No, Cloud Computing does not Happen at Altitude

A few years ago, Citrix Systems, Inc.—a virtualization technology company based in San Francisco’s Bay Area—commissioned a study of over one thousand Americans that focused on cloud computing. A majority of respondents described the cloud as a “white, fluffy thing,” and over half of these adults—including a majority of millennials—indicated that stormy weather could interfere with cloud computing.

While it’s easy to chuckle at these findings, most people can be forgiven for not speaking in buzzwords, especially since a majority of folks have absolutely no idea what cloud computing is: over 54% of Citrix’s respondents claimed that they never used the cloud, even though almost all of them (97%) admitted to using Facebook, Twitter, or other online services to bank, shop, play games, store music and photos, or stream movies.

Here’s the deal: if you are accessing anything from the Internet—e-mail, video, pictures, music—you are using the cloud. In fact, if you have an Apple or Android-powered smartphone in your pocket, there’s a pretty good chance that you’re also storing information in the cloud, including photos, videos, personal contacts, and other information. If you don’t believe me, just ask Jennifer Lawrence or Kate Upton.

Rather than being white and fluffy, the “cloud” refers to any shared, centralized computing resource—disk storage, services, databases, or actual code—that is accessed via the Internet (in fact, well before marketers got a hold of the term, programmers used to use a picture of a cloud to represent the Internet in their program documentation; this is how “cloud” got its name).

Facebook, for example, is a cloud-based application: you access it from your web browser or mobile phone, and everything you read, view, or post is stored on Facebook’s servers. Netflix is another cloud-based provider: the movies and television shows that you watch are stored centrally on Netflix’s servers, and are only sent to your devices when you request them. Apple’s iCloud is a whole set of cloud services that many consumers are now familiar with, allowing you to save pictures, videos, contact information, and even back up files to a central network location so that they can be synchronized or shared across all of your devices.

Cloud computing is now ubiquitous, and—for those of us old enough to remember—hearkens back to a day when everything you did on a computer was through a green-screen terminal that was hooked up to somebody’s mainframe. It’s not a completely absurd comparison: most of today’s devices—including that fancy new iPhone you just paid $849 for—function exactly like the dumb terminals of yore, simply collecting or presenting information that is ultimately processed, stored, and served from a central location. Of course, you can do a lot more things with these modern “terminals”—take pictures, play video games, make phone calls—but, really, how useful is your smartphone without a data connection?

The rise of cloud computing represents a significant shift in how we use software and manage data, meaning that understanding where your data lives and how it’s secured is far more important today than it was before. Applications used to be installed directly onto your computer; any data that those applications needed or produced—spreadsheets, documents, presentations, databases—were also saved on your computer’s hard drive. This made collaboration difficult, application integrations next to impossible, and it meant that if you were away from your computer, you were away from your data. But you at least knew where it all was.

Not any more. Almost all modern software is written for the cloud, meaning that the logic, data, and even the hardware that an application runs on are probably located in a data center. Functionality is accessed via a web browser (or, in the case of mobile versions, through native front-end interfaces that exchange data with the web behind the scenes). This centralization makes sharing, collaboration, and even systems integrations relatively easy, and, as a side benefit, makes the software easier for your IT shop to support.

Centralization also means that your data is no longer under your full control, making trust and online security a little more important than they were when all of your valuable data never left the computer that is sitting on your lap.

If you are worried about your cloud provider being infiltrated and your data being pilfered, you probably shouldn’t be. Professional cloud providers will protect their infrastructure by distributing and synchronizing it across hardened, highly secure data centers. Some cloud providers don’t have any hardware at all, opting to use virtual infrastructure like Amazon’s Elastic Compute Cloud or Simple Storage Service, which is hosted and managed in one of Amazon’s regional centers. Finally, most cloud providers have business or systems processes and controls that strictly limit access to your data by company insiders.

A more likely vector for infiltration is via the Internet itself: not a single cloud provider is immune to the risk of hackers using technical vulnerabilities, purloined passwords, or any number of social engineering techniques to try and gain unauthorized access to their systems. The steps these providers take to mitigate these risks are what’s important: most will have robust intrusion detection and auditing systems that automatically monitor for unauthorized access, and it’s rare today to find a provider that doesn’t follow the industry’s best practices for safeguarding data (including compartmentalizing key systems, encrypting sensitive data when in transit, limiting the number of login attempts within a given time period, and storing user credentials in a manner that makes them difficult to guess if they are somehow compromised).
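Two of the safeguards named above, limiting login attempts within a time period and storing credentials so they are hard to guess if stolen, shown as an added Python example that is not taken from any provider mentioned in this article. The class name `LoginGuard`, the five-failures-per-five-minutes policy, and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

MAX_ATTEMPTS = 5        # assumed policy: failed logins allowed per window
WINDOW_SECONDS = 300    # assumed policy: window length in seconds
ITERATIONS = 200_000    # assumed PBKDF2 work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest). A random per-user salt plus a slow hash means
    a stolen credential table cannot be reversed with a quick lookup."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class LoginGuard:
    def __init__(self):
        self.users = {}                      # username -> (salt, digest)
        self.failures = defaultdict(deque)   # username -> failure timestamps

    def register(self, username, password):
        # Only the salt and digest are kept, never the password itself.
        self.users[username] = hash_password(password)

    def login(self, username, password, now):
        """Return 'ok', 'denied' or 'locked' for an attempt at time `now`."""
        recent = self.failures[username]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= MAX_ATTEMPTS:
            return "locked"                  # refuse before checking the password
        salt, stored = self.users.get(username, (bytes(16), b""))
        _, candidate = hash_password(password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        if username in self.users and hmac.compare_digest(candidate, stored):
            recent.clear()
            return "ok"
        recent.append(now)
        return "denied"
```

Once the limit is reached, even the correct password is refused until the oldest failures age out of the window, which is what makes automated guessing impractical.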

Unfortunately, none of these defenses matter if you’re not doing the right things to protect your data…and that’s where most of us fall down. It’s now known that the recent theft of celebrity photos happened not because Apple’s iCloud service was compromised, but because hackers were able to use a combination of techniques to guess weak passwords, re-use passwords that were stolen from other websites, and reset passwords using answers to security questions that were publicly available.

The irony here is that most attack vectors that hackers use to guess passwords are trivially easy to defend against, yet most of us don’t deploy these defenses because doing so would be somewhat inconvenient. If you are interested, though, here are five practical things that you can do to make sure that you’re not the weakest link in your cloud provider’s security chain:

  • First, stop re-using your passwords. We all do it, but using the same password across multiple online properties is the easiest way for you to lose your data. Why? Because once somebody has the password for one of your accounts (and it will happen), they will suddenly have access to your entire digital life. Seriously, you are much better off writing unique passwords down on a piece of paper and keeping them in a drawer than re-using the same one over and over.
  • Use two-factor authentication whenever possible. Almost all of the large cloud providers and most major financial services institutions will send a single-use password to your mobile phone, tablet, or other device when you try and log in from an unknown machine. These passwords expire the moment they are used and are simply the easiest way to protect against bad security habits. Business leaders using cloud solutions to manage client data should be demanding that their vendors support two-factor authentication today. There is simply too much at risk.
  • Remember when I told you to write your passwords down on a piece of paper? Yeah, don’t do that. Instead, make use of a password manager to automatically create, store, and enter strong, unique passwords for you. The best-of-breed here is AgileBits’ 1Password, an application that does all of the above while protecting your credentials in an encrypted keychain that can be accessed from MacOS, Windows, iOS and Android devices.
  • Make sure you understand what your web and mobile applications are actually doing. Here’s a simple test: if the application you are using doesn’t work without an Internet connection, then a good portion of its functionality probably lives in the cloud. Also, pay attention to what permissions your applications are asking for (does that sketchy new game you downloaded really need access to your camera roll?) and keep in mind that some third-party applications, like Dropbox, will automatically copy photos and other data to the cloud if you opt-in to some of their features.
  • Finally, remember that any unencrypted data that you send to the cloud is fundamentally out of your control once it leaves your device. There is simply no way to know for sure where it is stored, how it’s stored, or who can ultimately get access to it. It’s a lesson my mother taught me when I was a young boy: if you want to make sure you keep a secret, don’t share it with anybody.