Get the Most out of Cloud Storage and Services while Minimizing the Risk
Description
The Bottom Line
Cloud services, such as Microsoft OneDrive, iCloud, and Google Drive, enable real-time collaboration and allow you to back up your data. To reduce cybersecurity risks associated with cloud storage:
- Ensure that your cloud provider encrypts your data and is headquartered in a country with privacy and security laws to help protect your data.
- Protect your account with a strong password and multifactor authentication (MFA). Be wary of phishing attempts.
The Problem
At one point or another, you’ve probably had the unpleasant experience of losing important data. Perhaps you were 17 pages into a final paper when your laptop decided to completely conk out on you, or you lost an important inventory spreadsheet because your computer had a malware infection.
Cloud storage solutions help you to avoid these unfortunate situations by allowing you to back up your device, files, and other data frequently and easily to prevent data loss. In addition, cloud services allow you to easily collaborate with others on shared documents.
While cloud services offer convenience and can provide peace of mind that your data is backed up, they also carry the following risks:
- Expanded attack surface: If multiple people are collaborating on a shared drive or document, only one person’s account has to be compromised for a threat actor to access the data.
- Less control over your data: Cloud services store your data on servers they own. This means you do not have physical control over the hardware on which your data is stored. A reputable cloud service provider will implement rigorous physical security controls to protect these servers from unauthorized access, but if the company is headquartered in a foreign country or conducts substantial business there, that foreign country’s government may be able to compel the company to provide your data. Additionally, things like scheduled server maintenance may prevent you from having 24/7 access to your data.
- Potential for data to be intercepted: If your cloud service does not provide end-to-end encryption for data shared between your device and the cloud service, a threat actor could intercept it. Similarly, if the cloud provider does not encrypt your data while it is stored on their servers, threat actors that gain access to the cloud provider’s network could access your data. (Note: Reputable cloud providers encrypt your data while it is in motion and at rest.)
- Potential for data to be lost: If you only store your data in the cloud and don’t save a local copy, cyber incidents such as a denial-of-service attack could lead to temporary or even permanent loss of your data.
The Solution
To reap the benefits of using cloud services while minimizing the risks, ensure that your cloud service:
- Uses end-to-end encryption to protect your data as it moves between your device and the cloud service.
- Uses strong encryption to protect your data when it is stored on cloud servers.
- Allows you to use a strong password and MFA to make it more difficult for threat actors to access your cloud account.
- Is headquartered in a country with privacy and security laws that help protect your data.
While using a cloud service, you should also:
- Keep updated copies of critical data on devices you physically control, such as your computer or an external hard drive, to reduce the risk of permanent data loss.
- Protect your account with a strong password and use MFA.
- Be vigilant against phishing attempts to trick you into clicking on a link and entering your cloud account credentials.
- Keep your device and software updated to reduce the chances that a threat actor can access your cloud account through malware installed on your device.
- Manage account permissions using the principle of least privilege so that only those who need access to documents in the drive have it.
- Ensure that anyone with access to the cloud service protects their account with a strong password and MFA and is trained to recognize phishing attempts.
Note: You can typically find this information on the cloud service provider’s website.
Takeaways
Do
- Use a cloud provider that offers end-to-end encryption for data moving between your device and the cloud, and encryption for data stored on cloud infrastructure.
- Use a cloud provider in a country whose legal regime confers protections for privacy and security of personal data.
- Use a strong password and MFA to protect your cloud account.
- Store a local copy of your data.
- Routinely update your device and software.
Do Not
- Enter your cloud account credentials into a webpage if you’re not sure it’s legitimate.
- Give everyone in your organization unfettered access to the shared cloud drive.
Project Upskill is a product of the Joint Cyber Defense Collaborative.
Prerequisites
- Module 1: Basic Cybersecurity for Personal Computers and Mobile Devices
- Module 2: Protecting Your Accounts from Compromise
- Module 3: Protecting Data Stored on Your Devices
- Module 4: Protecting Your Data in Transit
- Topic 4.0: How to Communicate Securely on Your Mobile Device
- Topic 4.1: Tips to Stay Safe while Surfing the Web, Part 1: Web Browser Settings
- Topic 4.2: Tips to Stay Safe while Surfing the Web, Part 2: Accessing Websites Securely