When Using Cloud, Paranoia Can Pay Off

Published : 23/11/2024   Category : security




Journalists are increasingly concerned about what cloud providers may access or share with governments - and companies should worry as well.



Cloud business services — from document collaboration to spreadsheets to e-mail — are now ubiquitous, with more than eight out of 10 companies using cloud productivity platforms such as Microsoft Office 365 and Google G Suite.
Yet, as reported incidents of privacy violations have increased, the concerns of businesses and individual users have grown. Many journalists, for example, worry that data kept in the cloud could be accessed by a hostile government or by the service provider. Workers worried about their employers, government agencies, or the service provider themselves, should think hard about the information they store in cloud services, Martin Shelton, a principal researcher with the Freedom of the Press Foundation, stated in an Oct. 9 column.

"If you can see it, the administrator can likely see it," he wrote. "If the administrator can see it, Google can likely see it. And if Google can see it, it's likely subject to requests from government agencies."
The concerns are not new, but a reminder of the world which technology has wrought. Ever since intelligence contractor Edward Snowden leaked classified information about the degree to which the US government surveilled and collected information on US citizens, digital-rights groups and many technology companies have warned about potential access that third parties have to cloud data. 
The concerns have only piled up as journalists have become increasingly targeted worldwide, but data and privacy concerns have become a worry for businesses as well. With 81% of companies using cloud productivity applications, both businesses and workers should understand the risks of using a cloud service, experts say.
While Google has locked down G Suite with encryption, two-factor authentication, and its emphasis on a culture focused on security, concerns still remain about situations where government can compel data disclosure, as well as whether automated scans or collected metadata can leak significant private details.
"The short version is that, theoretically, Google can see anything that you can see in G Suite," says Jeremy Gillula, technology projects director with the Electronic Frontier Foundation. "Whether or not they actually do, is a totally different story."
Users of any cloud productivity software generally have three threats to worry about: hackers, providers, and governments.
Because both Microsoft and Google encrypt data at rest in their cloud, the information is protected against direct online attack. Steal the data, and it is still unreadable. However, online attackers have increasingly focused on stealing credentials and accessing the cloud by impersonating the authorized user. To foil such attacks, companies and individuals need to add multi-factor authentication, experts say.
Finally, providers also have access to the data. Some companies, such as Uber, have allowed broad access to the data in the past. Google and Microsoft both have similar privacy statements, stressing that the customer owns the data.
"G Suite customers own their data, not Google," the provider states in its Google Cloud Security and Compliance Whitepaper. "The data that G Suite organizations and users put into our systems is theirs, and we do not scan it for advertisements nor sell it to third parties."
Meanwhile, government requests have become increasingly common, with 43,683 requests from various governments in 2018, up a third from the 32,877 requests made of Google in 2017, according to the company's semi-annual transparency report. For the past two years, the company has produced data in more than 81 percent of requests. Microsoft fielded a similar number of requests — 44,655 — in 2018, but only two-thirds of requests produced some data, according to its transparency report.
Countries can apply significant pressure on companies to censor speech, or turn over data. 
Researcher Shelton recommends that users occasionally conduct a privacy audit to see what data they are storing on cloud services and whether any of the data is sensitive enough to need offline storage.
Companies that want to increase the security of their data can use a third-party encryption service, such as Virtru, which allows the keys to be stored in a third-party server. While Google will still have access to all the telemetry and some metadata, such technology can protect the content on the server from any unauthorized access, says Will Ackerly, chief technology officer and co-founder of the company.
"You don't have to trust Google with the content or the content of attachments," he says. "We can help companies store content beyond what Google is certified to store."
Overall, cloud services can typically provide better security than most individuals or companies can manage, and cloud providers have become more transparent about government requests and how they handle data internally. Still, cloud-service users need to evaluate their own threats and determine whether some data is too sensitive to store in the cloud, researcher Shelton says.
"[A]s a user of these systems, it's nonetheless important to understand that the documents we access, and the things we write in each document are potentially visible to the organization's administrator, and whoever they answer to," he wrote.