How does Cloud security work?
We looked last time at the security troubles we face when we host services for our home network. It’s a simple trap we all fall into if we are not careful: we assume that all devices in our home network are safe, uncompromised, and always work as expected. We default to this mental model because we want to believe that we have a safe haven in our home network. We don’t want to accept that the devices we own and spend months configuring, going through every small setting and detail, could possibly cause a complete breach of security and privacy.
Unfortunately, this is rarely so. New vulnerabilities are found daily, we get bombarded by phishing emails, each doing a better job than the last, and worst of all we have a black box in our pocket, the phone, which uses an operating system we cannot really dissect and configure as we would like. While we can protect our home network from the flaky security of “smart” vacuums, washing machines and refrigerators by isolating them in a guest WiFi network, phones cannot follow this rule.
Of course it’s not just the phones. No matter how good our setup is, we live in a day when, sadly, we should treat each device as potentially already compromised. Gone are the days when a network was hacked by getting straight into the main server. Today the security breach is much simpler: target any network device. Any device at all: phone, vacuum, laptop, tablet or anything else. If you get there, documents, photos, calendars and contacts thought to be safe, protected by the fully closed home network, are free to grab. What is the solution to this? How can we consider each home device already compromised and where does this get us? Let’s find out!
The compromised-by-default thinking
What would you do if you could not rely on the security of any device in your home? Or, let’s put it the other way around: what would you do if you had to bring a compromised device into your home network? But we know how to handle this situation already. We already consider our “smart” devices as potentially compromised and we isolate them into a guest WiFi. The guest WiFi not only isolates the compromised devices from the main network where we have our files and personal data, it also isolates devices in the guest WiFi from each other. There is no possible communication between them.
If we think about it, this is how the cloud infrastructure works. What we essentially did was cut off all access to all those ports we have open on our home server, used to provide services to the home network: calendars, emails and files. This huge attack surface has been closed. Cloud services operate in the same way: there is only one port open, the HTTP or HTTPS port. We want email? We access outlook.com in our web browser, on the HTTPS port. We want calendars? Same. The cloud services provide APIs that don’t use the traditional service ports anymore; they all use HTTPS.
Even better, if you use a third party email server like outlook.com, the whole security responsibility is on the cloud provider, not on the client. The client doesn’t even have the HTTPS port open: it cannot receive requests, it can only make requests. So it cannot be contacted randomly from the Internet and caused to behave erratically. The control is clear and simple: the client is fully closed to any incoming connection and it only makes requests to cloud services over HTTPS. The HTTPS part is important because it ensures that during the communication process, there can be no snooping around: the server and the client are the only legal participants in every transaction. But even this is not enough.
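An added example, not part of the original article: one way to check the "fully closed client" claim on a Linux device is to list its listening TCP sockets with `ss -tlnH` and flag every one that is bound to something other than loopback. The sample output below is constructed for illustration, and the function names are this example's own.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (listening TCP sockets, numeric, no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 192.168.1.20:445 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 511 [::]:8080 [::]:*
LISTEN 0 128 *:5000 *:*
"""

def split_local(field):
    """Split the 'Local Address:Port' column into (address, port)."""
    addr, _, port = field.rpartition(":")
    # Drop a trailing %interface suffix first, then the IPv6 brackets.
    addr = addr.split("%")[0].strip("[]")
    return addr, int(port)

def is_reachable_from_network(addr):
    """True if a socket bound to addr accepts connections from other devices."""
    if addr == "*":
        return True  # wildcard bind: listens on every interface
    # 0.0.0.0 and :: are also "all interfaces"; only loopback binds stay local.
    return not ipaddress.ip_address(addr).is_loopback

def exposed_listeners(ss_output):
    """Return sorted (address, port) pairs that other network devices can reach."""
    found = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip blank or unexpected lines
        addr, port = split_local(cols[3])
        if is_reachable_from_network(addr):
            found.add((addr, port))
    return sorted(found)

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"inbound connections possible on {addr}:{port}")
```

A device that matches the model described above returns an empty list: it has nothing listening beyond loopback and only makes outbound HTTPS requests.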
The separate-service-account strategy
When using cloud services there is another important security step that we take and usually overlook: each service we use has its own account. I have four email services, each connecting to a different cloud service provider. I have two calendar services, each connecting to different cloud service providers. I have a cloud file storage, separate from the calendar provider and separate from the email provider. You see where this is going?
The more cloud accounts I use, the more cloud service providers I use, the better because I have a separate account with each. Separate account means separate personas, separate passwords, separate meaning and usage for each. This allows me not only to stay secure by distributing my files to many cloud services, it also ensures that in case of a breach I won’t lose everything. I may lose access to my personal calendar, but I won’t lose my family calendar. I may lose my music files, but I won’t lose my photos.
Having separate personas and passwords is called segmentation in fancy cyber-security jargon and is essential to handle the compromised-by-default scenario. Yes, my phone may be compromised but even though it has access to my contacts, I have them in three places and the phone only uses one. Segmentation also stops malicious behavior from getting too far once it has access to private data.
The home network without the network
By spreading information across several cloud accounts, a few things become clear: security is no longer an all-or-nothing subject as my data is spread between many services, I no longer need open ports on my devices as I am no longer getting incoming connections at all, and I am able to segment my private data into many accounts and sort them in a way that makes sense for my daily usage.
This looks very close to that home guest WiFi, doesn’t it? Each device is safely separated from everything else, and it communicates on its own only with the needed services. In this case, the services are in the cloud, protected by separate accounts with different passwords, HTTPS and two-factor authentication.
But even though we solved the security issue, we stumble upon a favorite secondary issue: privacy. Yes, you spread all your information across two or three cloud providers, maybe more and you feel safe. But do you feel private?
I am not claiming to have a final complete solution to balancing this equation. On one hand you have security, and you need security when you think about how damaged the current digital world is and how poorly this subject is handled, and on the other hand you have privacy. There are cloud solutions to privacy, like the OneDrive vault where you encrypt your personal data and nobody has the key, or the iCloud Advanced Data Protection which encrypts everything you store and throws away the key so that only you can possibly have access to it.
There are personal solutions to security too, such as the isolating guest WiFi and password protected home services. I won’t even add convenience to this balance because then you have to juggle three plates. But instead of screaming in agony and throwing away our digital devices, what we should do is keep informed, keep things separated by using multiple accounts and multiple services, keep extra private data locked on an external drive in a drawer, and think positive. It’s not paranoia that will keep you safe, but your own education on security and privacy.
Education on privacy and security is exactly why I want to write this blog. I linked a few of my previous articles throughout this one to point you to some extra resources you can use to keep this security, privacy and convenience balance in check.
Keep in mind that there is no silver bullet: turning fully to self-hosting everything, or moving everything you have to a single cloud service provider, is not the proper solution. Just shouting Linux in the air is again a foolish direction. Balance is the solution, and we will have time to talk about it further in future articles. Thank you for reading and see you next time!