) encryption uses a symmetric-key algorithm. The same key is used to encrypt and decrypt the data. There have been very few successful attacks on AES, so I feel safe assuming that these data breaches are not a result of someone attacking and compromising iCloud’s encryption. It is reasonable to assume that whoever carried out these attacks singled out specific accounts and used brute force attacks to access them.
I do not think this breach is indicative of a problem with cloud security, or even security of a specific cloud storage. This is simply an example of someone that wanted information and knew how to get it.
Cloud security
It is my firm belief that there is no such thing as 100% privacy on the Internet or 100% cloud security. When dealing with personal data, like pictures, I operate under the rule of “don’t put it on the Internet thinking that it will never surface.” I do not mean to say that I expect my data to be stolen or compromised, more that I don’t expect it NOT to be. When I first started learning about businesses storing in the cloud, I was leery. I can understand why businesses are hesitant to make the move. I’m not leery anymore though, and businesses shouldn’t be either.
There are layers of cloud security that make it more difficult to find and steal information. There are tools you can use to protect your data more effectively than other tools. However, there are always people out there that want your data and will do whatever they can to steal it. It is reasonable to expect that if you didn’t do anything special to try and protect your information, someone can and will be able to access it without doing anything special either.
Some IT security folks argue that even when you go through great lengths to protect your data, it still isn’t safe. I imagine that to an extent this is probably true. That’s where you apply the 90/10 rule of information security: 10% of all security standards are technical and the other 90% rely on the behavior of the users. I’ve also heard that this rule has a secondary meaning: 10% effort on your part will protect against 90% of attacks. These rules apply to cloud security, as well as physical security.
It is imperative from a business standpoint to set and adhere to strict security standards for your employees. This means defining rules for acceptable passwords (no p@ssw0rds) and encouraging (forcing) users to change their passwords often. Also, you wouldn’t believe how many people still write their passwords on a post it on the bottom of their keyboard! Don’t do this! Businesses also need to govern the acceptable use of company information and the storage of that information. Develop a file storage policy. For example, you might require all business information goes into OneDrive for Business, all personal data is saved locally (or on a personal OneDrive) to keep it separate.
Why You Should Still Use OneDrive for Business
All storage options present risk, but some of them are riskier than others. You can compare cloud security vs security of data on flash drives and you might find that they both have drawbacks. I still believe in cloud security and cloud storage like OneDrive for Business and my personal OneDrive.
OneDrive takes cloud security seriously. OneDrive for Business encrypts data, both in transit using SSL/TLS and at rest. Data is protected physically by measures including 24-hour monitoring and multi-factor authentication for data center access. Data is protected logically by measures like limited human access to data through use of lock box processes and port scanning and intrusion detection. OneDrive for Business is made by Microsoft, and is therefore supported and backed by the might of Microsoft. If someone compromises their security then they probably compromised everyone else’s too!
OneDrive for Business gives you a lot of tools to help users develop good security habits. You can define rules for employee passwords and force employees to update their passwords on a certain schedule. OneDrive also gives you the option to use two-step verification, forcing users to provide an additional security code if logging on from an untrusted device. Employees can also save personal security information in their Microsoft accounts that OneDrive will use to verify identities if necessary.
Finally, OneDrive lets you manage the permissions of your files. If your permissions are properly established, only approved users can access your data. That means the only way an unauthorized person will see your data is if they compromise your account, and if you followed the steps listed above then you’ve already minimized that risk!