My favorite definition of the (public) cloud is “It’s someone else’s computer.” That is really what any external cloud service is. And if your services, data and other assets are located on someone else’s equipment, you are at their mercy on whether you can access those assets and data, at any time. It isn’t up to you. It’s solely determined by them, and any service level agreement you agreed to. And you can lose everything stored there permanently. You should have multiple backups of your data no matter where it is stored, especially including if it is stored using a cloud service.
This was recently again brought home by the following story. A disgruntled ex-employee, months later, gained access to her previous employer’s Dropbox files and deleted them all, permanently. She was caught, arrested, and sentenced. Didn’t change the fact that her previous employer had to close up shop and is no longer in business. And many consider her sentence, 18-months community service with 80-hours of unpaid work, inadequate for the damage she caused. Many people lost their job and a promising, budding small business is no more. And a backup could have prevented it.
Many people and small businesses are under the mistaken impression that a cloud service, especially one that stores their documents, is their “backup”. It isn’t. And even if the service claims they can be trusted to be your backup, you can’t completely trust them. They can be the most well-meaning organization and you can have an ironclad service level agreement that promises that they are your trusted backup vendor, and you can still be at risk of losing everything. If you want to decrease risk, be your own backup or use another backup service separate from the primary service to back up your data, whether it is stored on the cloud or not. Your data should always be backed up in at least two places, if not more.
You must recognize that that when you store things on another entity’s equipment, that data is not your own. Many cloud services explicitly state in their End-User License Agreement (EULA) that they are ultimately not responsible for the accessibility of your data. You should take that legal disclaimer seriously. I know of many people and organizations that have suddenly, irreversibly lost their data forever.
Many times, you will have great difficulty in recovering your data even if your cloud service is physically able to recover it. Have you tried sending an emergency help desk request to a very popular cloud-based service in your time of need? Often, there is no phone number you can call. If you can find the right tech support email address or portal location, you send off your request and pray that they respond. So many people send me stories about how the only response they got was the immediate auto response and after that nothing, nada, zilch!
I have even tried to a “local news “On Your Side” tactic, and tell cloud vendors I’m an “international journalist with a big following,” to help get back lost data for people. It doesn’t work. I’ve called my senior contacts at the organizations involved, and they have reassured me that they would get my request to the right people. Rarely has it worked that the people I was advocating for got their data back, or back any faster. I apparently don’t have enough pull.
6 reasons your cloud data may go away
So, remember this, your data stored in the cloud is not perfectly safe and you cannot trust others to always have it or to give you access to it. Why?
1. Disgruntled ex-employee
As covered above, a disgruntled ex-employee can ruin your organization. When someone leaves your organization, you need to change all account logins they knew and had access to. This includes your cloud provider accounts. This includes the recovery information belonging to those accounts. I know of an organization that knew they had an aggrieved, aggressive employee on their hands who threatened to hurt them. They changed all the necessary passwords and even instituted required MFA where possible on the involved, at-risk accounts. They thought they were safe.
What they didn’t change was the recovery information. Most cloud providers with MFA enabled allow customers to “recover” the account if something happens to their MFA login or existing login information. The ex-employee’s alternate email account was still listed in the recovery information, so the ex-employee just put the account in recovery mode, got login privileges through the link sent to their email account and started deleting. Make sure you change any account recovery information, too, when you change passwords and logins. Better yet, get new accounts and remove the old ones.
2. Malicious account takeover
The largest cloud service providers get millions of malicious account takeovers a day. It’s usually accomplished by social engineering the victim to get the cloud account’s login credentials. The intruder then takes over the account, changes the login details, and the account is theirs. The average victim, when they finally notice they can’t log in and possibly have a malicious hacker involved, takes a minimum of several hours to days to get the account back into their control. I’ve heard of several people who never got back control of their accounts no matter what they did.
