Cloud Storage Security
With the rapid development of the Internet and the popularity of mobile devices, demand for cloud storage keeps increasing. Cloud storage has no geographical restriction, so the service is available around the globe; but information security requirements differ from country to country, so we have to be more cautious when opting for cloud storage. This guideline focuses on cloud storage services and is divided into four parts: Cloud Storage Security Risks, How to Choose Cloud Storage Service Providers, Guidance for Using Cloud Storage Services, and Security Advice for Accessing Cloud Data.
Cloud Storage Security Risk
Cloud storage provides convenience and other advantages that we did not have previously, for example scalability, pay-as-you-go pricing, off-site data storage and access from everywhere. However, we must also be aware of the new security risks, including:
Data leakage and eavesdropping
- Attacks against cloud storage servers.
- Unencrypted transmission channels for uploading and downloading files.
- Two-factor authentication (2FA) not enabled, leaving the cloud storage account open to brute-force attacks.
- No access control, so anyone can make connections to the servers.
Abuse at service provider level
- Cloud storage service providers access customer data without permission.
Data management mistakes
- Lack of data classification, so that data, including sensitive data, is uploaded to cloud storage without access control and encryption.
- No privilege control, so co-users can access data they do not need.
- Erroneously sharing sensitive data.
- Account credential theft due to phishing or loss of mobiles/computers.
- Misconfiguration of security measures or use of default settings, allowing hackers to hijack the accounts.
- For some regulated industries, there might be regulations requiring data to be stored within the borders of a certain jurisdiction. A cloud storage service might not provide that control over, and transparency about, the location of data storage.
Cloud storage service provider lock-in
- The data stored, and its format or structure, might not be transferable when the user decides to unsubscribe and switch to another cloud storage service provider.
Selecting Cloud Storage Service Providers
There is a variety of cloud storage service providers, and using cloud storage brings different risks. As long as we choose a suitable service, the risks can be mitigated. Below are some of the more important points when choosing a service:
- The integrity of service providers and transparency of data protection policy – choose those with a good reputation to ensure the stored data is not transferred to third parties, and those who publish a clear policy on data protection.
- Access control – it is favourable to allow users to grant privileges to different users / roles to manage different files and folders.
- Version control – it is favourable to allow users to store and manage multiple versions of data.
- Password and authentication management – it is favourable to allow the administrator to control password complexity and validity, and to have two-factor authentication to enhance authentication security.
- Data encryption – it is favourable to provide encryption functions, preferably with different strength levels.
- Data purging – it is favourable to have data permanently deleted when data erasure or service unsubscription is required.
- Data jurisdiction – if you are required to control the data jurisdiction, choose those which allow users to choose the data storage location that suits your requirement.
- Data export facility – there should be a convenient way to export data on demand. It is better still if the export facility can be automated and scheduled.
Cloud Storage Usage Guideline
For the use of cloud storage services, ensure that the services comply with CIA (Confidentiality, Integrity, Availability), and use Data Lifecycle Management (DLM) to process data stored in the cloud in order to prevent data leakage, protect data, restore data and so on.
Based on CIA and Data Lifecycle Management, this guideline has developed two separate sets of advice, for business users and personal users, for reference.
To Business Users
For business users who back up their data using cloud storage, HKCERT has the following advice:
Classify the data to be backed up to cloud storage beforehand. If there is confidential and sensitive data, further processing, for example, encryption, may be needed before the upload.
Access control policy
Classify accessing users into groups by roles and plan the permission of access privileges.
Keep the version backup according to the internal policy and regulation.
Encrypt the confidential and sensitive data before backing up to cloud storage.
Check whether data can be removed permanently when the cloud service is terminated.
Create a backup policy and store the backup on an offline device. If cloud storage service redundancy is required, you can consider choosing different providers.
Plan for switching
You should think about how to get your data back if one day you need to switch service provider.
To Personal Users
Personal users can use cloud storage to store various types of data, including personal address book (e.g. Gmail, Yahoo mail), calendar (Google calendar), photos and multimedia data (e.g. Flickr, Picasa) and general purpose data (e.g. Dropbox, Box, Google Drive, Amazon CloudDrive). Here are some security tips.
Data Classification before Upload
Users should plan carefully what to store on cloud storage. Sensitive data should be stored only if justified, and if so, must be stored in encrypted format, using a strong encryption standard like AES-256.
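The advice to encrypt sensitive data before it is uploaded (given above to both business and personal users), as an added example that is not part of the original guideline: AES-256 in GCM mode using only the Go standard library. The function names, the fixed-size key type and the use of the cloud object name as associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM: the *[32]byte key type forces AES-256, so neither call can fail.
func newGCM(key *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal encrypts locally, before upload. name (the cloud object name, an
// assumption of this example) is bound as associated data.
// Output layout: nonce || ciphertext || tag.
func Seal(key *[32]byte, plaintext []byte, name string) ([]byte, error) {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every file
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open authenticates and decrypts a downloaded blob. A modified blob, a wrong
// key or a swapped object name yields an error, never partial data.
func Open(key *[32]byte, blob []byte, name string) ([]byte, error) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	var key [32]byte // generate once and keep it away from the cloud account
	if _, err := rand.Read(key[:]); err != nil {
		panic(err)
	}
	blob, _ := Seal(&key, []byte("constructed sample"), "backup/payroll.csv")
	_, err := Open(&key, blob, "backup/other.csv") // object swapped in the cloud
	fmt.Println(len(blob), err)
}
```

Because the key never leaves the device, the provider stores only ciphertext; the key itself needs its own offline backup, since losing it makes the uploaded data unrecoverable.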
Protect Data during Transfer
Data should be transmitted to and from the cloud storage using an encrypted communication channel, e.g. VPN, SSL or SSH.
Protection measures for automatic data synchronization
If a user installs client software (desktop client or mobile client) to synchronize data between desktop computers (or mobile phones) and cloud storage automatically, they should:
- Ensure the local synchronization folder stores only files intended to be exchanged with cloud storage.
- Ensure the client software is downloaded from the official site.
- Configure the client software to encrypt files locally if it has such feature, e.g. Wuala, SpiderOak.
- Handle file changes and deletions carefully, as a change or deletion on one client will cause the same change in the cloud and subsequently on other synchronized device(s).
If a user installs client software on desktop or mobile device, or configures a network attached storage (NAS) to synchronize data with cloud storage services automatically, they need to:
- Plan capacity so that the storage space limit on either end is not exceeded.
- Configure notifications to alert the user to errors in data transfer or a full disk.
Most mobile apps synchronize data on the phone (files, photos and videos, SMS, email, instant messages, installed applications and configurations) to the cloud. Make sure no sensitive data is uploaded.
Protection measures for authentication
- If a user authenticates with the userID and password of a specific cloud storage service, do not share the same password across different services. That way, a data breach in one service won't impact the other services.
- If a user authenticates to multiple cloud storage services using OpenID (i.e. logs in through one OpenID identity provider such as Google or Facebook), they should use strong authentication for the OpenID. It is recommended to use two-step authentication, which is available from some OpenID identity providers (e.g. Google, Facebook, Twitter).
Protection measures for access control
- If a user intends to share access to files, photos and other data with friends or family, grant the proper access permission to the userID explicitly. An obscured URL does not provide confidentiality: any party who knows the obscured URL can access the data directly without control.
- When sharing access of data, it is recommended to use file sharing over directory sharing.
- When sharing access of data with a group of team members, it is recommended to create an access account for each member instead of having all members share the same access account.
Safety of Access Devices of Data on Cloud
Most cloud data users access the data on cloud by browser or mobile app.
Ensure you have a secure browser:
- Make sure the browser and plugins are patched and up to date. The free tool Qualys Browser Check can be used for this purpose.
- When accessing the cloud storage website, check the validity of the SSL digital certificate.
- Configure the browser not to store passwords.
- Log out immediately when finished.
Most mobile apps store the login credentials and can log in to the cloud storage services automatically. Theft or loss of a mobile device means access to data in the cloud may fall prey to a malicious party. Our advice is:
- Activate the remote device wiping function, and use a screen-lock password to protect your lost phone from logins by third parties. If it is stolen, use the remote device wiping function to clear all the data.
- Do not use the auto-logon function, so that third parties cannot log in directly to cloud storage when the phone is lost.
- Do not keep downloaded files if possible. Enable file system encryption on the phone if necessary.
Cloud storage is booming at lightning speed, and the services provided keep changing. Users should familiarize themselves with the services being used, keep themselves aware of incidents relating to cloud storage and choose the most suitable service so as to avoid data incidents.