How much should you (or can you) trust the cloud to be there when you need it? Last week, the top US internet sites went dark, on and off, for a couple of hours or so due to a historically unprecedented denial of service attack (DDoS). Over the past week, we've learnt that the assault was effected by millions of semi-smart devices, namely "internet of things" devices (IoT) such as webcams.
The DDoS attack saw many top sites go down: Twitter, Amazon, Netflix, Spotify, Tumblr, Etsy, Pinterest, AirBnB, Reddit, Box, and many others, a veritable list of who's who on the web.
As digital evidence is unearthed and collected, chatter has turned towards preventing future attacks. Applying an acceptable level of security on IoT, for example, is being suggested as part of the solution. But, such a move will take time. In the meanwhile, one should be asking a different question: how often could we experience similar attacks while people are working on shoring up security? And what does this mean for a user of the cloud and its services?
Remember how people had doubts about the cloud? That it wouldn't work… despite the fact that the cloud is nothing but finally crediting the underlying ways of the internet, so it was already "working?" Then it just grew and grew and grew – because, frankly, how could it not; the cloud is, at its core, servers connected to the internet with convenience baked right in – and now it's just embedded into people's lives. The fact that the world sat up and took notice of this latest attack hit the point home, that the cloud is integral in our lives, more so than any financial or network statistics you may have seen.
If you think about it, this is not the first time cloud services – or services that rely on the cloud – have been at the center of problems and controversy. But, we have reached a point where limited access to the cloud significantly affects our jobs and lives. It's not just about being unable to binge on marathon sessions of your favorite shows on Netflix (if they have it in your geocode, that is).
For example, many individuals and businesses make use of Dropbox and other cloud storage services. A DDoS attack on such companies that lasts for hours (dare I say days?) could be disastrous. What if the final draft of a contract was stored in that one Dropbox account, and couldn't be accessed in time for the deadline, for example?
Inaccessibility for more than a few hours sounds impossible, but the government of Turkey unexpectedly blocked wholesale access to Dropbox as well as other cloud-based storage services. As far as I can tell, Turkey hasn't lifted the ban. We're talking confirmed weeks here, possibly months on end.
Lack of access is not the only problem, though. It turns out that cloud services can be riddled with malware, or that sometimes things just don't work as they're supposed to. For example, one very established company has been inadvertently deleting Mac users' data because of a bug.
It should also be noted that even without a crippling attack that slows down traffic to a trickle, companies like Dropbox have other worries. Earlier this year, Dropbox announced that 68 million usernames and passwords had been compromised years ago (the hack itself was made public in 2012, but not that the passwords were stolen, which was a recent discovery).
At the heart of the data breach: a Dropbox engineer who had re-used a password.
Clients who took comfort in the cloud storage company's security features must have been nonplussed. After all, this is a company whose services are frequently used by the business community because of the convenience and security it provides.
The ability to add storage capacity as needed, when needed, combined with its accessibility – anywhere where you can reach the cloud – would have been moot if Dropbox hadn't also encrypted each account's contents (that promise, of course, has courted controversy in the past). Remember, the iPhone and Android smartphones only began to replace Blackberries in the workplace en masse once acceptable security was featured on their devices.
Customers thought that documents were safe thanks to the encryption used to secure each Dropbox account, and it could potentially have been undone by their own passwords.
At the same time, it should be noted that nobody is immune from data breaches, not even the NSA and the CIA, arguably the experts in the field of data security. If they can't do it – with their billions of dollars in funding from the government, practically an uninterruptible financial stream – what are the chances of companies that have to raise the funding for their operations?
(Incidentally, this is why it's a good idea to encrypt any sensitive files before uploading them into cloud storage, even if it's secured. Doing so takes care of a number of past and present criticisms that were directed at Dropbox's security practices and policies, including the unforeseen event of a senior engineer's password getting compromised).
Now that the cloud has become entrenched in our lives, cracks are beginning to show in its underpinnings.
Most of these are expected, just like hairline fractures and some settling are expected in the foundations of mega-tall skyscrapers. Over the past couple of years, we've increasingly witnessed how information stored in the cloud is ripe for hacking. The cloud is an extension of the internet, which was conceived as an open medium of communication, befitting its origin in research and academia. Better security is being developed and deployed to secure the internet, with each scandal and data breach working as a further impetus.
Security is for naught, however, if anyone can get the keys to the door, which is basically what happened at Dropbox (the whole lot of the 68 million creds can be freely downloaded, and at one point was being sold for no more than $1500). There is a limit to what Dropbox and other companies can do, however. One of the basic tenets of security is layering and distribution: don't leave all your keys in the same place, for example, if you will.
If you're using cloud services (and rest assured that the word "if" will disappear as time marches on), it makes sense not only to use the provided security features, but to use one that is under your – not the cloud service provider's – control. For cloud storage, it could very well be the use of a separate file encryption solution as well as proper data backups.
Related Articles and Sites: