“Cloud” Computing

Internet-connected devices, data & programs

About the “Cloud” | Security Challenges | Cloud Storage
Backup Services | Security Concerns

All trademarks, company names or logos are the property of their respective owners.

A large bank of servers with an overlay showing the cloud symbol.

The Cloud and related content are contained in these pages:

The way people talk about this “cloud” like it's a cloud.

It isn't a cloud! It's a load of hardware on an island somewhere, where anyone can access it, which is clear from the endless hacks that happen.

Let's call it “the hard drive island” because then, immediately, it tells people “Oh, it's not in the sky, it's not untouchable by people.” Someone is monitoring it every day.
— James Corden

About the “Cloud”

The “cloud” is the generic term given to any service providing interconnectivity to multiple devices wanting to access the same information everywhere.

Cloud services originally were mostly online storage and backup, but have since expanded into Software as a Service (SaaS), web apps, software subscriptions, online shopping, auctions, surveys, banking and email.

Productivity has moved from working with dedicated software on personal computers to online services. Windows, macOS, Android and iOS have all moved in that direction. Chromebook was designed specifically for online use.

The Move to the Cloud No Longer a Choice

As much as many of us would prefer to retain control of our documents and data, it has become virtually impossible to avoid it.

[C]loud computing services offer the promise of convenience and cost savings, but at a price of reduced control over your own content, reliance on third-party providers, and potential privacy risks should the data “hosted in the cloud” be disclosed to law enforcement agencies without appropriate disclosure or oversight.
— Michael Geist 2014

Software that used to run on our computers has moved to the cloud. Help and instruction manuals are seldom available without going online. Hard drives in laptops have grown much smaller.

As well, commercial and government services have moved to the Web. Even food delivery and similar services are web-based.

Working on Multiple Devices

Web apps like Google Docs and Microsoft 365 offer the ability for several users to simultaneously work on the same document. This is a powerful advantage for teams working remotely from each other rather than in the same office.

While convenient, this technology has issues with security and potential outages. The storage of your documents online has affected our privacy — many spout the “nothing to hide” mantra when you question the pervasive collection of personal data.

Cloud access means that your information can be retrieved from anywhere rather than sitting on a specific computer. The same information can be available at work, at home or on the go.
We expect to access our files quickly based upon the relative ease experienced on our computers. If the delay is too great, the benefits of cloud computing is diminished.
While many free services are vying for your business, expect to pay for premium security and performance as well as for more storage space.

Recent versions of Windows default to OneDrive for saving documents, partly because people want anywhere/anytime access across multiple devices. Storing your files online also allows you to start working on a document on one device (e.g., your computer) and finish it on another device (e.g., your smartphone).

Computers now come with smaller solid state drives (SSDs) installed. While these drives run faster, they store less because manufacturers assume that you'll be using online storage.

Return to top

The Cloud Faces Challenges with Security

The terms “cloud” and “in the cloud” imply a location that is inaccessible. Nothing can be further from the truth.

Online Services Are Vulnerable

The cloud is more vulnerable than the owners would have you believe.

Wherever you are in the world, if you're using Microsoft to host your emails, Google to host your documents, Amazon to provide your storage, and Apple to provide your personal cloud, it's open season on your data as far as the US government is concerned.
— ZDNET

In its simplest terms, “the cloud” is just somebody else's computer, comprised of:

large clusters of computers and storage devices;
running imperfect software;
managed by imperfect staff; and
accessible from anywhere in the world.

Cloud security is web-based, making it more vulnerable to being hacked precisely because it can be accessed from anywhere.

Cloud and virtualization technologies will be increasingly hit by attackers. While businesses often transfer parts of their data and operations to the cloud, they also often use partner services which may not be well configured or contain vulnerabilities.

Companies may not be aware of cloud infrastructure intrusions, as some cloud providers do not log important system events.
— TechRepublic

Microsoft 365 is one of the most widely used cloud-based productivity platforms today. Its widespread usage also means that a successful attack can potentially impact millions of organizations, making it a lucrative target for malicious actors. Cybercriminals can use various methods, such as phishing, brute force attacks and credential stuffing, to exploit weak points and gain unauthorized access.
— The Hacker News 2024

Hackers Target Cloud Services

Jessie James robbed banks "because that's where the money is." Cybercriminals now target cloud services because that is where the data has gone.

There's so much data stored in the cloud. If you breach the cloud, you're basically breaching a basket full of eggs. I can tell you firsthand cloud is really where hackers are focusing right now.
— Tektonika

Even a single cloud service provides so much more potential information to steal than the largest private networks, so hackers are going to exploit cloud services.

Microsoft 365 integrates various services, such as Outlook, SharePoint, Teams and OneDrive, creating a complete ecosystem for users. While this enhances productivity and collaboration, it also broadens the attack surface for cybercriminals with multiple entry points. If threat actors compromise one service, such as a user's email account, they could gain access to the entire suite.

On average, a terabyte of cloud storage contains over 6,000 files with sensitive information. Microsoft 365 stores large volumes of sensitive business data, including financial records, intellectual property and personal information, making it an ideal target for ransomware attacks.

