Are cloud services safe to use, or are you better of creating your own data castle? Let’s take a look at the difference between cloud services and self hosted solutions, and why trust is a key part of security.
Cloud services have become widely used over the past years, and it looks like they’ll be around for a while. But there are many concerns about the users privacy and the security of the stored data, both by professionals as well as the users of these services.
With government surveillance, the Snowden leaks and general cloud security fails, like the Apple iCloud incident, many decided to take back control over their data and store it somewhere “safe”. But is hosting the data yourself really safer then the majority of cloud services?
It’s hard to tell whether a cloud service is safe to use or not. In all but a very few cases you get little to no insight in how data is secured, how the overall company security is setup and how your data is insured. That’s right, insurance also plays a part. What if your sensitive data is being leaked by a pissed of employee? As a private user, such an incident might sting, but as a company this can be a real threat to existence, if the leaked data contains business critical information.
Data safety might also be an issue. This new product might be all the rage at the moment, but is the small startup company behind it able to afford backups or is a RAID3 all that’s protecting your data from being lost for good?
In the end, all you can do is research and ask. Try to find out as much as possible about the service and company you want to entrust with your data, and don’t be afraid to ask them about their security. Your first response is usually “We take security very seriously”, but if you persistently ask specific questions, you might just get a real answer.
Important things to keep in mind are
- Data Backups – If possible in a second datacenter or availability zone.
- 2 Factor Authentication – User logins alone might no be enough to secure your login.
- Reputation – Are there any know security issues in the past? Is the company known at all?
- Data Control – Can you delete data for good? Or is it stored in the cloud forever?
[Just a thought] – A security related questionnaire for cloud service providers, and a public index of companies that already provided answers to these would be a swell idea. Let me know if you’re building, or know of, such a service.
Of couse you could just decide to only trust yourself and do your own thing, and that’s exactly the reason for this post. Over the past two years, I met lots of people who decided to go their own way, despite having next to no knowledge of how these things work.
Can you do better?
The big question is, if you can do it better. Since trust in cloud services has taken a huge hit, self hosted application have become a popular alternative. But there are many things to consider if you want to roll your own “cloud”.
- Do you know how to secure your server and the application that is running on it?
- Do you have the time to continuously apply patches to both system and application
- Do you have the time to regularly check for misconfiguration and security holes?
- Do you have enough space to make backups (not on your server!)
Or in short
- Do you have ALL the required resources to do this?
If you’re answer is yes, then you should ask yourself one more question. Is it worth it? A lot of money, time and nerves is spent on hosting your own cloud applications in a secure manner, and since you started all of this because you want to protect your data, doing it in an insecure way would just be you, lying to yourself, about the security and safety of your data.
There are of course ways to minimize the risk and required level of trust to use cloud services, such as encrypting everything before uploading it – just in case you feel a bit lost right now.
Let me get one thing straight, I’m not trying to discourage anyone from running their own server. In fact, I would love to encourage anyone who wants to take back control over their data. I’m running my own server(s) for a couple of years now and I’m pretty happy with it. But I also want people to actually increase their security.
Feeling safe != being safe
The thing is, no matter what you do, when it comes to security, there will always be some level of trust involved. The further you minimize the required amount of trust in the ability and intentions of others, the more the required amount of resources will increase.
For example, you could host your own Owncloud instance on a hosted vserver. Now you don’t have to handover your data to Dropbox, Google or other services like theirs. But know, you have to put your trust in others.
You trust the Owncloud developers and the company behind them to do a good job at writing secure code and not harboring ill intentions towards their users (or any government enforcement against them). Also, you probably trust the community behind the project to keep and eye out for any bugs, vulnerabilities or suspicious occurrences regarding the project. Next, you trust the hoster that provides you with the vserver you rented, to be honest enough not to copy all the data you store on your server somewhere else, where it would be outside of your control.
Of course you could move everything to a local NAS running inside your home network, removing the issue with trusting a cheap hosting company, but probably suffering way slower connection speeds if you need your cloud to be available wherever you go.
Raise the bar, keep the balance
Security is all about raising the bar, but you still have to keep the balance between higher security and required resources to do so. There is no absolute solution and everyone has to decide whats the best choice for themselves. So be sure to ask yourself these questions
- Am I really improving on what I already have?
- Do I have the required resources to do so?
- Is it worth the extra effort and do I want to spend my spare time on this?
- Is there no cheaper way (time, effort, money) to increase security?
Especially the last part is often interesting. A compromise of cloud services and local encryption might help a lot of people get over the trust issue, without falling into a pit of increased work, lost time and most likely spent money.
These are just a few thought that have been rumbling around inside my head, after I talked to a few people about home cloud setups. Most of these people have few to no knowledge about service administration or security, which is why I was a bit torn apart between recommending for and against it.
Please share your thoughts on this with me, if you have any, either via Twitter @HashtagSecurity or in the comment section below.