Cloud Security: Keeping Your Information Safe in the Cloud
, by Karin Tansey
Although we have a long way to go before conquering outer space, we should look perhaps a bit closer to our own atmosphere. And consider the following: How safe are the contents we store in the cloud? Have you thought of cloud security? Let's take a look at this 'cloud' that you speak of.
Cloud services are applications that are Software as a Service (SaaS) based and hosted on Other People's Property (OPP). This means that a user is not required to download and install a software package to use the service. All you need is the Internet browser of your choice and you're good to go. Millions of consumers interact and store massive amounts of personal data every day in the cloud.
For example, those of us who watch Netflix or use Instagram to send pictures - all that content is stored in the cloud. DropBox, a file storage and archiving service, maintains your pictures, media and documents on that company's storage infrastructure so they are easily accessible from anywhere. But this isn't the only information being kept in the cloud. Along with your movie queue, favorite playlists and info about all your friend's happenings, Personally Identifiable Information (PII) used to access this content resides on these same cloud-based platforms. First and last name, email address, phone number, date of birth, address, gender, card expiration date - all of the normal stuff you have to enter into a form field in order to get access to the features and functions of the website or online service that we want.
So, What's the connection between cloud security, data breaches, and identity theft?
Although not all cloud services are risky, major data breaches are happening every year. The non-profit, Identity Theft Resource Center, tracks all US breaches and issues a report of its findings at the end of the year. 2013 was a banner year with 619 data breaches (about 1.7 breaches per day) that put 57.8[i] million records in harm's way. Looking through the full report is like looking through a list of Who's Who in Data Breaches for your state. It is simply amazing to see the breadth and depth of data loss. This isn't to say all services have cloud security problems, but it's important to only put your personal information on credible cloud services.
While everything continues to move toward the cloud, we are increasingly left with little choice as to how we must interact with services. The service providers dictate what information we must provide in order to use their services. I've noticed an increasing trend for sites to require the use of Facebook sign-in credentials in order to create an account on their site, thus defeating the user's ability to create the account using fake contact information or unique login credentials.
HINT: It may be wise to be more thoughtful of whom you accept as friends these days. As the convenience of using the same set of credentials across multiple sites seems obvious, so do the cloud security implications. Instead of guessing that you're using the same credentials across multiple sites, this pretty much guarantees it. So, all I have to do is hijack your Facebook account in order to get access to your social profile AND access to your other online accounts, right? Right.
Ultimately, it is up to consumers to be thoughtful and aware of the amount and type of information they share (this gal, two thumbs pointing at self, will often use fake information to populate an account, while saving the "real stuff" for those companies with whom I trust and truly want to do business with), understand the methodology that companies they transact with use to secure their information once it is provided, and determine if the risk of doing business and sharing all your PII with them is really worth the reward. Some services have a lot more cloud security measures in place than others. If you do your research, you can find a service to trust.
Got any security tips for using the cloud? Let us know! Discuss similar topics on our FICO Forums.
[i] ITRC, 2013 Breach Category Summary, 1/1/2014