Although Microsoft 365 is a robust platform, certain end-user shortcomings can make it vulnerable to security risks.
— The Hacker News 2024

Online Services Suffer From Outages

Online services suffer from unexpected outages during which time you won't have access to your documents.

Yesterday, February 8th, at 12:30PM PT Instapaper suffered from an outage that has extended through this morning.

After spending multiple hours on the phone with our cloud service provider, it appears we hit a system limit for our hosted database that's preventing new articles from being saved. At this time, our only option is to export all data from our old database and import it into a new one.
—Instapaper February 9, 2017

During an outage or if your account is compromised you won't have access to your documents. Canada has current and pending legislation which could see your access denied or your social media accounts cancelled.

Online backups could be compromised by an infected computer, a data breach, a successful phishing exploit or even a company unexpectedly going out of business.

I recommend keeping current backups of critical documents on a thumb drive in case of either data loss or inability to access your files in a timely manner. A backup on a local USB drive could allow you to restore your data — provided it is current and not infected.

iCloud Insecure

Your iPhone is secured by your unique password. That's why the FBI had difficulty breaking the encryption on the terrorist's iPhone.

iCloud doesn't have the same security. U.S. law enforcement agencies demanded access to iCloud accounts so Apple had to have access to the encryption on iCloud when a warrant is issued.

So what's the difference between iCloud and the iPhone?

The iPhone, as DOJ puts it, is “warrant proof”, whereas the data stored in iCloud is warrant friendly, and was designed with this in mind.

Data in the iCloud is encrypted and heavily protected by Apple, but the encryption is escrowed in a way that Apple has complete access to the content so that they can service law enforcement requests for data.
— Jonathan Zdziarski

That weakness was exploited by hackers to gain access to iCloud accounts and steal private nude photos of celebrity women. The Exif location data embedded within those photos endangered their safety by revealing their location.

The User Pays for Security Failures

Unfortunately, like with computer security, the end user bears the cost of failure.

Companies seldom provide the same level of security for your data as they do for their own data.

Critical company documents are seldom lost when your passwords and credit information are leaked. Companies rarely report these incidents until much later, if at all.

The LastPass Breach

One example is the 2022 LastPass breach.

The first notice on August 25th was relatively quick, but the company waited until December 22nd to report the loss of backups of users' password vault even though that was accomplished between August 20 and September 16, 2022.

It wasn't until March 2023 that users learned the full story — more than six months after their data was stolen. Given the critical nature of that data (all the passwords used by most LastPass users) that was far too late.

This lax reporting standard will not change until the cost is too high for the cloud service to bear (i.e., more than “a cost of doing business.”)

Breach Costs Yahoo! >$1 Billion

Verizon reduced their offer for Yahoo! by more than $1 billion after learning about its 2016 breach:

Verizon (VZ) agreed to buy Yahoo's core properties for $4.83 billion in late July, just days before the hack was first reported. The deal is expected to close in the first quarter of 2017.
— CNN

Return to top

Cloud-based Storage

With high speed access from anywhere and the move to multiple portable devices (smart phones, tablets, laptops, etc.) combined with the need to securely access the same information everywhere, you need to have a central remote storage facility for these files.

Remote Backup & Recovery

Online backup services provide recovery in cases of computer disasters such as catastrophic damage, theft, etc.

However, bandwidth limits can make larger backups inconvenient, lengthly or costly, especially in countries like Canada.

Compared to other nations, Canadians suffer terrible upload speeds, with Canada ranking 53rd in upload speeds worldwide, according to CBC. Upload is critical to making use of public cloud solutions, especially storage.
— Tektonika

People use the cloud for both storage (or file sharing) as well as offsite backups.

Considerations

There are some considerations to choosing a service such as where it is located and the encryption used to protect it, particularly in the wake of what Edward Snowden revealed about spying by the NSA and other governments. Privacy is more important than most people realize.

Even if data isn't stored in a US cloud service, if it's been emailed or transferred online in some way, it may be collected by the US government as it's estimated that 90% of Canadian internet traffic is routed via the US.
— TechSoup Canada

Online backup services depend upon a reliable and speedy connection (and may become expensive if you're facing crippling data caps imposed by your ISP).

Many of the big companies offer cloud storage solutions, but these are generally accessed through a common account (e.g., Microsoft or Google account).

Storage Services

As we become more mobile, people are looking to store their documents, emails and other content so that so that it is accessible anywhere and from any device.

Microsoft built Windows 10 and Microsoft 365 (formerly Office 365) with this in mind. Using OneDrive as the default location for stored documents, a cross-platform Office cloud-based Office (providing lots of extra OneDrive space) and interconnectivity between Windows and mobile devices, users can start with one device and pick it up with another.

Additionally, online storage can free up space on their devices which has resulted in smaller, faster SSD drives in today's consumer laptops.

These services offer limited free storage but you can purchase storage for an additional monthly or annual fee:

Google Drive (15GB; this space is shared with Gmail files)

Box (10GB)

IDrive (10GB)

Microsoft OneDrive (5GB)

Dropbox (2GB)

— PCMag

Recommended Cloud Storage Services

The following are my recommended cloud storage services:

SecureSafe is the most secure.
Dropbox is an excellent, cross-platform solution providing support for Windows, macOS, Linux, Android and iOS.

