A Lesson in Cloud Security for SMBs

Paul Mah

In the ongoing war to gain more users, many web services have adopted simplistic landing pages designed with the sole purpose of getting users signed up as quickly as possible. In most cases, the security aspect of the service is relegated to a minor footnote, or a vague assurance that it is “safe and secure.”

The marketing hyperbole and lack of detail on such pages mean that those in a smaller business, who likely don’t have the security expertise, can find it difficult to properly understand and appraise what they’re really signing up for. With this in mind, I outline two key points to help SMBs decipher the security message for cloud services and prevent possible data loss.

SSL Encryption


Secure Sockets Layer (SSL) is a cryptographic protocol that makes it possible to conduct secure communications over the Internet. Without SSL or the use of a similar encryption system, data transfers will be conducted “in the clear” and are completely open to being snooped upon by any system that the data passes through while on its way to the destination system.

There are two key parts to SSL: the asymmetric portion is a 1024-bit digital certificate; the symmetric portion is a 128-bit encryption key. The asymmetric component offers the ability to validate the authenticity of a remote website and transmit a secret symmetric key used for subsequent data transfers between the two parties. Increasingly, though, sites such as Google, Microsoft and Symantec have already moved to 2048-bit digital certificates, while the use of 256-bit encryption keys is also becoming more common.

While considered robust, SSL pertains only to the data transfer aspect and has nothing to do with how the data is stored when at rest. Unfortunately, many web services refer only to SSL when touting how good their security is.

Cloud Encryption

Fortunately, not all cloud vendors leave data in an unencrypted state. To be clear, encrypted data has to be decrypted on the fly in order to be displayed on a website. So the effectiveness of such encryption in protecting your data may vary widely depending on the vendor's security architecture and implementation.

Similarly, while online storage services such as Dropbox and SugarSync store data in encrypted form, they also hold the decryption key to facilitate data access across multiple devices or on the Web. There are, though, also cloud backup services that encrypt data before it is uploaded, such as SpiderOak and Mozy.
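
What encrypting data before upload looks like in practice, as an added example that is not from the original article or from any of the services named. It assumes AES-256-GCM with a key derived from a passphrase via scrypt; the function names and the in-memory `providerStore` are hypothetical.

```javascript
const crypto = require('crypto');

// Layout of the uploaded blob: salt(16) | iv(12) | tag(16) | ciphertext
const SALT = 16, IV = 12, TAG = 16;

// Derive a 256-bit key from the passphrase; the key never leaves the client.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

function encryptForUpload(plaintext, passphrase) {
  const salt = crypto.randomBytes(SALT);
  const iv = crypto.randomBytes(IV); // fresh nonce for every file
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

function decryptAfterDownload(blob, passphrase) {
  const salt = blob.subarray(0, SALT);
  const iv = blob.subarray(SALT, SALT + IV);
  const tag = blob.subarray(SALT + IV, SALT + IV + TAG);
  const body = blob.subarray(SALT + IV + TAG);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  // final() throws if the passphrase is wrong or the blob was modified
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Hypothetical stand-in for the provider's storage: it only ever holds the blob.
const providerStore = new Map();

function demo() {
  const doc = Buffer.from('Q3 payroll: constructed sample data');
  const pass = 'correct horse battery staple'; // constructed passphrase
  providerStore.set('payroll.txt', encryptForUpload(doc, pass));
  const stored = providerStore.get('payroll.txt');
  let wrongKeyRejected = false;
  try { decryptAfterDownload(stored, 'guess'); } catch (e) { wrongKeyRejected = true; }
  return {
    providerSeesPlaintext: stored.includes(doc),
    wrongKeyRejected,
    roundTrip: decryptAfterDownload(stored, pass).toString(),
  };
}

console.log(demo());
```

Because the key is derived on the client, losing the passphrase means losing the data; that is the trade-off against services that hold the decryption key themselves.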



Jul 30, 2013 4:27 AM Joe lazer says:
Good advice. Organizations are investing more in cloud technology as it is cost effective and more efficient. Importance should be given to security and privacy issues of data on cloud. Came across this interesting whitepaper @ http://bit.ly/ZFPu1l on cloud security that might interest a few readers “Cloud risks striking a balance between savings and security”
