There is a scene in the 2015 movie Creed, where Rocky Balboa writes a workout plan for young Adonis Creed. Creed snaps a picture of the paper on his phone. He gives the paper back to Rocky. Rocky, confused, asks, “Don’t want you this?” Creed responds it’s on his phone, and Rocky asks what if it breaks or you lose it. Creed responds, “It’s in the cloud.”
A decade ago, the thought of having your personal or business data on unknown servers out of your control was met with a lot of skepticism. Business owners I dealt with did not like the idea of housing accounting and HR data off-premise. But as technology improved and allowed for simple ease of access from any device from any location we don’t think twice about it. Now it’s incomprehensible to think of small businesses trying to manage complete network infrastructures in the building.
As humans, we will always gravitate to things that are easier and cheaper. All other details are a far-distant concern. So, for cloud storage, how safe is your data from prying eyes? Both from would-be hackers and the companies you entrust your data with?
Data in Motion
Almost every major and minor player in cloud storage solutions incorporates data encryption during transmission. Essentially your data is ensured to be encrypted over the internet from prying eyes when you run a credit card at the store, your iPhone automatically backups up your photos to iCloud, or your computer syncs files with Dropbox during the upload process.
Data at Rest
But what about the data as it sits on the hosting provider’s servers not doing anything? This is referred to as data at rest. It all depends on who can initiate data at rest encryption that can have access to it. A cloud storage provider that implements data-at-rest encryption can access your data. The appropriate personnel that maintains the encryption keys would in fact be able to unencrypt the data you have stored in the cloud. This should be limited to authorized personnel within the company. The method used to encrypt your data could be more relaxed with a single private key used for the entire customer base or a new private key created for each user.
If you as the end user initiate the data encryption and control the private key, only you or someone you authorize would be able to view your data. The major downside to you controlling the private key is if you lose it, or forget your passwords the data is essentially lost. But if you maintain good backup principles this is the most restrictive method to keep your information from prying eyes.
By default, the major players (Yahoo, Gmail, Outlook) do not encrypt email messages. The systems scan your email to verify spam, direct marketing, or viruses. If you have a private email that must be sent thru one of these systems search for instructions on end-to-end encryption for email. This will ensure only your intended recipient can read the message. There are 3rd party extensions that can also assist with encrypting your email. Facebook Messenger app will even allow for secure communication by hitting the secret button.
Government Access to Your Data
Encrypting cloud data has become a battlefield of sorts between technology companies and the government. Requests by the government for increased significantly in the past several years. Apple reported receiving 2,999 requests for data in the first 6 months of 2016. They received 5,999 requests in the second half. Facebook reported similar statistic with 46,710 in the first half of 2016 and 59,229 in the second half. Tech companies do not want to be in the business of policing stored data and the government wants access to what they deem national security measures. It will be an ongoing fight for the privacy of your data. If you are curious about a tech company’s position and best practices standards before releasing personnel data visit: https://www.eff.org/who-has-your-back-2017
Keeping your data in “the cloud” is significantly more secure and easy to access than maintaining that data on a device in your home or office. Tech companies bring a higher level of security than you could on your own. Just don’t be surprised if that company can access that data if they want or are required to. But honestly, you probably already share all of your good pictures on Facebook!
John Barker is a Stafford, VA resident who is a technology and cybersecurity consultant at Virtual CIO Agency with over 25 years of experience. He also serves on Stafford County Schools’ Technology Advisory Committee and is part of the Cybersecurity Forum Initiative (CSFI.US) research team. He has regularly contributed to InsideNova and, starting in 2023, the Free Lance-Star (Fredericksburg.com). John enjoys spending time with his wife Erin, dog Rocket, and cats Dash, Trip, and Nibbler. He is an avid weightlifter and holds a private pilot’s license.
MBA | CISSP | PMP