Other Cloud Storage Services

Although some of these cloud services are integrated with a specific operating system, they have opened up access to remain competitive:

Be aware of potential privacy issues when storing sensitive data online without very strong encryption.

Reviews

Return to top

Cloud-based Backup Services

Online backup services provide an alternative to local storage media and protect you from circumstances where the recovery media has been damaged or lost.

Recommended Cloud Backup Services

The following are my recommended cloud backup services:

iDrive is strongly recommended by reviewers like PC Magazine, Wired and TechCrunch.

Other Cloud Backup Services

While not my recommended cloud backup solutions, these may work better for you.

Box is one of the oldest cloud services.
CrashPlan offers subscription plans for individuals and businesses.

Acronis True Image is recommended only if you either have no security software installed or if you install only the backup software by running a custom installation and unchecking the security options.

Reviews

Return to top

Security Concerns

Like other services that are accessed online there are significant security concerns. Over time these can be minimized by taking care to use adequate security precautions and in selecting security-conscious vendors.

[In spite of potential] alternatives that might address Canadian concerns, including encrypting all data and retaining the encryption key in Canada (thereby making it difficult to access the actual data outside the country), the [Canadian] government insisted on Canadian-based storage. The reason? According to internal U.S. documents discussing the issue, Canadian officials pointed to privacy concerns stemming from the USA Patriot Act.

The privacy concerns raise a bigger question for millions of Canadians that use U.S. cloud services as well as organizations such as Canadian universities that are contemplating switching their email or document management services to U.S.-based alternatives. Simply put, if U.S. cloud services are not good enough for the Canadian government, why should they be good enough for individual Canadians?
—Michael Geist

We also need to trust who has access to our data, and under what circumstances.

One commenter wrote: After Snowden, the idea of doing your computing in the cloud is preposterous.

He isn't making a technical argument: a typical corporate data centre isn't any better defended than a cloud-computing one. He is making a legal argument.

Under American law — and similar laws in other countries — the government can force your cloud provider to give up your data without your knowledge and consent. If your data is in your own data centre, you at least get to see a copy of the court order.
— Bruce Schneier

Log-in Required

You need to use a user name and password to log into these services. In most cases your user name is your email so only your password is truly private.

If your data is being stored “in the cloud” — where anyone can access it — they only need to break your password. Make your passwords long and strong.

You Don't Control the Software

More significantly, you no longer completely control what happens to your personal information and data or how it is used.

Running a piece of software on your computer means that you can see what it does using various utilities and via your firewall program. Parts may be hidden, but you can see what is happening if you have the right technology. Many folks that have such capabilities write about their experience.

Once you move that control to a remote server you no longer see the process. The result of that product is delivered to you, but you don't know what is shared or retained for advertising or other profiling.

How Real Are Security Concerns?

So far many of those experiencing security failures have been reluctant to release the details of those security breaches. The loss of customer data by major retail chains is seldom reported.

You have the right to know if the vendor is incompetent because it affects your privacy.

Until we are told exactly what caused the failures that resulted in unauthorized access to customer credit card and password data we cannot state categorically that the cloud is safe.

Roadblocks to Security

Too many sites insist on password restrictions, usually because they are saving the data unencrypted on their servers. Many are lax in monitoring their network for suspect activity or lack the expertise to notice irregularities.

Data breaches make us all less safe. Vigilance is required to avoid increasingly sophisticated attacks and the economics are seldom favourable.

Equifax is Corrupt

Equifax was hacked sometime between May and July 2017. Executives sold off $3 million dollars worth of Equifax shares before the news was released in September.

Equifax's response? An insecure site asking consumers to provide even more sensitive data. The company lacks credibility and was permitted to get away with insider trading.

Class Action Lawsuits Ineffective

Corporations are too busy gathering everything they can about you to worry about securing the content they collect (except to keep it away from competitors).

That's because it is less expensive to risk lawsuits than to pay for improved security.

Even if a class-action lawsuit is brought against the company, the settlements seldom provide significant compensation for anyone but the lawyers.

Misplaced Priorities

All software contains vulnerabilities. Rather than patching known zero-day vulnerabilities, the NSA and other agencies use them to spy on other nations as well as their own citizens.

They have infiltrated U.S. technology firms without outside oversight.
The back-door access they demand from encryption software has been used by criminals to hack celebrity private photos and more.
They insist that encryption protects criminals, yet our e-commerce system cannot work without the security of encryption.

The Cost of Unpatched Software is High

When vulnerabilities aren't fixed, hackers use them for phishing attacks, ransomware and data breaches.

Now the U.S. and other nations are being attacked by well-funded nation-states as well as organized crime (often referred to as “malicious actors”) using the same vulnerabilities that government agencies use.

We Need to Demand Accountability

Until we educate ourselves about security and demand better privacy, we are unlikely to see any action taken.

Return to top

Related Resources

On this site:

Found this resource useful?