Security Think Tank: Consumer cloud is fine for business, if....

How can businesses use free or low-cost cloud storage services aimed at consumers, but ensure their data is safe and secure?

Can I use cheaper, consumer focused cloud services for storing critical data and if yes, how can I best secure that data? In addition, why do I even need to bother with securing the data? Surely the cloud providers can be trusted?

Yes, you can use the consumer cloud storage options, but only after you read this mini-guide in full, writes Amar Singh. Why bother? Apart from the fact that nobody else will be able to access your data, organisations such as the Information Commissioner’s Office (ICO) are also now openly encouraging organisations to secure their data.

In the early days of the cloud, free storage was mostly availed by attaching important files to cloud based email services such as gmail – which was very popular for this practice, as it was among the pioneers offering a huge amount of cloud storage for free and its attachment size limits were, at that, time very generous – but today, storage in the cloud is as ubiquitous as the air we breathe. All right maybe not that ubiquitous, but you get the gist of it.

Storage in the cloud is without a doubt one of the most heavily used cloud-based services in use today and is now available to both the commercial customer and the average consumer. In fact it is now almost standard for a smartphone user to receive some sort of cloud storage space for free. Furthermore, it is extremely likely you will receive a nominal amount of free cloud storage when you buy a hard disk or new software (often photo/video editing software).

Consumer storage for business use?

The consumer has driven a great deal of innovation in the cloud storage space. So much so that, today, those providers that started off by offering consumer-only products are now offering the same or slightly beefed up services to businesses of all types, especially the SME type organisation.

Be cautious – but why?

Cloud-based storage poses two main challenges for the business: one of data residency and the other of unauthorised access. (In reality there are many other challenges outside the scope of this article. On a positive note, every challenge poses an equal or better opportunity!)

The question of data residency arises when the cloud provider – and that includes almost all of the providers – is unable to provide an iron-clad guarantee that the businesses' data is physically located and appropriately protected in a particular region.

In the UK, the Information Commissioner's Office, in its eighth principle on data protection, clearly states: “Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.”

Unauthorised access, in this context, means the ability to access your stored data, without your permission, either by nation states and their spy agencies or by employees of the storage provider.

To sum up the above two concerns, you lose control of your data when you use the cloud to store your data. 

Surely my password will keep my data secure?

The password argument does not hold water for several reasons, among them being the fact that most users will generate easy-to-guess passwords that are a doddle to guess even for a regular IT tinkerer, let alone governments and hackers. Sensible businesses should NOT depend on passwords alone to secure their data.

What next?

Instead of supporting any one provider (although I do provide one example that I find very useful) the key to ensuring that you can get the benefits of both worlds – cheap consumer-based storage and data secured from unauthorised access – is to make sure you:

  • Force, if not encourage, yourself and your employees to use extremely strong passwords. No compromises.
  • Encrypt your data - or forget about privacy.

In standard cloud storage setup the provider of the service holds the secrets key to decrypting your data. Given that most respectable providers do have appropriate technical, policy and procedural controls in place to stop the abuse of this privilege, but in the end the dependency is on the human, the employee(s) of that provider.

Face the fact: If you do not encrypt your data it will be open to abuse.

The secret to ensuring control over access to your encrypted data lies in what I prefer to call the "keys to the kingdom" or in common IT parlance the private key. Put another way, he who holds the private key to your encrypted data can read your data.

Client-side encryption is another approach and way to describe the private key concept. This is where the hard work to encrypt your data is done by your local machine (the client) before the data is uploaded to the cloud.

Key takeaways for encryption:

  • Ask the cloud storage provider if they use the private key in their encryption mechanism.
  • Ask the cloud provider where the private key is stored and whether or not they store this private key anywhere else, such as on their local server. And seek this guarantee in writing if and where possible.
  • Don't trust anything that reads like, "We use key escrow”.

Please do not, under any circumstances, share the encryption’s private key and do not lose the private key.

What does a strong password look like?

The age old mantra: use strong and complex passwords, is more relevant today than ever before.

Below is a sample of weak passwords many people still use to secure important data. The passwords below can be guessed in minutes if not seconds!

1Ki77, Susan53, jellyfish, jelly22fish, Ilovemypiano, ILoveMyPiano, ihateliverandonions, [email protected], Mypuppylikescheese, MyPuppyLikesCh33s3.

How about the two separate 63-character passwords! Yes, the below two password strings are very secure and very difficult to guess or crack.


PRTiAwKIddO\*24khV8o0*&C<;C1i<J7wE2jf)[email protected])}l*Yt6VHh$:#J?b9D5o!

What! Remember a 63-character password?

So, the reality is that I rarely use a password this long and no, I am not asking you to commit this long a password to either short term or long term memory.

This is where password managers take the stage. Without writing a whole new booklet on password managers it is enough to recommend that, whatever passwords you use for whatever website or cloud service, manage and store that password using password manager software.

In reality, you do not often need 63 characters. Today, for most people, even a 20 − 30 character password (generated and stored in a properly secured password manager) should suffice.

Some of the important features to look out for in a password manager:

  • Generation of very strong and random characters for passwords,
  • Easy, secure access to the same passwords across multiple devices (phone, tablets and machines) anytime and anywhere.

Finally, remember this! Use an extremely strong password to lock and safeguard your password manager. If you put all your passwords in your password manager and choose an easy to guess password to enter the manager, you are in trouble!

Key takeaways for passwords

  • Get yourself a password manager,
  • Use more than 30-characters in the password (63 characters if you are very paranoid) as the key to your password manager
  • Where possible, enable dual factor authentication (this is where you have to enter a code, normally sent to your phone via SMS, along with your password) to access your data. Currently Google and now Dropbox offer this functionality.

Amar Singh is chair of Isaca London Security Advisory Group

Read more on Cloud security