There is a scene in the 2015 movie Creed where Rocky Balboa writes a workout plan for young Adonis Creed. Creed snaps a picture of the paper on his phone and then gives the paper back to Rocky. Rocky, confused, asks, “Don’t you want this?” Creed tells him that it’s on his phone, and then Rocky asks, “What if it breaks or you lose it?” Creed responds, “It’s in the cloud.”
A decade ago, the thought of having your personal or business data on unknown servers out of your control was met with a lot of skepticism. Business owners I dealt with did not like the idea of housing accounting and HR data off site, but as the technology improved and allowed easy access from any device in any location, we stopped thinking twice about it. Now it’s incomprehensible to think of a small business trying to manage a complete network infrastructure in the building.
As humans, we will always gravitate to things that are easier and cheaper. All other details are a distant concern. So, for cloud storage, how safe is your data from prying eyes, including would-be hackers and the companies you entrust your data with?
Almost every major and minor player in cloud storage incorporates data encryption during transmission. Essentially, your data is encrypted as it crosses the internet, hidden from prying eyes, when you run a credit card at the store, when your iPhone automatically backs up your photos to iCloud, or when your computer uploads files to Dropbox during a sync. But what about the data as it sits on the hosting provider’s servers not doing anything? This is referred to as data at rest.
Who can access data at rest depends on who initiates the encryption. A cloud storage provider that implements data at rest encryption can access your data. The personnel who maintain the encryption keys would, in fact, be able to decrypt the data you store in the cloud. This should be limited to authorized personnel within the company. The method used to encrypt your data could be more relaxed, with a single private key used for the entire customer base, or stricter, with a new private key created for each user.
If you, as the end user, initiate the data encryption and control the private key, only you, or someone you authorize, would be able to view your data. The major downside to controlling the private key yourself is that if you lose it, or forget your password, the data is essentially lost. But if you maintain good backup principles, it is the most restrictive method to keep your information from prying eyes.
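To make the difference between the two models concrete, here is an added example (not code from any provider) in which a hypothetical `Provider` class encrypts uploads at rest with its own key, while the user optionally encrypts on their own device first. It assumes the third-party Python `cryptography` package and uses a symmetric key derived from a passphrase; the document, passphrases and object names are constructed.

```python
import base64, hashlib, os
from cryptography.fernet import Fernet, InvalidToken

DOC = b"Q3 payroll export (constructed sample data)"

def key_from_passphrase(passphrase, salt):
    # Stretch the passphrase with scrypt; Fernet expects a base64url 32-byte key.
    raw = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return base64.urlsafe_b64encode(raw)

def client_encrypt(passphrase, plaintext):
    # Runs on the user's device; only salt + ciphertext ever leave it.
    salt = os.urandom(16)
    return salt + Fernet(key_from_passphrase(passphrase, salt)).encrypt(plaintext)

def client_decrypt(passphrase, blob):
    salt, token = blob[:16], blob[16:]
    try:
        return Fernet(key_from_passphrase(passphrase, salt)).decrypt(token)
    except InvalidToken:
        return None  # wrong or forgotten passphrase: the data is unrecoverable

class Provider:
    """Hypothetical storage service that encrypts at rest with its own key."""
    def __init__(self):
        self.key = Fernet.generate_key()  # held by the provider's staff
        self.disk = {}

    def upload(self, name, data):
        self.disk[name] = Fernet(self.key).encrypt(data)

    def staff_read(self, name):
        # What an authorized employee (or a legal request) can recover.
        return Fernet(self.key).decrypt(self.disk[name])

def demo():
    p = Provider()
    p.upload("provider-keyed", DOC)
    p.upload("user-keyed", client_encrypt("correct horse battery", DOC))
    blob = p.staff_read("user-keyed")  # provider's layer removed, user's remains
    return {
        "staff_sees_provider_keyed": p.staff_read("provider-keyed") == DOC,
        "staff_sees_user_keyed": DOC in blob,
        "owner_recovers": client_decrypt("correct horse battery", blob) == DOC,
        "lost_passphrase": client_decrypt("wrong guess", blob),
    }

if __name__ == "__main__":
    print(demo())
```

The provider's staff can read the first object in full but recover only salt and ciphertext from the second, and the owner who forgets the passphrase gets nothing back either.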
By default, the major players (Yahoo, Gmail, Outlook) do not encrypt email messages. Their systems scan your email to check for spam, direct marketing or viruses. If you have private email that must be sent through one of these systems, search for instructions on end-to-end encryption for email. This will ensure only your intended recipient can read the message. In addition, there are third-party extensions that can assist with encrypting your email. The Facebook Messenger app will even allow for secure communication by hitting the secret button.
Encrypting cloud data has become a battlefield of sorts between technology companies and the government. Requests by the government have increased significantly in the past several years. Apple reported receiving 2,999 requests for data in the first 6 months of 2016. They received 5,999 requests in the second half. Facebook reported similar statistics, with 46,710 in the first half of 2016 and 59,229 in the second half. Tech companies do not want to be in the business of policing stored data, and the government wants access for what it deems national security measures. It will be an ongoing fight for the privacy of your data. If you are curious about a tech company’s position and best practices standards before releasing personal data, visit: https://www.eff.org/who-has-your-back-2017
Keeping your data in “the cloud” is significantly more secure and easier to access than trying to maintain that data on a device in your home or office. Tech companies bring a higher level of security than you could on your own, but don’t be surprised if that company can access that data if they want or are required to.