Security → Why I don't use cloud apps.

»www.esecurityplanet.com/ ··· ted.html

Could never figure out why people would even consider using this for sensitive data.

"...just one third of all sensitive corporate data stored in cloud-based applications is encrypted" ...by the corporation storing the data

Do you know whether any companies that you do business with, which have data about you, do or don't use "the cloud"? do or don't use encryption?

I use the cloud and greatly enjoy the flexibility of having our data available when we aren't at home in cases where a VPN into the home subnet is not viable. Also, such as the case recently when my sons phone broke, I had his data all backed up in the cloud, including photos. So there was a near-zero loss of data. In the case of a computer that needs a reset, since most things are stored on NAS or in the cloud here it's a simplistic matter to reset a PC. The benefit of the 'cloud' are many, no question about that.

However I will state for the record, anything I put into the cloud is 'heavily' encrypted. I make sure to use services/products/features where encryption is active in transit and at a rest. In my case one of the services I utilize is Sync.com which has fairly ridiculous levels of zero-knowledge controls and encryption.

»www.sync.com/your-privacy/

Also, as the previous poster pointed out. You can ASSUME a vast amount of companies you do business with don't effectively secure your data. That's unavoidable right now so in effect, you cannot avoid the cloud unless you live in a cabin somewhere and refuse to use electronics.

 

Do you know if sync.com has a warrant canary along the lines of:
»www.rsync.net/resources/ ··· nary.txt

Trouble with warrant canaries is that the warrant can include canary life support order.

 

I agree. If you read the one I cited, they mention that.

However, the canary life support order is a bit more difficult to get, as it is not prescribed by default in the law (yet).

With that in mind, I have seen warrant canaries work as intended, so there can be value there.

Nonetheless, I take your point.

I'm also a fan of the cloud for the same reasons you mentioned.

With the possible exception of things such as family photos etc...
Looking at your posting history I'd bet you also store any PII/sensitive customer data on your local servers in encrypted form, not just when it's on cloud servers.

My point being that if best practices are in place on the local servers then chances are using the cloud isn't going to bring any additional issues should a compromise occur.

Sauce?
--
Opera reborn -- »vivaldi.com

Exactly! As you state, even in the unlikely event of a compromise of a secure, encrypted cloud service, I have systems in place to protect against that.

How about when your router manufacturer pushes a firmware update that forces its consumers into cloud based administration?

Remember this, »www.zdnet.com/article/ci ··· d-chaos/

Unfortunately I'm reminded every time I log into my EA4500.
--
Stop The Mindless Killings, Stop Overfishing

Hosted Hardware Management is growing. FortiAP S series. Meraki, etc. I personally don't care for it but it's a method for people without a WLC to get WLC features and a single pane of glass management. But it also opens up a whole new level of potential security issues. Fortinet has already had a compromise with their Fortimanager/Fortianalyzer where their 'support' was tired of having customer service calls to login to those devices so they hard coded a 30 character password for Super-Admin into the management portal. Ouch? Stupid.

Untangle likely will never have a cloud-based management for their system. They do have a third AV that's cloud based pinned into their v.12.1 version but that's probably as far as they will go. Security vendors need to be super careful on this.

A few weeks ago I installed a WiFi Thermostat, the only one that I found was totally secure. All of the other ones I tested were garbage and totally insecure. The device I put in has a 15 character security key, requires a master password you create to alter the settings/account, and a secondary account password for management/control. Transfer of thermostat data is through an app that IPSEC VPN's to the device to poll for current data only when you enter (and/or choose to save) the 25 character master key. Very impressive security and I wish more companies took IoT security seriously. With that level of security I cannot see why I wouldn't have it in my home to be honest as the level of control and management it provides is exceptional.