Do you think that the personal information in your electronic messages belongs only to you? Do you still think that your enterprise data is safe in widely advertised “cloud” infrastructure because you keep your login and password in a safe? You might be dead wrong if...
- your personal information has ever reached the Internet without being protected by a private encryption key that only you know; a PGP key is a good example of such a key.
- you do not encrypt your personal files in the “cloud” with a personal encryption key.
- you encrypt your personal or enterprise data but keep the encryption key on the same server or cloud, or you do not have root privileges on your server.
As you can see, encryption is of key importance in all these “clouds”. SSL can make your conversation with the “cloud” private only to some degree. With SSL, your private passwords and logins may prevent third-party intrusions (hackers) into your e-mail box or e-banking. But can you be sure that your data is safe on the “cloud” servers themselves?
Every IT professional can confirm that a “cloud” service provided for personal use without private encryption is fully open to the “cloud” company. All unencrypted files and messages, pictures and everything else you upload, are accessible to the “cloud” system administrators. There is no need to invite advanced hackers: system administrators in the “cloud” company have access to the company's servers, and they hold the 'root' passwords and privileges.
Moreover, the NSA scanning revealed by Edward Snowden shows that private “cloud” data and worldwide communications (including enterprise top secrets and private phone calls of non-US governments) are not private anymore. Now you may think that it is impossible to build unbreakable walls around your data in these “clouds”. That is partially true, but to some degree you can keep your data secure. That is why Google is taking steps to shut the door on NSA access to Google's server-to-server data communications. And there are some simple but very important steps you can take to protect your private (or enterprise) data:
1. Always use PGP encryption for your sensitive e-mails; it is easy to install and use:
   Wikipedia article: http://en.wikipedia.org/wiki/Pretty_Good_Privacy
   Open source PGP tools (MacOS, Windows, Linux/Unix): http://www.pgpi.org/
   Symantec commercial tools: http://www.symantec.com/products-solutions/families/?fid=encryption
2. Encrypt your data in the “clouds” (DropBox, iCloud etc.) with strong encryption algorithms and a password. You can encrypt a large file and use it as a “cloud” drive without problems or worries:
   Wikipedia on TrueCrypt open source tools: http://en.wikipedia.org/wiki/Truecrypt
   Open source TrueCrypt tools for MacOS, Windows and Linux/Unix: http://truecrypt.org/
3. Have the “root” password to your enterprise servers and change it often. The “root” user (Administrator on Windows systems) is the real owner of your server and of the data in it. If you do not own “root” rights, you do not own your server system.
4. Keep your passwords (e.g. root passwords, encryption keys) away from your “cloud” servers and e-mails. Another highly secured server, a USB flash drive in a safe, or a private piece of plain paper is fine.
5. If you need instant messengers for private communications, avoid all these fancy Skype/WhatsApp/Viber/Hangouts/Facebook etc. messenger applications. These apps work with “clouds”, and nobody but you can protect your sensitive messages. Set up your own instant messenger service, such as the open source “ejabberd” server (http://en.wikipedia.org/wiki/Ejabberd and http://www.ejabberd.im/), on your own secured server (see 3 and 4 above). Use open source instant messenger clients only (Xabber for Android, for example).
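Steps 2 and 4 above boil down to one rule: only encrypted containers go into the sync folder, and key material never does. As an added example (not part of the original post), the audit script below walks a cloud-synced folder and flags files that contain private key markers or that are plainly not encrypted; the folder layout, file names and the `shannon_entropy` threshold are assumptions made for the demonstration.

```python
import math, os, tempfile

# Markers of private key material that should never sit in a cloud-synced folder.
KEY_MARKERS = (
    b"-----BEGIN PGP PRIVATE KEY BLOCK-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
)
# Well-known file names of key stores (OpenSSH, GnuPG).
KEY_FILENAMES = {"id_rsa", "id_ed25519", "secring.gpg"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_file(path: str, sample_size: int = 65536) -> str:
    """Return 'key-material', 'encrypted' or 'plaintext' for one file."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if os.path.basename(path) in KEY_FILENAMES or any(m in head for m in KEY_MARKERS):
        return "key-material"
    # An encrypted container (e.g. a TrueCrypt volume) has no header and looks random; compressed files score high too, so this is a heuristic.
    return "encrypted" if shannon_entropy(head) > 7.5 else "plaintext"

def audit_sync_folder(root: str) -> dict:
    """Classify every file under root; anything not 'encrypted' deserves a look before syncing."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            report[os.path.relpath(full, root)] = classify_file(full)
    return report

def build_demo_folder() -> str:
    """Constructed sample sync folder: plain notes, a fake key file, a random 'volume'."""
    root = tempfile.mkdtemp(prefix="cloud-sync-")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("quarterly numbers and supplier contracts\n" * 20)
    with open(os.path.join(root, "backup.asc"), "wb") as fh:
        fh.write(b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n(constructed placeholder)\n")
    with open(os.path.join(root, "vault.tc"), "wb") as fh:
        fh.write(os.urandom(1 << 16))  # stands in for an encrypted volume, not a real one
    return root
```

Run `audit_sync_folder("/path/to/Dropbox")` on a real sync folder; on the constructed demo folder it reports `notes.txt` as plaintext, `backup.asc` as key-material and `vault.tc` as encrypted.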
You might think that all these things are not worth the time and money you must spend to get them “up and running”. That may be so if you have no private information or enterprise secrets. Otherwise, hire a good system administrator (an open source fan is the best choice), set the task, and get the feeling that your data in the “clouds” is truly yours.