Can we ever secure the cloud?

can we secure the cloud 2015 images

Cloud computing and big data are both taking the world by storm and are hot topics on all technology related conversations.

It is no great secret though that the biggest barrier to these technologies really taking off is security. Whilst everyone in the tech industry will argue that the cloud is in fact far more secure than traditional on site IT systems there is still a real fear – and a just fear – that technology in general is nowhere near as secure as it needs to be and this fear is really debilitating the progress of these new and somewhat experimental technologies.

The current security landscape

Regardless of the security that is in place for any particular cloud based service there is no denying the fact that many IT systems and cloud services are getting hacked in to one way or another.

There have been several high profile cases recently that confirm these security issues including the Sony Pictures Entertainment hack in 2014 and the Dropbox hack to name just a few.

As well as these high profile cases there are also dozens of hacking attempts accruing across all sectors of the market with the education sector being one of the most targeted but least policed.

It is important to note that as was the case in the Dropbox incident many of these breaches do not come as a result of the service provider’s infrastructure being compromised but are more often the result of individual user accounts being compromised or through third party providers who have API access to these systems and services. However, whilst this might abscond the providers from their legal culpability it is hardly an excuse from and ethical of technical point of view.

cloud security a problem for government 2015

Taking responsibility for data security

Before getting into any of the technicalities of data securities or any of thing things that need to change in order to improve security I think the most important step is understanding the importance of data security, the effect that we can all have on its effectiveness and ultimately realising that we all need to take responsibility for this security.

If companies like Dropbox provide API access to their systems then they must take some responsibility for all parties that have access via these means and equally as users we should all take responsibility for the security of these services because even if we don’t personally have any important information stored in Dropbox a breach of our account could indirectly provide a hacker with access to other more sensitive data.

How can security be improved?

We all need to take more responsibility for the security of our data but at the same time the technical measures need to be available to realise the security of our data. Whilst there are measures already in place I think that if these measures were coupled with a new understanding and sense of responsibility then they could be far more effective.

Two step authentication is a case in point and is a fantastic security measure that can go a long way to preventing user accounts from being compromised. Whilst many companies are offering two step authentication very few of those are making it mandatory and equally the end user is often reluctant to implement this security measure because they feel that it is not necessary for them – once again though we should be looking at the bigger picture here and appreciate that overall two step authentication would be working towards a greater good in terms of data security.

For those of you who aren’t familiar with the technology it involves authenticating not only with a password but also using an external device to provide further authentication normally in the form of a random and regularly changing pass code. Google provide a two-step authentication service known as Google Authenticator which consists of a smartphone app that can be linked with a supported online service such as the payment processor Stripe, after which it will constantly generate random codes every minute or so and when you log in to a connected service account you have to enter the current code along with your password.

This type of service takes away the possibility of a password being compromised or brute forced and whilst not bullet proof is exactly the type of security measure that being compulsory would cut down a huge amount of hacking attempts.

Server, network and resource security

As well as the responsibility that users should have in terms of security service providers also have a great responsibility in terms of network and server security – this should include not only the perimeter defences that are in place for the servers that these systems run on but also the data that is stored on those servers as well as all forms of access – including third party connections made available by API access.

It is perhaps time for a reform of all of these components with security being at the forefront – encryption of all data at rest similar to the policies that are in place within the financial sector would be a good start as well as new protocols and security measures for API access – perhaps an enterprise version of two step authentication.

In addition service providers also have the responsibility of ensuring password security for all of their users which could be improved by implementing stronger password requirements as well as mandatory password expiry. This point can be highlighting when you look at password complexity indicators across different service providers and see how much these indicators can vary with the same password being deemed very weak by one provider and extremely strong by another. Perhaps we also need standards in place across the board that dictate the requirements of a password for it to be considered strong.

These are just my thoughts on the subject and I would love to hear the opinion of our readers as to other measures that could be put in place to temper the issue of data security. In my opinion I don’t think we will really see the full potential of technologies such as the cloud, big data or the internet of things until we can overcome these issues with security – only then will the consumer really begin to trust these new technologies.