LinkedIn - Reply On Security Of Cloud-Based Services

November 24, 2014

There was a discussion in a LinkedIn group I'm a member of about the security of cloud-based services, and I wrote a reply to it, only to find the discussion had been deleted/removed/whatever by the time I had finished typing. I'll paste my reply to it below, since I can't post it as a reply to a discussion that is no longer available:

I find it interesting that everyone is concentrating on "cloud storage" in this discussion. Perhaps that's because of the popularity of that sort of "cloud" service?

Anyway, when I saw this, my mind first though about "cloud" anti-virus scanners and "cloud" applications (basically applications that launch/load over the Internet, such as Google's office and calendar applications). As Lynn already stated, "cloud" simply means it's on the Internet, and is just a marketing buzzword, so we're basically just dealing with applications that load from some remote server via the Internet or which send data to a remote server via the Internet to perform some sort of function.

I'll talk about "cloud" anti-virus first. Is this trustworthy? My understanding is that most "cloud" anti-virus scanners will take the MD5 or SHA1 hash of a file and a little information about it (such as the name and path, the file information such as company name and creation date, and the digital signature if the file is signed) and send that to a remote server that then checks it with a database that supposedly has a newer threat database than what you could have on your computer for your anti-virus scanner. There are a few issues with this. Firstly, the remote server that is doing the analysis doesn't have access to the contents of the file, which means that there are certain infections that cannot be detected (PE file infectors such as Virut for example). Secondly, it can slow down the deployment of new heuristic detection methods being added to the software, as in order to add new heuristic detection techniques that require extra information to be sent from the scanner on the user's computer to the remote server the anti-virus software company has to update both the scanner that end users run and the backend on the server that does the analysis. And lastly, it adds the potential for more things to go wrong that could prevent the scanner from doing its job, especially since a lot of infections do disrupt Internet connections and hijack DNS settings.

As for "cloud" applications that load from the Internet, there is of course the concerns with where the data is stored and whether or not that is secure (as others have discussed), but there are other issues that you could be concerned about. Since the applications load over the Internet, there is always the possibility of a service outage cutting you off from essential applications that you use on a daily basis. There is also the concern that certain companies may be tracking how you use their cloud software in order to sell that information (such as for "targeted advertising"). And, of course, there is always the possibility (even though it may be remote) that the company providing the service may experience some major security breach, and the application could become compromised in some way (such as malicious code being added to it).

Obviously some of this can't be considered major issues, but it's still some interesting "food for thought". Whether you choose to use cloud services is, of course, entirely up to you. I prefer to be skeptical about them, especially since they relying so heavily on buzzwords and confusing marketing nonsense in order to sell them to people who don't understand what they actually are.