I was recently asked to comment on the top 5 ways to protect yourself (as an individual) when using the cloud. Obviously I brought a very identity-centric slant to it, but it was an interesting exercise as I tried to put down on paper (!) the steps I take to protect myself daily. I thought it would be worthwhile to share what I put together with the broader community, and get your take on additional steps that you believe people should take.
Establish Your Fundamental Security Posture
Part of the allure of cloud-based services is the whole access from anywhere aspect of it - at work, on the road, in a coffee shop, in a public park, in your hotel room. As public, often free, wifi becomes something we (especially road warriors) start to rely on more, make a checklist of things you do in order to secure your interaction with cloud services, which should include (but isn’t restricted to):
- Make sure you secure your communication with cloud services by using HTTPS instead of HTTP. I highly recommend installing the ‘HTTPS Everywhere’ plugin that the EFF have released
- Use a Virtual Private Network. It lets you route all your activity through a separate secure, private network, thus giving you the security of a private network even though you’re on a public one. A lot of people can get it through work, but if your job doesn’t come with one then get your own, like CyberGhost VPN or WiTopia (Check out this Lifehacker article)
- And watch out for shoulder surfers
Don’t Reuse Your Passwords
It’s an all too common phenomenon: when setting up an account with a cloud service, users are forced to come up with yet another password, and they choose a familiar, well used one. Especially when signing up for services for work, people will often use the same password they use to access services internal to the enterprise (like their email system, or their corporate CRM system). Reusing those passwords definitely helps you remember it for next time, but it’s the equivalent of leaving your house keys in the mailbox – someone else will eventually see it and figure out how to use it.
Better Still, Use A Password Manager
As our usage of the cloud increases and we battle password fatigue, that last point becomes increasingly harder for us. But there are tools like LastPass and 1Password that can help us greatly, not only by remembering the passwords for us (in the cloud, of course) and providing simple plugins to autofill those pesky login forms, but by also generating random string passwords that are stronger than your average password. Just remember to follow all their recommendations: create a really strong and unique Master Password, configure the settings to recognize trusted locations (like your home network), make sure to read their ToS and security policies, and use common sense in trusting what is still a cloud service.
Bring Your Own Identity
But those last two points still rely on having multiple passwords, which is recognized widely as an insufficient approach to security. Federation technology has matured to the point where we can now rely on federated login to cloud services. Most enterprise service providers will support federation with your corporate identity, eliminating the need for passwords to log into these services. And on the consumer side it is becomingly increasingly easy to sign into your services like Tripit or Flickr using your Gmail, Facebook or Twitter identity, using mechanisms like OpenID and OAuth that do not share your password with the relying site. The goal is not to go down to one password for one account that is your key to your online life, but rather have a manageable number of identity providers that you then use to access your various services. And use common sense to evaluate the sensitivity of a particular service before setting up a relationship between it and an external site.
Review Those Service-to-Service Relationships
The concept of a periodic review of user access is a cornerstone in enterprise governance programs. Why should our personal life be any different? As you rely increasingly on the federated model, set up time to periodically go into your services and review which Mobile Apps and 3rd Party Services you have granted access to. Did you grant some twitter ranking site access to your twitter account months ago, but have never gone back and used it? Reviewing the access grants will remind you to sever that relationship, removing any possibility of abuse or exploit.
Are there any other steps you take that help keep you safe? Practical suggestions only please, unlike this (hint: see second last bullet).
[Cross-posted from the Identropy blog]