The stakes are especially high for files that contain financial information, trade secrets, and legal briefs.
So how do you protect yourself from the risks of unauthorized access? The basic tools aren’t that different from those you might use to protect data on a local area network. But the nature of the cloud means asking a few tough questions:
Who has access?
In the aftermath of disclosures that global intelligence agencies are able to tap into Internet traffic with impunity, you might think that spies are lurking around every corner and tapping every wire. In reality, the lesson of Edward Snowden’s NSA disclosures is more mundane. The biggest threat is from a rogue employee misusing their trusted position. The best cloud providers have excellent physical security and strict auditing that makes it impossible for an insider to get away with data theft.
Are you protected from password theft?
The first line of defense for most cloud services is a password. Even if you insist on complex, random, hard-to-guess passwords, that’s still a weak barrier for a determined thief, who can use social engineering, phishing emails, or Wi-Fi sniffing to steal passwords. You can effectively shut down those attacks by using multi-factor authentication, which requires a second form of identification, typically tied to a physical device, such as a code sent via text message or generated by an app on a mobile phone.
Is your data fully encrypted?
Any cloud service worth its salt should protect your data using strong encryption. But not all encryption is created equal. Ideally, you want encryption at rest and in transit. Encryption at rest protects the data from unauthorized access is an attacker is able to access the contents of the cloud server. Encryption in transit prevents an attacker from eavesdropping as you transfer files between a local device and a cloud server. That latter scenario is especially likely if you routinely access files over unsecured networks in coffee shops, airports, hotels, and other public places.
Who holds the keys?
The science behind encryption is simple. Your data files are encoded using a mathematical algorithm in combination with a complex private key. Anyone who tries to access the contents of the file without the key sees the ciphertext, which is, for all intents and purposes, gibberish. If your files contain especially valuable information, you need to think long and hard about how to manage those keys. In most cloud services, the service provider manages the encryption keys. That’s convenient, but it also means your secrets can be unlocked if a law enforcement agency shows up with a subpoena. For maximum security, narrow the list of potential cloud providers to those who let you manage the keys, encrypting data locally so that it never reaches the server in an unencrypted format. That architecture prevents anyone but you from unlocking your secrets. A word of warning, though: If you lose that key, there’s literally no way to recover your files!
Implementing the proper mix of security features can go a long way toward giving you the convenience of the cloud without exposing you to undue risk. And be prepared to review that list of questions again, at least annually. Cloud storage is an incredibly competitive marketplace, and a provider that falls short today could be a perfect fit next year.