3. Ransomware
Ransomware 2.0 is a very savvy beast. Today, ransomware gangs break into organizations and do everything they can to disable or corrupt backups before going on to steal and encrypt the victim’s most important data. Many people are too late when they find out that when the ransomware program encrypts their local copy, the malicious changes are automatically propagated to the other cloud-based copy. The same thing occurs with virtual machine backups. You can have the best mission-critical, hypervisor-protected VM infrastructure and a ransomware gang can crumble it all with a little handy work. Don’t trust online, immediate replication mechanisms to save you from ransomware and other types of malicious occurrences.
4. Bogus/real complaints get you banned for life
I’ve read that several people who posted a breast cancer awareness picture got permanently, lifetime banned from social media for rules intended to stop pornography. It only took one complaint, or one rogue bot. AI is horribly inefficient at making precise determinations of what is and isn’t allowed on a platform. Most platforms warn you and give you a second chance, but I’ve read enough of the horror stories where a person’s online life (e.g., 10 years of pictures and stories) was wiped out overnight and never seen again. Most cloud providers do not have to be “fair” to you when a complaint or overzealous bot gets you banned. It’s you against the mega organization, where they hold all the power and cards. And you can rarely actually get a human being from their side involved to help you. You’re really fighting tech support bots, which keep telling you the same stupid thing over and over and not really helping you.
5. Government or legal takeover
Depending on where your provider and data are located, it is very likely that government or law enforcement services have the right to copy and/or seize your data. It happens all the time. The entity copying your data is often under no obligation to tell you that they requested and received a copy of your data, and often times, the service provider is legally prevented from telling you it was copied. Your data can also be seized, and you prevented from accessing it. There are a lot of stories of organizations accused by the government or other law enforcement agency of some tremendous legal infraction, that five to 10 years later, after a long and expensive court battle, got their data back. Good luck that it would even be useful five to 10 years later.
6. Normal service interruption
On top of these potential issues, there is the regular, run-of-the-mill, service interruptions, crashes, and mistakes. It happens. No cloud provider promises 100 percent availability all the time. There is a possibility that your data can be accidentally overwritten or deleted. And if you read the fine print of the EULA, they are not responsible for it beyond some predefined guidelines that favor them. I can assure you the financial payment you might receive is rarely worth the data you lost. I’m not blaming them. If I did what they do, I’d have the same legal language. But these types of non-malicious events do happen and need to be part of your risk calculation.
I’m sure I’m missing some other causes. And I’m not trying to say that all cloud services or providers are bad. Most aren’t. Just realize the power differential of a recovery event is in their hands, not yours. The more you pay for the service, the more power you might have back in your court. Many commercial services go out of their way to help you in crisis events; but not all. You truly can’t even completely trust the most trustworthy, friendly, responsive service with your digital life. Or more to the point, you don’t have to. Do a backup, or maybe three.
Backup
So, back up your data, whether it is in the cloud or not, whether it is protected by online, automatic propagation. You want at least three current copies (known as the 3-2-1 rule), and one of those copies truly offline. Truly offline means you cannot access it online. If you have an online backup console, if possible, protect it with MFA. Computers accessing back up and restore portals should be among the heaviest, best protected in the organization.
I don’t care how you do it, whether it’s software or a service, local or an online service. I don’t even care if is a cloud service provider. Cloud and service providers are often among the best backup choices. But do a backup. Do three. And if you can find a reputable backup vendor that understands the risks above and has mechanisms to prevent them, it’s much better. There are good, great and bad backup vendors. Check with existing customers when considering a new backup vendor. My favorite question to ask is, “What would you change if you could?” or “What feature do you wish this backup solution had that it doesn’t?” You’d be amazed at what you will learn from that type of question, even after they previously gave you a glowing review of the vendor and their product.
Test restoration
Lastly, and this is super important, test your backups regularly. I don’t just mean one file or one server or one service. Think about what a successful ransomware program might take out your crown jewels or dozens of servers, etc. Think about the worst-case scenario and then do a test backup and restore. Almost everyone says they do it…at least they tell their IT compliance auditors they do it, but they don’t really. Don’t let a huge ransomware attack be the first time your data backup restoration is tested across your system.
This advice really applies to any data, but make sure if you use a cloud storage provider like Microsoft OneDrive, Dropbox, iTunes, etc., that you have the data regularly backed up to another location. There are a lot of people who wish they did.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.