
10/14/2019
12:00 PM

When Using Cloud, Paranoia Can Pay Off

Journalists are increasingly concerned about what cloud providers may access or share with governments - and companies should worry as well.

Cloud business services — from document collaboration to spreadsheets to e-mail — are now ubiquitous, with more than eight out of 10 companies using cloud productivity platforms such as Microsoft Office 365 and Google G Suite.

Yet, as reported incidents of privacy violations have increased, the concerns of businesses and individual users have grown. Many journalists, for example, worry that data kept in the cloud could be accessed by a hostile government or by the service provider. Workers worried about their employers, government agencies, or the service providers themselves should think hard about the information they store in cloud services, Martin Shelton, a principal researcher with the Freedom of the Press Foundation, stated in an Oct. 9 column.

"If you can see it, the administrator can likely see it," he wrote. "If the administrator can see it, Google can likely see it. And if Google can see it, it's likely subject to requests from government agencies." 

The concerns are not new, but a reminder of the world which technology has wrought. Ever since intelligence contractor Edward Snowden leaked classified information about the degree to which the US government surveilled and collected information on US citizens, digital-rights groups and many technology companies have warned about potential access that third parties have to cloud data. 

The concerns have only piled up as journalists have become increasingly targeted worldwide, but data and privacy concerns have become a worry for businesses as well. With 81% of companies using cloud productivity applications, both businesses and workers should understand the risks of using a cloud service, experts say.

While Google has locked down G Suite with encryption, two-factor authentication, and its emphasis on a culture focused on security, concerns still remain about situations where government can compel data disclosure, as well as whether automated scans or collected metadata can leak significant private details. 

"The short version is that, theoretically, Google can see anything that you can see in G Suite," says Jeremy Gillula, technology projects director with the Electronic Frontier Foundation. "Whether or not they actually do, is a totally different story."

Users of any cloud productivity software generally have three threats to worry about: hackers, providers, and governments.

Because both Microsoft and Google encrypt data at rest in their cloud, the information is protected against direct online attack. Steal the data, and it is still unreadable. However, online attackers have increasingly focused on stealing credentials and accessing the cloud by impersonating the authorized user. To foil such attacks, companies and individuals need to add multi-factor authentication, experts say.

Finally, providers also have access to the data. Some companies, such as Uber, have allowed broad access to the data in the past. Google and Microsoft both have similar privacy statements, stressing that the customer owns the data.

"G Suite customers own their data, not Google," the provider states in its Google Cloud Security and Compliance Whitepaper. "The data that G Suite organizations and users put into our systems is theirs, and we do not scan it for advertisements nor sell it to third parties."

Meanwhile, government requests have become increasingly common, with 43,683 requests from various governments in 2018, up a third from the 32,877 requests made of Google in 2017, according to the company's semi-annual transparency report. For the past two years, the company has produced data in more than 81 percent of requests. Microsoft fielded a similar number of requests — 44,655 — in 2018, but only two-thirds of requests produced some data, according to its transparency report.

Countries can apply significant pressure on companies to censor speech, or turn over data. 

Researcher Shelton recommends that users occasionally conduct a privacy audit to see what data they are storing on cloud services and whether any of the data is sensitive enough to need offline storage.

Companies that want to increase the security of their data can use a third-party encryption service, such as Virtru, which allows the keys to be stored in a third-party server. While Google will still have access to all the telemetry and some metadata, such technology can protect the content on the server from any unauthorized access, says Will Ackerly, chief technology officer and co-founder of the company.

"You don't have to trust Google with the content or the content of attachments," he says. "We can help companies store content beyond what Google is certified to store."

Overall, cloud services can typically provide better security than most individuals or companies can manage, and cloud providers have become more transparent about government requests and how they handle data internally. Still, cloud-service users need to evaluate their own threats and determine whether some data is too sensitive to store in the cloud, researcher Shelton says.

"[A]s a user of these systems, it's nonetheless important to understand that the documents we access, and the things we write in each document are potentially visible to the organization’s administrator, and whoever they answer to," he wrote.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
