Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)

Security Guideline

Cloud Storage Security

Release Date: 31 / 03 / 2014
Last Update: 31 / 03 / 2014
 

With the rapid development of the Internet and the popularity of mobile devices, demand for cloud storage keeps increasing. Cloud storage has no geographical restriction, so the service is available around the globe; however, information security requirements differ from country to country, so we have to be more cautious when opting for cloud storage.

Cloud storage provides convenience and other advantages that we did not have before, for example scalability, pay-as-you-go, off-site data storage and access from anywhere. However, we must also be aware of the new security risks, including:

  1. Data leakage and eavesdropping:
    • Attacks against cloud storage servers.
    • Unencrypted transmission channels for uploading and downloading files.
    • Accounts protected only by a password, which is then leaked to third parties.
  2. Abuse at service provider level:
    • Staff of the service provider can freely view your uploaded data if it is not encrypted.
    • Dishonest service providers might sell your data to third parties.
  3. Personal mistakes:
    • Lack of data classification, resulting in all data, including sensitive data, being uploaded to the cloud storage.
    • Erroneously sharing sensitive data.
    • Lost mobile phones being used by third parties to log in.
  4. Data jurisdiction:
    • Some regulated industries may be required by regulation to store data within the borders of a certain jurisdiction. A cloud storage service might not provide that control or transparency over where data is stored.
  5. Cloud service provider lock-in:
    • The stored data and its data structure might not be transferable when the user decides to unsubscribe and switch to another service provider.

Selecting Cloud Service Providers

There are a variety of cloud service providers, and using cloud storage introduces different risks. As long as we choose a suitable service, the risks can be mitigated. Below are some of the more important points when choosing a service:

  1. The integrity of service providers and transparency of data protection policy – choose providers with a good reputation, to ensure the stored data is not transferred to third parties, and those that publish a clear policy on data protection.
  2. Access control – it is favourable if users can grant privileges to different users / roles to manage different files and folders.
  3. Version control – it is favourable if users can store and manage multiple versions of data.
  4. Password and authentication management – it is favourable if administrators can control password complexity and validity, and if two-factor authentication is available to enhance authentication security.
  5. Data encryption – it is favourable if encryption functions are provided, preferably with different strength levels.
  6. Data purging – it is favourable if data is permanently deleted when data erasure or service unsubscription is required.
  7. Data jurisdiction – if you are required to control the data jurisdiction, choose providers that allow users to choose a data storage location that suits your requirement.
  8. Data export facility – there should be a convenient way to export data on demand. It is better if the export facility can be automated and scheduled.

Guideline to Business Users

For business users who back up their data using cloud storage, HKCERT has the following advice:

  1. Data classification – classify the data to be backed up to cloud storage beforehand. If there is confidential and sensitive data, further processing, for example encryption, may be needed before the upload.
  2. Access control policy – classify users into groups by role and plan their access privileges.
  3. Version control – retain backups for at least 7 days; if possible, keep them for a month.
  4. Encryption protection – encrypt confidential and sensitive data before backing it up to cloud storage.
  5. Check data jurisdiction if required by the regulator.
  6. Plan for switching – think about how to get your data back when one day you need to switch service provider.
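
One way to carry out the "encrypt before backing up" advice, as an added example that is not part of the HKCERT guideline: the file is sealed with AES-256-GCM on the client, so the provider only ever stores ciphertext and any modification is detected on restore. It assumes the third-party Python `cryptography` package is installed; the container layout, the function names and the sample file are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"BKP1"   # constructed container tag for this example
NONCE_LEN = 12    # 96-bit nonce, the standard size for AES-GCM

def encrypt_for_upload(src: Path, dst: Path, key: bytes) -> None:
    """Write MAGIC || nonce || ciphertext+tag; the key stays on the client."""
    nonce = os.urandom(NONCE_LEN)  # fresh per file; never reuse a nonce with the same key
    # The file name is bound as associated data, so a blob renamed or swapped
    # on the provider side fails authentication on restore.
    sealed = AESGCM(key).encrypt(nonce, src.read_bytes(), src.name.encode())
    dst.write_bytes(MAGIC + nonce + sealed)

def decrypt_after_download(blob: Path, original_name: str, key: bytes) -> bytes:
    """Return the plaintext, or raise InvalidTag if the blob or its name was altered."""
    data = blob.read_bytes()
    if data[:len(MAGIC)] != MAGIC:
        raise ValueError("not a container produced by encrypt_for_upload")
    body = data[len(MAGIC):]
    return AESGCM(key).decrypt(body[:NONCE_LEN], body[NONCE_LEN:], original_name.encode())

def demo() -> dict:
    key = AESGCM.generate_key(bit_length=256)  # keep this in a local key store, not in the cloud
    plaintext = b"name,salary\nconstructed sample row,12345\n"
    with tempfile.TemporaryDirectory() as tmp:
        src, out = Path(tmp, "payroll.csv"), Path(tmp, "payroll.csv.enc")
        src.write_bytes(plaintext)
        encrypt_for_upload(src, out, key)
        blob = out.read_bytes()
        restored = decrypt_after_download(out, "payroll.csv", key)
        out.write_bytes(blob[:-1] + bytes([blob[-1] ^ 1]))  # simulate corruption in storage
        try:
            decrypt_after_download(out, "payroll.csv", key)
            tamper_detected = False
        except InvalidTag:
            tamper_detected = True
    return {"hidden": b"salary" not in blob, "restored": restored == plaintext,
            "tamper_detected": tamper_detected}

if __name__ == "__main__":
    print(demo())
```

Each file is read into memory in one piece, so very large backups need a chunked scheme instead; losing the key means losing the backup, so the key itself needs an off-cloud copy.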

Guideline to Personal Users

Personal users can use cloud storage to store various types of data, including personal address books (e.g. Gmail, Yahoo mail), calendars (Google calendar), photos and multimedia data (e.g. Flickr, Picasa) and general purpose data (e.g. Dropbox, Box, Google Drive, Amazon CloudDrive). Here are some security tips.

  1. Protect Data at Rest
    • Users should plan carefully what to store on cloud storage. Sensitive data should be stored only if justified and, if so, must be stored in encrypted format, using a strong encryption standard such as AES-128 or AES-256.
  2. Protect Data in Motion
    • Data should be transmitted to and from the cloud storage over an encrypted communication channel, e.g. SSL or SSH.
  3. Protection measures for automatic data synchronization
    • If a user installs client software (desktop client or mobile client) to synchronize data between a desktop computer (or mobile phone) and cloud storage automatically, they should:
      • Ensure the local synchronization folder stores only files intended to be exchanged with cloud storage.
      • Ensure the client software is downloaded from the official site.
      • Configure the client software to encrypt files locally if it has such a feature, e.g. Wuala, SpiderOak.
      • Handle file changes and deletions carefully, as a change or deletion on one client will cause the same change in the cloud and subsequently on other synchronized device(s).
    • If a user installs client software on a desktop or mobile device, or configures a network attached storage (NAS) device to synchronize data with cloud storage services automatically, they need to:
      • Plan capacity so that the storage space limit on either end is not exceeded.
      • Configure notifications to alert the user to data transfer errors or a full disk.
    • Most mobile apps synchronize data on the phone (files, photos and videos, SMS, email, instant messages, installed applications and configurations) to the cloud. Make sure no sensitive data is uploaded.
  4. Protection measures for authentication
    • If a user authenticates with a user ID and password specific to each cloud storage service, they should not share the same password across different services. That way, a data breach in one service won't impact other services.
    • If a user authenticates to multiple cloud storage services using OpenID (i.e. by logging in to one OpenID identity provider such as Google or Facebook), they should use strong authentication for the OpenID. Two-step authentication is recommended; it is available from some OpenID identity providers (e.g. Google, Facebook, Twitter).
  5. Protection measures for access control
    • If a user intends to share access to files, photos and other data with friends or family, they should grant the proper access permission to each user ID explicitly. An obscured URL does not provide confidentiality: any party who knows the obscured URL can access the data directly, without any control.
    • When sharing access to data, file sharing is recommended over directory sharing.
    • When sharing access to data with a group of team members, it is recommended to create an access account for each member instead of having all members share the same access account.
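
A check that can run before synchronization, for the advice above that the local synchronization folder should hold only files intended for the cloud and that no sensitive data is uploaded. This is an added example, not part of the HKCERT guideline; the rules, function names and sample files are constructed and stand in for your own data classification policy.

```python
import re
import tempfile
from pathlib import Path

# Constructed rules for this example; replace them with your own classification policy.
SENSITIVE_NAME = re.compile(r"^id_(rsa|ed25519)$|\.(pem|key|kdbx|pfx)$", re.I)
PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
CARD_CANDIDATE = re.compile(rb"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Checksum used by payment card numbers; filters out order and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def classify(path: Path) -> list:
    """Return the reasons a file should not be synchronized in clear text."""
    reasons = []
    if SENSITIVE_NAME.search(path.name):
        reasons.append("sensitive file name")
    data = path.read_bytes()[:1_000_000]  # sample the first 1 MB only
    if PRIVATE_KEY.search(data):
        reasons.append("private key material")
    for match in CARD_CANDIDATE.finditer(data):
        digits = re.sub(rb"\D", b"", match.group()).decode()
        if luhn_ok(digits):
            reasons.append("payment card number")
            break
    return reasons

def scan_sync_folder(root: Path) -> dict:
    """Map relative path -> reasons for every file to encrypt or move out of the folder."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (reasons := classify(path)):
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample folder
        root = Path(tmp)
        (root / "holiday.txt").write_text("Order ref 1234567890123, see you Friday")
        (root / "invoice.txt").write_text("Card: 4111 1111 1111 1111 exp 01/30")
        (root / "id_rsa").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n")
        return scan_sync_folder(root)
```

The order reference in `holiday.txt` has the right length for a card number but fails the checksum, so only `invoice.txt` and `id_rsa` are reported.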

Safety of Devices Used to Access Data on the Cloud

Most users access their data on the cloud through a browser or a mobile app.

  1. Ensure you have a secure browser:
    • Make sure the browser and plugins are patched and up to date. A free tool, Qualys Browser Check, can be used for this purpose.
    • When accessing the cloud storage website, check the validity of the SSL digital certificate.
    • Configure the browser not to store passwords.
    • Log out immediately when finished.
  2. Most mobile apps store the login credentials and can log in to the cloud storage services automatically. Theft or loss of a mobile device means access to data in the cloud may fall into the hands of a malicious party. Our advice is:
    • Activate the remote device wiping function, and use a screen-lock password to protect a lost phone from logins by third parties. If the phone is stolen, use the remote device wiping function to clear all the data.
    • Do not use the auto-logon function, to avoid direct logins to cloud storage by third parties when the phone is lost.
    • Do not keep downloaded files if possible. Enable file system encryption on the phone if necessary.

Cloud storage is growing rapidly and the services provided keep changing. Users should familiarize themselves with the services they use, stay aware of incidents relating to cloud storage, and choose the most suitable service so as to avoid data incidents.

 
