When Using Cloud, Paranoia Can Pay Off
Journalists are increasingly concerned about what cloud providers may access or share with governments - and companies should worry as well.
October 14, 2019
Cloud business services — from document collaboration to spreadsheets to e-mail — are now ubiquitous, with more than eight out of 10 companies using cloud productivity platforms such as Microsoft Office 365 and Google G Suite.
Yet, as reported incidents of privacy violations have increased, the concerns of businesses and individual users have grown. Many journalists, for example, worry that data kept in the cloud could be accessed by a hostile government or by the service provider. Workers worried about their employers, government agencies, or the service provider itself should think hard about the information they store in cloud services, Martin Shelton, a principal researcher with the Freedom of the Press Foundation, stated in an Oct. 9 column.
"If you can see it, the administrator can likely see it," he wrote. "If the administrator can see it, Google can likely see it. And if Google can see it, it's likely subject to requests from government agencies."
The concerns are not new, but a reminder of the world which technology has wrought. Ever since intelligence contractor Edward Snowden leaked classified information about the degree to which the US government surveilled and collected information on US citizens, digital-rights groups and many technology companies have warned about potential access that third parties have to cloud data.
The concerns have only piled up as journalists have become increasingly targeted worldwide, but data and privacy concerns have become a worry for businesses as well. With 81% of companies using cloud productivity applications, both businesses and workers should understand the risks of using a cloud service, experts say.
While Google has locked down G Suite with encryption, two-factor authentication, and its emphasis on a culture focused on security, concerns still remain about situations where government can compel data disclosure, as well as whether automated scans or collected metadata can leak significant private details.
"The short version is that, theoretically, Google can see anything that you can see in G Suite," says Jeremy Gillula, technology projects director with the Electronic Frontier Foundation. "Whether or not they actually do, is a totally different story."
Users of any cloud productivity software generally have three threats to worry about: hackers, providers, and governments.
Because both Microsoft and Google encrypt data at rest in their cloud, the information is protected against direct online attack. Steal the data, and it is still unreadable. However, online attackers have increasingly focused on stealing credentials and accessing the cloud by impersonating the authorized user. To foil such attacks, companies and individuals need to add multi-factor authentication, experts say.
Finally, providers also have access to the data. Some companies, such as Uber, have allowed broad access to the data in the past. Google and Microsoft both have similar privacy statements, stressing that customers own the data.
"G Suite customers own their data, not Google," the provider states in its Google Cloud Security and Compliance Whitepaper. "The data that G Suite organizations and users put into our systems is theirs, and we do not scan it for advertisements nor sell it to third parties."
Meanwhile, government requests have become increasingly common, with 43,683 requests from various governments in 2018, up a third from the 32,877 requests made of Google in 2017, according to the company's semi-annual transparency report. For the past two years, the company has produced data in more than 81 percent of requests. Microsoft fielded a similar number of requests — 44,655 — in 2018, but only two-thirds of requests produced some data, according to its transparency report.
Countries can apply significant pressure on companies to censor speech, or turn over data.
Researcher Shelton recommends that users occasionally conduct a privacy audit to see what data they are storing on cloud services and whether any of the data is sensitive enough to need offline storage.
Companies that want to increase the security of their data can use a third-party encryption service, such as Virtru, which allows the keys to be stored in a third-party server. While Google will still have access to all the telemetry and some metadata, such technology can protect the content on the server from any unauthorized access, says Will Ackerly, chief technology officer and co-founder of the company.
"You don't have to trust Google with the content or the content of attachments," he says. "We can help companies store content beyond what Google is certified to store."
Overall, cloud services can typically provide better security than most individuals or companies can manage, and cloud providers have become more transparent about government requests and how they handle data internally. Still, cloud-service users need to evaluate their own threats and determine whether some data is too sensitive to store in the cloud, researcher Shelton says.
"[A]s a user of these systems, it's nonetheless important to understand that the documents we access, and the things we write in each document are potentially visible to the organization’s administrator, and whoever they answer to," he wrote.