Dark Reading is part of the Informa Tech Division of Informa PLC



10/14/2019
12:00 PM

When Using Cloud, Paranoia Can Pay Off

Journalists are increasingly concerned about what cloud providers may access or share with governments - and companies should worry as well.

Cloud business services — from document collaboration to spreadsheets to e-mail — are now ubiquitous, with more than eight out of 10 companies using cloud productivity platforms such as Microsoft Office 365 and Google G Suite.

Yet, as reported incidents of privacy violations have increased, the concerns of businesses and individual users have grown. Many journalists, for example, worry that data kept in the cloud could be accessed by a hostile government or by the service provider. Workers worried about their employers, government agencies, or the service provider itself should think hard about the information they store in cloud services, Martin Shelton, a principal researcher with the Freedom of the Press Foundation, stated in an Oct. 9 column.

"If you can see it, the administrator can likely see it," he wrote. "If the administrator can see it, Google can likely see it. And if Google can see it, it's likely subject to requests from government agencies." 

The concerns are not new, but they are a reminder of the world that technology has wrought. Ever since intelligence contractor Edward Snowden leaked classified information about the degree to which the US government surveilled and collected information on US citizens, digital-rights groups and many technology companies have warned about the potential access that third parties have to cloud data.

The concerns have only piled up as journalists have become increasingly targeted worldwide, but data and privacy concerns have become a worry for businesses as well. With 81% of companies using cloud productivity applications, both businesses and workers should understand the risks of using a cloud service, experts say.

While Google has locked down G Suite with encryption, two-factor authentication, and its emphasis on a culture focused on security, concerns remain about situations where governments can compel data disclosure, as well as whether automated scans or collected metadata can leak significant private details.

"The short version is that, theoretically, Google can see anything that you can see in G Suite," says Jeremy Gillula, technology projects director with the Electronic Frontier Foundation. "Whether or not they actually do, is a totally different story."

Users of any cloud productivity software generally have three threats to worry about: hackers, providers, and governments.

Because both Microsoft and Google encrypt data at rest in their cloud, the information is protected against direct online attack. Steal the data, and it is still unreadable. However, online attackers have increasingly focused on stealing credentials and accessing the cloud by impersonating the authorized user. To foil such attacks, companies and individuals need to add multi-factor authentication, experts say.

Providers also have access to the data. Some companies, such as Uber, have allowed broad access to the data in the past. Google and Microsoft both have similar privacy statements, stressing that the customer owns the data.

"G Suite customers own their data, not Google," the provider states in its Google Cloud Security and Compliance Whitepaper. "The data that G Suite organizations and users put into our systems is theirs, and we do not scan it for advertisements nor sell it to third parties."

Meanwhile, government requests have become increasingly common, with 43,683 requests from various governments in 2018, up a third from the 32,877 requests made of Google in 2017, according to the company's semi-annual transparency report. For the past two years, the company has produced data in more than 81 percent of requests. Microsoft fielded a similar number of requests — 44,655 — in 2018, but only two-thirds of requests produced some data, according to its transparency report.

Countries can apply significant pressure on companies to censor speech, or turn over data. 

Researcher Shelton recommends that users occasionally conduct a privacy audit to see what data they are storing on cloud services and whether any of the data is sensitive enough to need offline storage.

Companies that want to increase the security of their data can use a third-party encryption service, such as Virtru, which allows the keys to be stored in a third-party server. While Google will still have access to all the telemetry and some metadata, such technology can protect the content on the server from any unauthorized access, says Will Ackerly, chief technology officer and co-founder of the company.

"You don't have to trust Google with the content or the content of attachments," he says. "We can help companies store content beyond what Google is certified to store."

Overall, cloud services can typically provide better security than most individuals or companies can manage, and cloud providers have become more transparent about government requests and how they handle data internally. Still, cloud-service users need to evaluate their own threats and determine whether some data is too sensitive to store in the cloud, researcher Shelton says.

"[A]s a user of these systems, it's nonetheless important to understand that the documents we access, and the things we write in each document are potentially visible to the organization’s administrator, and whoever they answer to," he wrote.
