Consumer cloud storage needs to be enterprise class too: Ask Jennifer Lawrence

Consumer cloud storage needs to be enterprise class too: Ask Jennifer Lawrence

Summary: We treat consumer cloud services as if they are expected to be less robust and less secure than the clouds we use for mission-critical data. But that should not be the case.

SHARE:
j-law-jet
Image: Jennifer Lawrence/Facebook

Wow, what a holiday weekend. Labor Days are supposed to be relatively quiet, with hot dogs and sizzling burgers adding the requisite entertainment. At least, for most men celebrating our final summer hiatus, standing watch over our Webers lined with charcoal-grilled meat along with a few six packs of beer is about as exciting as it is supposed to get. 

Nobody was expecting a massive photo dump of extremely private moments from Hollywood's most famous actresses, as a result of what appears to be a targeted iCloud hack using "brute force" methods. Over a hundred nude photos, some extremely explicit, were posted in total on the infamous discussion board 4chan during the weekend.

Many of these were from "Girl on Fire" Jennifer Lawrence, among others including Kirsten Dunst, Kate Upton and Mary Elizabeth Winstead.

The hack that befell J-Law and the other actresses is regrettable. We all need to be extremely careful what we capture on our smart devices, and that we need better methods for controlling what should and should not be uploaded to cloud storage accounts and how they should be secured.

But I also want to add that we definitely should not be "blaming the victim" with this event. Rather, we all have the right to explore our sexuality, using whatever technology we have at our disposal providing that we use it between consenting adults and it is legal.

We could treat cloud storage accounts for consumers the same way we do for enterprises, such as those used by cloud-integrated storage appliances on Microsoft's Azure, Google's Compute Engine and Amazon's S3. 

Nobody should "slut shame" Jennifer Lawrence or any of those actresses for taking those photos. It was their right to do so.

However, I think all of us are now going to think twice about what happens after we hit the shutter button on a smartphone.

Let's start with the devices themselves and work our ways down the stack. All the mobile platforms -- iOS, Android and Windows Phone have default settings which allow them to back up your photo "feed" to your cloud storage account associated with that ecosystem.

Google's Android even takes this a step further by having "Auto Backup" which puts your photos on their Google+ social network. And if you have Google+ for iOS installed, it can do the same thing, but you have to turn it on.

It's probably safe to say that should not be the default setting for any of these devices anymore.

This is not to say that I don't think we should leverage cloud storage as photo backups. In fact, quite the contrary. But we need better management tools so that photos can be sent into a "queue" and we can bulk approve for what gets backed up, and set exceptions for what should not.

For the exceptions, one way to handle this might be the ability to store more private material (such as those containing photos of your children) into an encrypted folder. This methodology is already used in all the mobile operating systems when they are enrolled for Mobile Device Management (MDM) for enterprise-use in BYOD scenarios.

The time has come for MDM to be a service that all consumers can use to better control their technology. I've previously made the case that we need MDM for parents so they can protect their children. My ZDNet Security blogging colleague Larry Seltzer agrees.

On CNET

The guide to password security (and why you should care)

The guide to password security (and why you should care)

Find out how your password security can be compromised, and how to create and manage secure passwords.

After this recent fiasco, I'm now convinced we need this for every device we own, be it a smartphone, tablet or a laptop computer. As consumers, we should be able to enroll all of our stuff, encrypt the local filesystems (using technologies such as BitLocker or the Android/iOS equivalents) and set pin codes for unlock.

If this is good enough for the enterprise, then it's good enough for you and me.

As a secondary precaution, should the device get lost, we should be able to send a remote kill signal that erases the local storage the moment it is turned on and locks onto a mobile network. 

Now let's get into the security of the cloud storage itself. The actual communication between endpoint device and storage account using the various services is encrypted using TCP port 443, or SSL. This is true for Microsoft's OneDrive, Google Drive and also for Dropbox.

But while the end-to-end traffic between device and storage account is encrypted, we still rely on user accounts and passwords for the access control method to that storage.

