Over the past few weeks we have seen data on cloud storage services being compromised. Celebrities’ personal photos were stolen from Apple’s iCloud service. Then Snapchat was compromised, with both photos and videos stolen. Now Dropbox is reacting to what it says is a compromise of another service’s credential store, which is being used to break into the Dropbox accounts of users who reuse the same username and password across multiple services.
A common theme across all of these is clear… cloud services are being compromised. Does this mean you should not trust cloud services? Pull all your data back down to local storage and cancel your Internet connection? Go off the grid and return to the trees? Of course not! Cloud services are a major component of our connected lives, and it is not at all true that they are inherently unsafe or vulnerable. They are, however, accessible from literally anywhere in the world, so most people should take more precautions with their data than they may be accustomed to.
Here are some tips to help both users and corporations use cloud services more securely.
Most of these services allow, or even require, users to use their email address as their username. While this makes it simple for people to remember their username, it also makes it easy for bad guys to figure out the first half of your credentials. If you have the option to use something else, or have multiple email addresses or aliases you can use, it will help make it harder for attackers to determine your username for a particular service. I like to use my email address as my username, so I won’t change this, but it does drive home the next point.
Use strong, and much more importantly, unique passwords for each service. If you use the same username and the same password across multiple services and one is compromised, an attacker now has access to all your cloud services. This is the exact scenario Dropbox alleges happened to them. They were not themselves compromised, but some other service was, and because those users had the same username and password on both, the stolen credentials gave attackers access to the victims’ Dropbox accounts.
The subset of accounts that was posted online shows an alarming trend. Users are frequently using dictionary words for their passwords. This makes it extremely easy for attackers to compromise your account. Make sure your passwords are not only unique, but also strong. Use a mix of uppercase letters, lowercase letters, numbers, and punctuation. Consider using a passphrase rather than just a password, which is longer and more complex, but also easier to remember than some random string of characters.
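As an added illustration of the password advice above (this is example code written for this article, not something from any of the services mentioned), the following Go program applies the rules just described: it rejects a single dictionary word even when digits or common letter-for-symbol substitutions are tacked on, and it accepts either a multi-word passphrase or a long mixed-character password. The small dictionary is constructed for the example; a real check would load a full wordlist and a breached-password list.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Constructed dictionary for the example only; a real deployment would load a
// large wordlist plus a list of passwords seen in breaches.
var dictionary = map[string]bool{
	"password": true, "dropbox": true, "welcome": true, "sunshine": true,
	"monkey": true, "letmein": true, "football": true,
}

// Trailing digits/punctuation that users append to a word ("password1!").
var trailingJunk = regexp.MustCompile(`[0-9!@#$%.]*$`)

// leet undoes the usual substitutions ("p@ssw0rd" -> "password").
var leet = strings.NewReplacer("0", "o", "1", "i", "3", "e", "4", "a",
	"5", "s", "7", "t", "@", "a", "$", "s")

// isDictionaryWord reports whether pw is a single dictionary word, with or
// without trailing digits/punctuation and leet substitutions.
func isDictionaryWord(pw string) bool {
	base := strings.ToLower(pw)
	stripped := trailingJunk.ReplaceAllString(base, "")
	for _, c := range []string{base, stripped, leet.Replace(base), leet.Replace(stripped)} {
		if dictionary[c] {
			return true
		}
	}
	return false
}

// Verdict says whether a password is accepted and why.
type Verdict struct {
	OK     bool
	Reason string
}

// CheckPassword accepts a passphrase of at least three distinct words and 16
// characters, or a 12+ character password mixing upper, lower, digits and
// punctuation; anything that is a dictionary word is rejected first.
func CheckPassword(pw string) Verdict {
	if isDictionaryWord(pw) {
		return Verdict{false, "dictionary word (with or without digits/leet)"}
	}
	distinct := map[string]bool{}
	for _, w := range strings.Fields(strings.ToLower(pw)) {
		distinct[w] = true
	}
	if len(distinct) >= 3 && len(pw) >= 16 {
		return Verdict{true, "passphrase"}
	}
	var upper, lower, digit, punct bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			punct = true
		}
	}
	if len(pw) >= 12 && upper && lower && digit && punct {
		return Verdict{true, "complex password"}
	}
	return Verdict{false, "too short or missing character classes"}
}

func main() {
	// Constructed sample inputs.
	for _, pw := range []string{"password1!", "P@ssw0rd", "Tr0ub4dor&3", "Xk9#mQ2vLp7!", "correct horse battery staple"} {
		v := CheckPassword(pw)
		fmt.Printf("%-30q ok=%-5v %s\n", pw, v.OK, v.Reason)
	}
}
```

Note what the check does not do: it cannot tell you whether the password is also used on another service. Uniqueness per service is a habit (or a password manager's job), not something a single site can verify.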
If a cloud-based service offers multi-factor authentication, use it! Many are able to work with mobile phone apps or use SMS messages to your mobile phone, so that before an attacker can compromise your data, they must also have your physical device. You may not know that your credentials have been compromised for days or even weeks after the fact, but you will notice your phone is missing within minutes.
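To show what the "mobile phone app" variety of multi-factor authentication actually does, here is an added Go example (written for this article, not code from any cloud provider) of time-based one-time passwords as standardised in RFC 6238: the service and the phone share a secret at enrolment, each computes a six-digit code from that secret and the current 30-second time step, and the service accepts a code only if it matches its own computation within a one-step clock-skew window. The shared secret below is the RFC's published test key, so the codes are checkable against the RFC's own table.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

const (
	totpDigits = 6  // digits shown to the user
	totpStep   = 30 // seconds per code, the common authenticator-app default
)

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// NewSecret generates a fresh 160-bit shared secret, base32 encoded as
// authenticator apps expect when a user enrols.
func NewSecret() (string, error) {
	buf := make([]byte, 20)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return b32.EncodeToString(buf), nil
}

// TOTPCode computes the code for a given Unix time (RFC 6238 on top of the
// HMAC-based truncation of RFC 4226).
func TOTPCode(secretB32 string, unix int64) (string, error) {
	key, err := b32.DecodeString(strings.ToUpper(strings.TrimSpace(secretB32)))
	if err != nil {
		return "", err
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/totpStep))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, bin%mod), nil
}

// VerifyTOTP is the server side: it accepts the submitted code if it matches
// the current step or one step either side (phone clock slightly off), using
// a constant-time comparison so timing does not leak which digits matched.
func VerifyTOTP(secretB32, submitted string, now int64) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		expected, err := TOTPCode(secretB32, now+skew*totpStep)
		if err != nil {
			return false
		}
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 test secret ("12345678901234567890" in base32); a real
	// enrolment would use NewSecret().
	const secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
	code, _ := TOTPCode(secret, time.Now().Unix())
	fmt.Println("current code:", code, "valid:", VerifyTOTP(secret, code, time.Now().Unix()))
}
```

The point the text makes follows directly from the code: the secret never leaves the phone and the server, so a stolen username and password alone cannot produce a valid code, and a lost phone is noticed long before a leaked credential list is.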
While most cloud services offer encryption, both for network traffic and local storage, they manage that encryption. You may want to consider using third-party file encryption where you control the keys and keep their storage local, so that even if your data is stolen, attackers cannot use the data since the encryption keys remain with you.
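The following Go program is an added example of the "encrypt it yourself before it leaves your machine" approach (example code for this article, not a tool from any of the services named): a random 256-bit key is generated and kept locally, each file is sealed with AES-256-GCM before upload, and only the sealed blob ever reaches the cloud. Because GCM authenticates as well as encrypts, a blob that is modified or decrypted with the wrong key fails outright instead of yielding silently corrupted data. File paths in `main` are constructed in a temporary directory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// NewKey returns a random 256-bit key. It stays on your machine (a 0600 file,
// an OS keychain, a hardware token); it is never uploaded with the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. Layout of the returned blob:
// 12-byte random nonce || ciphertext || 16-byte authentication tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends to its first argument, so the nonce leads the blob.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts and verifies a blob produced by Seal. Any change to the
// stored blob, or the wrong key, returns an error rather than garbage.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// EncryptFile seals src into dst; dst is what you hand to the sync client.
func EncryptFile(key []byte, src, dst string) error {
	pt, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	blob, err := Seal(key, pt)
	if err != nil {
		return err
	}
	return os.WriteFile(dst, blob, 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "cloudenc")
	defer os.RemoveAll(dir)
	src := filepath.Join(dir, "notes.txt") // constructed sample file
	os.WriteFile(src, []byte("tax return draft, do not share"), 0o600)

	key, _ := NewKey()
	dst := src + ".enc"
	if err := EncryptFile(key, src, dst); err != nil {
		panic(err)
	}
	blob, _ := os.ReadFile(dst)
	pt, err := Open(key, blob)
	fmt.Printf("upload %s (%d bytes); decrypted locally: %q err=%v\n", dst, len(blob), pt, err)
}
```

The trade-off the text hints at is visible here too: the service can no longer search, preview or deduplicate the content, and losing the key means losing the data, so the key needs its own backup outside the cloud account it protects.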
Most cloud services rely upon client software. That can be an agent installed on your workstation, or the operating system of your phone. Those that are browser-based only still rely upon your browser. Keeping your client software up to date helps to ensure that your machine is not the source of a compromise.
Policy and availability
For corporations, there are legitimate concerns about storing corporate data in cloud-based services, especially consumer-oriented services. Users want to use these services because they work well and let users get things done. Corporations should first make sure they have a clear policy around what is permitted and what is not, and where corporate data can be stored and where it cannot. Corporations should also offer their users corporate-controlled equivalents of the consumer services, which give users the functionality they need while keeping the data under the corporation’s control. Microsoft offers OneDrive for users, and OneDrive for Business for corporations. Dropbox is for personal use, while Dropbox for Business is for corporations. Other services have similar models. Companies can embrace the cloud while maintaining control.
Web filtering software
Businesses should also implement web filtering software to both support and enforce their policies. The web filtering software you choose should be both granular and intelligent enough to block only what you mean to block, without restricting access to things you want to allow. For example, you may want to block Google Drive but still permit users to search with Google. You don’t want a solution that just blocks Google. Implement a solution that supports the business need, not one that limits your options.
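As an added example of the granularity point (written for this article; it is not the logic of any particular filtering product), the Go program below evaluates requested URLs against a small constructed policy. The `Decide` function matches on the host at label boundaries, so `drive.google.com` and its subdomains are blocked while `www.google.com` search stays allowed and a look-alike such as `drive.google.com.evil.example` is not mistaken for the real service. `NaiveDecide` is the over-broad filter the text warns against, shown for contrast.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Rule applies an action to a host and every subdomain beneath it.
type Rule struct {
	Host   string
	Action string // "block" or "allow"
}

// Constructed policy: block Google Drive/Docs storage, allow the rest of
// google.com (search). More specific hosts come first; first match wins.
var policy = []Rule{
	{"drive.google.com", "block"},
	{"docs.google.com", "block"},
	{"google.com", "allow"},
}

// hostMatches is true when host equals rule or is a subdomain of it. The
// "." + rule suffix is the label-boundary check that keeps
// "drive.google.com.evil.example" from matching "drive.google.com".
func hostMatches(host, rule string) bool {
	return host == rule || strings.HasSuffix(host, "."+rule)
}

// Decide returns "block", "allow" or "default" (no rule matched, so the
// organisation's default posture applies) for a requested URL.
func Decide(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return "block" // a request we cannot parse is not let through
	}
	// Hostname() drops any port; normalise case and a trailing dot.
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	for _, r := range policy {
		if hostMatches(host, r.Host) {
			return r.Action
		}
	}
	return "default"
}

// NaiveDecide is the blunt filter the text argues against: any URL
// containing "google" is blocked, search included.
func NaiveDecide(raw string) string {
	if strings.Contains(strings.ToLower(raw), "google") {
		return "block"
	}
	return "default"
}

func main() {
	// Constructed proxy-log style requests.
	requests := []string{
		"https://www.google.com/search?q=cloud+security",
		"https://drive.google.com/drive/my-drive",
		"https://docs.google.com/document/d/example",
		"https://drive.google.com.evil.example/login",
		"https://example.org/",
	}
	for _, r := range requests {
		fmt.Printf("%-50s granular=%-8s naive=%s\n", r, Decide(r), NaiveDecide(r))
	}
}
```

In practice the host list comes from the vendor's categorisation feed rather than a hand-written table, but the matching discipline is the same: decide on the parsed host, not on a substring of the whole URL.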
Companies that don’t want to embrace the cloud are in the same position today as companies that thought the Internet was a fad back in the mid-90s. The companies that take the lead, deploy technologies in a controlled and secure fashion, and enable their users to do their jobs will have a competitive advantage over those that do not. The tips above can help you to do this safely and securely, and stay off the evening news!