Jan 16, 2018

Cloud storage first developed from the late 1960s notion of an “intergalactic computer network” that was a twinkle in the eye of one of the founders of the Advanced Research Projects Agency Network (ARPANET). It really got off the ground in the late 1990s and early 2000s, when companies including Salesforce and Amazon began providing options for cloud-based storage, enterprise application delivery, and computation. Put simply, cloud storage is a model of data storage where digital data is stored on remote servers which a user can access from the Internet or other network service. There are both public and private options: private cloud storage is typically isolated to one company, and allows a customized level of security; public cloud storage means shared storage in the data center of the provider of your choice (e.g., Google, Apple, Amazon, etc.), and you are not responsible for general maintenance. Cloud storage is one option amongst many, though it has become increasingly popular over the past few years. Other options include offline detachable storage (external hard drives) and onsite servers.

Cloudy days are on the rise, however, as cloud storage offers a wide variety of benefits over more conventional methods of data storage, such as increased bandwidth (allowing for faster upload and download speeds), the potential for large cost savings, and better manageability. Still, there are points of vulnerability, including data breaches, account hijacking and insecure software applications. It is important to understand the risks and rewards, as more and more cloud storage options surface at cheaper and cheaper rates.

While there are obviously many upsides to cloud storage, especially as the supportive technology becomes increasingly sophisticated, risks remain. Neither public nor private cloud systems are infallible, and there are points of vulnerability for each. Depending on the business model, both public and private cloud systems offer more accessible and flexible ways of controlling and operating large digital data sets – for many companies, cloud computing is simply not optional anymore.

Public clouds are popular because they are readily available, quick to set up, relatively cost effective (sometimes even giving away certain amounts of storage for free as an incentive), and accessible from almost anywhere that there is an Internet connection. However, the various documentation related to public cloud usage is extremely important in understanding your data’s security posture – including but not limited to the customer agreement, terms of service, acceptable use policy, and privacy policy. In general, these agreements tend to reject any liability, lacking specific protections and commitments that many businesses may require. The various provisions, including but not limited to use, suspension, terms, termination, indemnification and disclaimers, are therefore all areas of potential negotiation. Just because public cloud storage usage is increasingly widespread does not mean that the terms of use are generally beneficial to consumers. A thorough review of all relevant documentation by both a legal team and a security technology team should be completed before the parties offer up signatures.

Regardless of how much negotiation takes place, public clouds can still be hacked. Recently, Amazon Web Services (AWS) cloud computing resources were reported to have been exploited by hackers attempting to mine for bitcoins. This is a rare occurrence, but not an isolated incident. There are security measures and procedures that should be understood and instituted in a proactive manner. Besides reviewing firewall, VPN, encryption, and security operations center (SOC) options, each company that utilizes a public cloud should strategize incident response, business continuity, and backup plans.

Private clouds may be customized to a variety of specifications. Since this type of cloud system is typically more expensive, the terms of use and other relevant binding documentation are more readily negotiable (for increased cost, of course). The control that a business can exercise over a private cloud system comes in a variety of forms, including configuration, access, connectivity, privacy and – very importantly – security. Security measures that should be considered overlap with those necessary for public cloud usage, but may actually require more attention because of how responsibility is allocated.

Part of the appeal of cloud-based storage is the accessibility of backups. While every cloud system is different, and can be customized, backups are one of the most important uses of such systems. Both for personal and professional use, including as an evidentiary source in litigation, cloud systems provide an alternative or additional backup source. iCloud is a very popular cloud-based storage system that is provided by Apple, with over 782 million users worldwide. Using it as a case study, we can better understand the capabilities of such systems. Here is a screenshot of a typical iCloud configuration page:

[Screenshot: iCloud configuration page]

An iCloud backup can include:

  • App data
  • Apple Watch backups
  • Call history
  • Device settings
  • HomeKit configuration
  • Home screen and app organization
  • iMessage, text (SMS), and MMS messages
  • Photos and videos on your iPhone, iPad, and iPod touch
  • Purchase history from Apple services, like your music, movies, TV shows, apps, and books
  • Ringtones
  • Visual Voicemail password (requires the SIM card that was in use during backup)
  • Emails

By default, all application data will be backed up to iCloud. Users can manage which applications are backed up by going to Settings > iCloud > Manage Storage > Backups. Related to security, iCloud accounts can be protected by dual factor authentication and end-to-end encryption. End-to-end encryption protects your data with a key derived from information unique to your device, combined with your device passcode. A variety of features (and their corresponding data) are stored in iCloud using end-to-end encryption, including iCloud Keychain (which holds all of your saved accounts and passwords), saved payment information, Wi-Fi network information, and Siri information:

[Screenshot: iCloud]

 

Cloud storage systems are certainly on an upward trend, and will only increase in effectiveness and efficiency. Still, it is important to continually review the terms of use, understand the risks, and be cognizant of the dataflow – that is, how data moves, where and when it moves to and from, and who accesses the data. This is especially important if data kept on a cloud storage system contains protected health information (PHI), personally identifiable information (PII), payment card information (PCI) and/or other protected information; such data must be encrypted and may need to meet other security and compliance thresholds as well. If your cloud vendor agreement waives key responsibilities, then make sure that your insurance coverage provides an alternate layer of protection, consider a different vendor or product, and potentially consider a more expensive private cloud that you can better customize and control.