Steven J. Vaughn-Nichols notes that we should strongly consider 2-factor authentication for securing cloud storage accounts. I think that for celebrities like Jennifer Lawrence as well as the others targeted by this hack and other high-profile people who may end up being potential targets for this kind of cloud-based data theft in the future it's a good option.

But I'm not going to sugar coat it, 2-factor auth is a hassle. I use a variant of this every day for work and it's an extra pain in the neck. But I fully understand why my employer makes me use it, as I have access to some very sensitive stuff that could result in major intellectual property loss and have severe business impact to the company if someone were to steal my laptop and get access to our internal network or even my own OneDrive for Business storage on Office 365.

For the rest of us, there are other ways to deal with this besides 2-factor auth. We could treat cloud storage accounts for consumers the same way we do for enterprises, such as those used by cloud-integrated storage appliances on Microsoft's Azure, Google's Compute Engine and Amazon's S3. 

Microsoft's StorSimple backup appliance, for example, uses an access key -- essentially, a very long randomly-generated password -- to connect to each Storage Account that holds the Azure Blob containers storing the backup data for the connected appliance. This is in addition to the ID of the storage account itself that the containers live in.

Now, one would think that a very long randomly-generated password would be enough. For my own personal Azure blob storage, which I use from my PCs at home, I'm pretty confident that nobody is going to get in.

But the StorSimple appliance goes even further. It actually encrypts the data within those storage accounts into machine-unreadable chunks using an encryption key locally stored on the appliance itself.

Should anyone manage to get past the access key and into the Storage Account on Azure, the information they'd find would be completely unusable.

Now, StorSimple isn't the only cloud storage product that can encrypt using local keys on storage accounts. CloudBerry Backup, a $29.00 product I use on my home PC to vault my most private data on Azure (and I'd trust it to back up my naked pictures as well) uses a similar encryption methodology.

While it would add an additional layer of end-user administrative burden, I think we should be using at a bare minimum local access keys for every cloud storage connected device that we own, so that only the devices we permit should be able to have access to those storage accounts, and each device's access key should be unique, because unlike typical cloud-integrated storage which never leaves the datacenter, mobile devices by definition are carried around.

Consumer cloud storage providers should provide portals and apps for managing these access keys, and ultimately, we should be encrypting the blobs themselves at the device level, even if it is at a cost to battery life and CPU performance.

Given the shift towards 64-bit processors in mobile devices, such as those already in the iPhone 5S and the iPad Air and on certain Samsung smartphones, that CPU hit shouldn't be as serious going forward anyway. 

Should we be treating consumer cloud security the same way we do it in the enterprise? Talk Back and Let Me Know.  

Topics: Cloud, Data Management, Security, Storage

About

Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

35 comments
Log in or register to join the discussion
  • Not slut shaming, just tech shaming

    I don't argue with the idea that people can and should take nude photos of themselves or any other willing participant. I do think that it is shocking how many people then send those photos to someone else's server, and are surprised when they are exposed.

    People need to understand that not just "the cloud", but ANY form, digital or analogue, of handing over something you want kept in confidence risks that confidence being broken because it is immediately out of your control. The fact that mass-marketed, high-profile people do this is even more amazing.
    wantoosevin
    • Not slut shaming......

      You have to understand that peoples that do this type of picture taking and then send them somewhere to be saved, never took the time to learn.....that you can save (burn them) on your
      own personal CD (CD-R, CD-RW, DVD CD's and more), not to forget you must have an optical rom that burns CD's.
      frog27A
  • security must be for real

    security must be for real or it doesn't work. No back-door keys can be allowed.
    suggested reading:
    http://www.wired.com/2014/09/eppb-icloud/

    if there is a back-door key they bad guys will get it.
    Mike~Acker
    • Security is available, just not widely used

      Apple does provide two-factor authentication, but not everyone uses it.
      spstanley
      • For that very reason, it should not be optional!

        nt
        M Wagner
      • And it's so easy to set up... not

        As it is now set up, the average user would never find it or figure it out. And if they did somehow get in there, they would most likely just lock up their account so it would never be recoverable.
        NameRedacted
        • flying a plane is difficult too

          but you still have to take the time to learn how before you can get a license. If these people were brute-forced then they probably had short and/or guessable passwords. If you can't be bothered to learn about good passwords or two-factor auth, then maybe you shouldn't be using these services. It's too hard' isn't an excuse. Why do people find it so abhorrent to just spend some time and, you know, get a little smarter?
          frylock
          • flying a plane _is_ difficult...

