Data Storage Security In Cloud Essay Example
Would it be prudent to trust a stranger with a social security card if there were terms and conditions both parties agreed on? While that may seem different from using a cloud storage service to hold personal or private information, it might be a good idea to reconsider that thought. Any information that passes beyond a local network has the potential to be misused or stolen altogether. Even with proper encryption and better security advancements over time, there are still uncertainties that come with using the cloud for convenience. Therefore, storing sensitive data on cloud storage services is bad risk management because they are susceptible to insider threats and social engineering attacks, and because ownership of the data after storing it is not guaranteed.
Data stored on cloud storage services is vulnerable to insider threats. According to the article Detecting Insider Threats: Solutions and Trends, insider threats are difficult to mitigate because of insiders' access to and usage of the systems and data they may exploit (Zeadally et al., 2012). Everyday operations are exceedingly difficult to differentiate from malicious ones because of how similar they are in action. Most security infrastructure in place is designed to keep outside threats from getting in, but it is almost impossible to detect insider threats while they occur. The Security Journal also states that only 32% of all data breaches are due to insider threats but their impact is the same as all outside attacks (Zeadally et al., 2012). Because this attack vector only accounts for about one third of all attacks, it is possible that insiders are skeptical that they can get away with this form of attack. However, because of their knowledge and access, it is probable that they know exactly how likely it is that they can succeed. It is also possible, for whatever reason, that they will attempt an attack no matter what their odds of success are. Due to this possible threat, using a cloud storage service for storing sensitive information is a risk not worth taking.
Through the use of social engineering, accounts or information stored on cloud storage services can be accessed without the owner's knowledge or consent. As described in the peer-reviewed research article On the anatomy of social engineering attacks—A literature-based dissection of successful attacks, social engineering is “a technique that consists of using social influences to convince people that the offender (e.g., social engineer) is whom he or she claims or pretends to be” (Bullée et al., 2018, p. 21). This means social engineering uses deception to gain access to otherwise secure systems. The data analysis of this study indicates that it is possible to mitigate this threat, but that doing so would require major changes to how access is monitored and granted. Therefore, this is a problem for anyone working for the cloud storage service as well as for the consumer of this service. Through social engineering, a normal employee could become an insider threat by accidentally complying with a social engineer without even knowing the damage they are causing. The article supports this, stating, “Social engineering constitutes a security risk because it can be used to bypass intrusion detection systems, firewalls, and access control systems” (Bullée et al., 2018, p. 21). Even if data is encrypted, it is possible for a social engineer to manipulate the owner into granting them access without the owner even knowing. Social engineering stretches well beyond cloud storage but is no less relevant and should not be underestimated.
Because of certain Terms of Service agreed to when establishing a relationship with cloud storage services, full ownership of the data stored there may not be guaranteed. In the peer-reviewed article Lost in the Cloud: Cloud Storage, Privacy, and Suggestions for Protecting Users’ Data, Eric Johnson establishes that users have a right, under the Fourth Amendment, to privacy against unreasonable searches and seizures. However, content that is deemed to be against the terms of service that were agreed to is not protected (Johnson, 2017). This leads to the question of how much control the service provider has over the data that is stored on its servers. Unless the entire legal documents agreed to are read and understood, the answer to this question is impossible to know. Reading the terms of service is possible, but doing so does not even guarantee comprehension, since they are typically written to be intricate, and they change often enough that keeping up is too much of a hassle. Therefore, the data stored on these cloud storage services cannot be reasonably considered private, which is troubling for anything of a sensitive or private nature.
The common theme in these issues is the human element of data security and ownership. It is often overlooked even though it is one of the greatest weaknesses of any system. A chain is only as strong as its weakest link, after all. With all the benefits of cheap storage offered by cloud storage services, it can be easy to miss all of the issues associated with them. Insider threats are some of the unlikeliest of attackers but account for the same amount of damage done by all other attacks (Zeadally et al., 2012). Social engineering makes it difficult to trust who is legitimate and who is not. The legal documents are almost incomprehensible and would require unreasonable amounts of time to understand. These threats only make up a portion of the possible ways data stored on these platforms may be insecure. The cloud is a valuable tool so long as the data provided to these services is non-essential or general in nature. It is important to remember that cloud services are centralized databases of servers that can be taken advantage of in many ways, especially those described in the articles referenced. Therefore, the easiest way to protect information is to keep it as close to the chest as possible.
Bullée, J. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. (2018). On the anatomy of social engineering attacks-A literature-based dissection of successful attacks. Journal of Investigative Psychology & Offender Profiling, 15(1), 20–45.
Johnson, E. (2017). Lost in the Cloud: Cloud Storage, Privacy, and Suggestions for Protecting Users’ Data. Stanford Law Review, 69(3), 867–909.
Zeadally, S., Yu, B., Jeong, D., & Liang, L. (2012). Detecting Insider Threats: Solutions and Trends. Information Security Journal: A Global Perspective, 21(4), 183–192.