Keeping data safe in the cloud

Data security and the cloud have been in the news recently, following high-profile leaks from Sony and other companies. How does this affect you, if you’re an ElasticHosts customer? How secure is your data really? The good news is that cloud servers you manage yourself – like ElasticHosts – should be a lot less vulnerable than cloud data or applications managed by third-party firms. If managed correctly, your database on an ElasticHosts server should be rather more secure than, say, your Gmail.

The key words in that sentence are “if managed correctly”. Using an ElasticHosts server gives you a lot of control over your data, but with great power comes great responsibility. So in this post, we’ll explain firstly why cloud servers should be more secure than cloud applications, and secondly give you some tips for keeping your ElasticHosts servers safe.

Data risk with cloud applications

First of all, let’s look at cloud data and applications. If you store your email in the cloud with Gmail, then there are four possible ways it could be compromised:

  1. Service provider. In theory, Google’s sysadmins could access your email. (Last year, a former Facebook employee made allegations that Facebook sysadmins had a master password allowing them to access any account.)
  2. Lock-in. In the unlikely event that Google goes bust, your data could vanish. A more plausible scenario is that Google starts behaving in ways you don’t like. Whenever you use cloud applications, always make sure you can export your data if needed.
  3. Jurisdiction. Google’s servers are in the US, and in theory, if they hold private data on you or your customers, this could break the EU Data Protection Directive on personal data. It also means that the US authorities could order Google to hand over your data.
  4. Hackers. You’re reading your email over the public internet, so it’s vulnerable to compromise, including hard-to-detect ‘man in the middle’ attacks.

Data risk with cloud servers

In the case of cloud servers, only one of these areas is still a real vulnerability.

  1. Service provider. Not an issue – we don’t have root passwords to your VMs, so even if we wanted to, we couldn’t log in.
  2. Lock-in. Not an issue – it’s easy to move your data off your ElasticHosts servers, and you control your own backups (we’ll write about avoiding lock-in in a forthcoming post). We don’t tie you in to a monthly contract, so you won’t even lose financially if you leave.
  3. Jurisdiction. Not an issue. You can choose ElasticHosts servers in the EU or the US, as you prefer. If you are a UK company using UK servers, then you are complying with the EU Data Protection Directive, and your servers are subject to UK law.
  4. Hackers. Still an issue – your server is available via a public IP address. We’ll discuss how to reduce hacking risks in the remainder of this post.

Good security practices for cloud servers

So an ElasticHosts cloud server minimises service provider, lock-in and jurisdiction risk – but you can still be hacked. How can you keep your ElasticHosts server safe from hacking attacks? Firstly, use strong passwords. Make sure your ssh, VNC and control panel passwords are all highly secure. Change them regularly. And don’t forget human error — make sure you follow a good password policy. In addition, we recommend using some combination of the following on your servers:

  • IP restriction. Restrict logins by IP address, so that login isn’t allowed from any IP address other than your own.
  • Firewalls. Set up firewalls on your sites.
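
One way to check that the two measures above are actually in force is shown below. This is an added example, not ElasticHosts code: it assumes a Linux server whose firewall is iptables, ssh and VNC on their default ports 22 and 5900, and it audits `iptables-save` output against an allow-list of your own addresses. The function names and the sample ruleset are constructed for illustration.

```python
import ipaddress
import shlex

MGMT_PORTS = {22: "ssh", 5900: "VNC"}  # assumed default ports; adjust to your setup

# Constructed sample of `iptables-save` output; addresses are documentation ranges.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:5905 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m multiport --dports 22,443 -j ACCEPT
COMMIT
"""

def _ports(spec):
    """Expand an iptables port spec such as '22', '5900:5905' or '22,443'."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_mgmt_rules(rules_text, allowed_sources):
    """Return (service, source, reason) for each exposure of a management port."""
    allowed = [ipaddress.ip_network(a) for a in allowed_sources]
    findings = []
    for line in rules_text.splitlines():
        if line.startswith(":INPUT ACCEPT"):
            findings.append(("all", "any", "default policy is ACCEPT"))
        tok = shlex.split(line)
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        spec = opts.get("--dport") or opts.get("--dports")
        if opts.get("-A") != "INPUT" or opts.get("-j") != "ACCEPT" or not spec:
            continue  # rules without a port match are out of scope here
        src = opts.get("-s")
        for port in sorted(_ports(spec).intersection(MGMT_PORTS)):
            if src is None or "!" in tok:  # negated matches are treated as unrestricted
                findings.append((MGMT_PORTS[port], src or "any", "no usable source restriction"))
                continue
            net = ipaddress.ip_network(src, strict=False)
            if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                findings.append((MGMT_PORTS[port], src, "source not in allow-list"))
    return findings

if __name__ == "__main__":
    for finding in audit_mgmt_rules(SAMPLE_RULES, ["203.0.113.10/32"]):
        print(*finding, sep="\t")
```

An empty result means every rule that accepts ssh or VNC traffic is limited to the addresses you listed.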

If properly protected, cloud servers should actually reduce risk compared to physical servers, by removing the need to move and protect physical hardware – many high-profile data leaks have come from flash drives!