            That's why everyone sits down, straps in, and lets someone _else_ fly the plane.

            The carrier is supposed to supply the container, the rules, the security, the pilot, the fuel, a safe landing...

            You're calling the entire world idiots because they can't build a car...but they drive one anyway.

            Elitist. Perhaps just snobbish if you really know how to build a car, a plane, fly it, and perhaps construct the airport.

            Otherwise, why don't you just take the time time to, you know, get a little smarter?
            alegh
          • Absurd...

            That was an absurd analogy. Next week I'm becoming a heart surgeon so I can practice surgery on myself.
            Rickochet
  • Apple

    It's incredible that Apple allowed unlimited password attempts in this day and age. Apple has moments of genius and then the rest of the time they are absolutely clueless.
    CoyoteC
  • Well, ok, but...

    Multi-million dollar talents are brands in themselves. I'm a consumer. Jennifer Lawrence is a brand. She should operate exactly as if she had the Coca Cola logo stamped on her forehead.

    Rookie mistake.
    TaxNerd
    • This isn't just about her indiscretion. Consumers are too lazy to pick ...

      ... strong passwords and service providers are too lazy to make them. Some service providers provide two-factor authentication but most don't. Not even a lot of financial institutions use two-factor authentication. Few even use encryption.

      Lazy, lazy, lazy. No wonder no one trusts their institutions these days. Apple should be ashamed of themselves for letting this happen.
      M Wagner
  • First and foremost, we should all remember, just as e-mail is more like ...

    ... a postcard than it is a letter (everyone handling it can read it), photos in the cloud might as well be in a shoebox in the middle of the shopping mall. In other words, don't put anything in electronic format that you wouldn't want your mother to see.

    More directly though. Microsoft has had two-factor authentication for one drive for quite awhile - and more recently, they have started encrypting everything in their cloud to try to keep the NSA out of your private lives.

    Meanwhile, Google admits to "reading" your e-mail and will even turn you over to the feds if they so choose.

    Why in the world would Apple, that "bastion of innovation" (according to some), not have the same kind of personal protection for its loyal fans?

    Yes, indeed, if these vendors are providing enterprise-class services anyway, they should be able to provide the same level of security to all of their customers.
    M Wagner
    • shocker

      you think microsoft is immune? please, for the benefit of all of us, do not post any naked pictures on your microsoft device lest it be hacked.
      jasona93
    • Turn you over to the feds........

      .......only if you need turning over to the Feds. So that's a good thing.
      johnafish
    • if MS still has the encryption key

      then they can be compelled to turn it over to the feds. And there are recent examples of MS turning over email users to law enforcement, so don't pretend they're not reading your mail too. The only way to protect yourself from that is to encrypt with a key that only you hold.
      frylock
  • skip the cloud

    I'll repeat it again, putting any sensitive information into someone else's hands is plain dumb! Be it person photos or company secrets. Just don't do it.
    Al_nyc
    • I put stuff there...

      ...but I encrypt it locally first (whether or not the cloud storage service says it encrypts data stored on their servers).
      MikeR666
      • yup

        If it's sensitive, encrypt it yourself *before* you put in in the cloud. No matter whose cloud you use.
        frylock
        • Encryption works only to a point

          Encryption of data communication protocols is one thing and encrypting data at rest works well however, if they data is live encrypting may not add benefit. Whole disk encryption for example provides no advantage until you shut the server or SAN down. Encrypting online databases also offers little advantage until that database is taken offline. If a hacker tunnels through and accesses a database with admin privileges, the database is vulnerable.
          SaltedCrypto