In 2014, now a decade ago in cyber-time, I interviewed TecSec CEO and security specialist, Jay Wack. I asked about the security of the cloud, which at the time was starting to transform the storage of electronic information. “There’s really no such thing as the cloud,” Mr. Wack told me, “there are only other people’s computers.” I was not entirely surprised by his answer. He had a snappy way of coming to conclusions. In this case I said, “Oh, something like time-sharing in the old days.” This may have been true at first; but it is now worth some investigation if the present threat environment today demands a secure cloud. Even then, Jay Wack warned: “You cannot secure the network, only the data.”
The Need for Encryption
Concerns definitely were awakening in 2014. An article from Techcrunch by Ted Schlein entitled, “The Five Tough Truths of Cybersecurity,” is a vision of what we are seeing today. The imperative is to protect your data. Second-guessing the hackers is not a useful trade for most people with ordinary lives. You need to encrypt data all the way to the browser, and the browser itself has to be 100% authenticated. Companies needed to work on solving this end-to-end encryption problem, forcing hackers to face a new challenge: they can steal the data, but they would not be able to read it. Writing about the security of the cloud in PC World in 2014, Sarah Jacobsson Purewal compared, in “Loaded and Locked,” the potentially safe and secure cloud storage providers with those that were not.
There are several types of threats in the world of cybersecurity and several levels at which security can be integrated and implemented. But there are threats outside the actual technology itself. Not least of all is the potential failure of the company managing access to the cloud. Almost overnight, for example, the long-respected product called Crashplan, provided by Code42, changed its provider policy and now serves only small businesses and enterprises.
This leaves individuals (and many sole proprietors) wondering about their data and in need of new services or higher costs. Security adds substantially to the cost of doing business and it is important to monitor administrative requirements and the services as they merge, migrate or advance. Every safety and security feature is strictly time-bound. We know in the future, both near and distant, that the entire security environment will change.
A focus on data security from Sarah Purewal is revisited again in PC World in August 2016. She adds to the review a note for each product and its best attribute. Others do this as well. A 2016 ZNet review by Steven J. Vaughan-Nichols shows that some people are less interested in the security of cloud storage than in other aspects of a product’s functionality, such as price and ease of use. Popular consumer repositories such as Google Drive, OneDrive and iCloud are discussed, but there is little to no attention to security as an essential feature. This suggests a lingering belief in the cloud as a special place that is inherently secure.
Steve Bostedor at C/D/H in Grand Rapids, MI, was a vocal naysayer of the cloud movement only a few years ago. He seemed to share my view that the cloud was nothing more than hosted services that have been around since the 1980s. It just had with a jazzy new name. Now he believes cloud computing has also grown to be immensely more reliable, flexible and secure, as have the massive infrastructures behind it.
Among other things, C/D/H helps companies navigate the choices among cloud services, although they also work closely with Microsoft Azure, a growing panoply of services combining everything Microsoft. It might be worth looking at the marketplace of services, both from Microsoft and other companies. C/D/H likes the fact that their customers are given deeper insight into where data is going and powerful tools to keep it from going anywhere undesirable.
Bostedor recommends that businesses sit down with key stakeholders and, as a team, determine what reasonably should be implemented within the context of the business. Given the complement of services represented by Azure, it would be difficult to implement any other way.
I think it worth looking into the information available about cloud security methods with several of the leading cloud storage or backup service providers and the many options that exist for deploying and employing cybersecurity tools in the cloud. Concerns for Internet security have evolved just in the short term. Given the evolution in security concerns, differences in business requirements, and options in storage and backup, it is clear we can no longer assume, as we once did, that all things cloud are secure. We have to take the right steps, however. Thus, choosing the right cloud provider affects security in every dimension.
In February 2017, Cloudwards offered reviews of cloud storage and backup services for small business, some without Enterprise versions. The link provides a comparison of the top 10 results of their research, categorized by Unlimited Space, Fastest, Easiest and Best with Syncing. But there is no category such as Security. This comes into play now for the Enterprise, and even advances into multiple security methods as evidenced by Microsoft Azure as viewed as a marketplace portal. While consumers enjoy ease-of-use, law firms need more security. While most providers say they offer security, it is often hard to say how. Firms large and small need to seek, at the very least, a provider that offers end-to-end encryption.
Victoria Kazz did a nice job of describing the importance of encryption at Cloudwards in November 2014. She reported then that both free software and paid encryption programs were available, but differentiated the type of information that should be digitally stored or how frequently it would be added to the cloud. Then, as now, encryption enables individuals and companies to secure their information without just using passwords. And any type of data can be encrypted — emails, text messages, credit cards numbers, and tax information can all be stored in the cloud safely if it goes through the encryption process.
Today there is urgency in securing all data, and the means of doing so have become, in their ways, both more complex and easier to use. In August 2017, when Peter Hale reported from Acronis that Code42 Software discontinued its individual CrashPlan service, he wrote that Acronis True Image 2018 was the only personal backup software that used artificial intelligence-based technology to actively to protect data from ransomware — a unique defense at a time ransomware attacks are on the rise. Does this improve upon end-to-end encryption? How does it differ? What about other risks? Acronis needs to say more about their AI-based technology, about the security of data, and where the data reside.
At the Enterprise level, Ntrepid leverages its national security history reputation with a number of programs. They offer the ability to isolate browsing activity from the local computer and network, allowing users to access any website and follow any link without risk to the company’s infrastructure or data. The company offers businesses a greater array of security services than businesses may be aware of, including an anonymous, geo-appropriate IP address, where corporate affiliation and geographic location can be managed.
By 2017, the Internet of Things (IoT) and the online presence of the global population warrant greater attention. Alison DeNisco reported in TechRepublic that Forrester Research found that adoption of consumer and enterprise IoT devices and applications continues to grow, along with concerns that these tools can increase an enterprise’s attack surface. Encryption of data at rest and in transit has become easier to implement in recent years, and is key for protecting sensitive data generated by IoT devices. At the same time, many security professionals struggle to overcome encryption challenges such as classification and key management.
There is a good deal in this story about the Forrester Report. One item is that enterprises should consider homomorphic encryption, a system that allows the user to keep data encrypted as it is queried, processed, and analyzed. Forrester offers the example of a retailer who could use this method to encrypt a customer’s credit card number, and keep it to use for future transactions without fear, because it would never need to be decrypted.
The ubiquitous nature of security concerns is evident in the Sept 1, 2017 issue of Fortune Magazine. There, Ryan Derousseau followed the trail of global companies scrambling to boost their cyber-defense budgets, reporting where money is being spent in this arena. He profiles a few of the companies visibly competing to provide defenses that companies demand. It is very telling, and again, a portrait of things to come. But it will not be the last.
***** Nina Cunningham, Ph.D., is an affiliate of Altman Weil, Inc., and president and CEO of Quidlibet Research Inc., a global strategic planning and cost management firm founded in 1983.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.