Cloud security

Securely Using Data in the Cloud

March 20, 2015 by Dejan Lukan

In the world we live in, having unencrypted data is not considered very secure, as unencrypted data can be easily viewed and tampered with. Whenever we want to share some data with a friend or only transfer the data from one computer to the other, our data can be viewed in transit. Since there are multiple ways of transferring the data from one system to the other, there must also be different techniques that attackers use to view and modify the data.

In this article we’ll talk about how an attacker can get access to the data we use in our daily lives as well as offer recommendations that will help users to protect themselves against attackers gaining significant information when the data has been stolen. We’ll also take a look at the data stored on the following locations, which are used by most users in every day lives.

  • USB device
  • Hard drive in a PC or laptop
  • File synchronization in the cloud like Dropbox/SpiderOak
  • Server database stored somewhere in the cloud
  • Mobile phone

The dangers of online and offline data storage

Let’s imagine that we want to copy some data from our computer at work to our computer at home. In most cases, we would have to copy the data to a USB device and carry it home to do some work over the weekend. Nevertheless, we can lose the USB drive on our way back home, which can be picked up by an attacker and plugged into a computer to view the data. In order to protect against data theft, we must properly encrypt the USB device with a secure password. In doing so, an attacker will first have to determine which encryption algorithm was used for encryption and afterwards bruteforce the password in order to be able to get the unencrypted version of the data.

On the other hand, we can transfer the data from one place to the other over the network, but the security of the data in transit depends on the algorithm used to encrypt the data. When transferring the data over an unencrypted channel, an attacker can easily see the data being transmitted over the wire. In order to protect against such attacks, we have to use secure protocols like HTTPS or SSH that properly encrypt data in transit.

How much data do you have on your PC at home or on your laptop? Quite a lot I would presume. Now, if an attacker manages to steal your laptop while you were looking away, he/she could easily boot up the system in order to get access to the hard drive. Even if your computer is password protected, which (let’s be honest) it isn’t on numerous occasions, an attacker can easily mount the hard drive from another environment, like a live-cd. The password used to protect the user from anybody logging on only helps against others using the computer under the user’s name, but it isn’t much of an obstacle in an attacker’s eyes. In order to protect against this kind of data theft, we have to properly encrypt our hard drives – even the operating system itself needs to be encrypted in order to provide maximum security.

We often synchronize the files from our hard drives to the cloud by using one of the following file synchronization services (note that only a few of the services are listed but many more are available and ready for consumers to use):

  • Google Drive
  • Dropbox
  • SugarSync
  • Amazon Cloud Drive
  • Microsoft OneDrive
  • SpiderOak
  • Wuala

Whenever using one of the listed services, the chosen files will be synchronized between our local computer and the chosen cloud service. Depending on the service being used, the files stored in the cloud might or might not be encrypted. For example, Dropbox doesn’t encrypt files when they are stored in the cloud, but SpiderOak does encrypt them – in order for this to be possible, the SpiderOak client has to encrypt the files on our local machine before sending them to the cloud. Therefore, only the encrypted version of the files are actually send through the network to the cloud data server.

System administrators often have to setup an SQL/NoSQL database, which will be used by some applications to store data. Most of the time, usernames and passwords are also stored in the database, which means the database includes sensitive information. There is also myriad user provided data like comments, pictures, and videos as well as other user data that is stored in such databases. Therefore, ensuring the databases are secure is of utmost importance in order to provide secure application workflow and operation. The problems gets somewhat larger when those database are stored in the cloud. There are different cloud services like Google Cloud SQL, Amazon Relational Database Service (Amazon RDS) that provide setting up, operating and scaling relational databases in the cloud a breeze.

Last but not least, the data stored on mobile phone should also be considered. How many times have you heard the story of a user losing his/her phone and all the data that was on it. I’ve heard it a million times already and the repercussions are always the same: the user loses the data that was on the phone. The majority of users are worried only because the data like pictures, videos, text messages as well as numbers are lost and they won’t be able to get their hands on it any more – at this point I would like to point out that keeping data backups is an important consideration that you have to take into consideration before something bad happens, but that is a story for another time.

On the other hand, the minority of users are actually worried that their data might get into the wrong hands. If a user has private photos/videos on a mobile phone that shouldn’t be leaked into public, and the phone ends up in a wrong hands causing the data to be leaked to the public, the person’s life may be destroyed overnight. There were, are and will be many examples of this happening. There was an incident not long ago, where a video about a principal and a teacher leaked to the cloud; the principal first denied it was him, but after a few days his wife confirmed his identity and also left with their children – this was heartbreaking for him. At the same time he was also fired from his job and was ridiculed online, which later led to him committing suicide. It was a heartbreaking story, which proves the point that data leak can be painful and life ruining.

Securing online and offline data storage

Now we’re going to take a look at how we can secure the data previously described in order to prevent an attacker from being able to read leaked or stolen data. We won’t be talking about how to prevent an attack or even how to prevent an attacker from stealing our data, but merely how to protect the data in such a way that even if the attacker is able to get his/her hands on it, he/she won’t be able to make any sense of it.

To properly encrypt USB devices, we can use the following software: DiskCryptor, VeraCrypt, BoxCryptor. On the other hand, you probably shouldn’t be using TrueCrypt, whose development has been discontinued and is not actively developed anymore, and its use is considered insecure.

To encrypt a hard drive, we have to use software products relative to the operating system that we’re using. In Linux, we can use DM-Crypt LUKS, while in Windows we can use BitLocker.

When synchronizing the data to the cloud, we have to ensure the service being used supports zero-knowledge and the data uploaded to the cloud is encrypted. We shouldn’t use DropBox, but should rather switch to an encrypted synchronization alternative like SpiderOak. For safe storage of database data in the cloud, we can use ClearDB.

Most of the Android mobile phones already support encryption out-of-the-box. All we have to do is go to the Android settings and encrypt the phone, but we have to be aware that encrypting the phone requires us to input a passphrase every time we want to access it. Therefore, for the phone to be encrypted, we can’t use pattern or PIN, which are also two alternatives for protecting access to the phone.


In this article we’ve seen that properly encrypting the data that we’re storing on various devices is of utmost important when we want to secure our data. The data on an offline device like a USB is equally important as the data stored in the cloud, on DropBox for example. Therefore, we have to encrypt the data whenever storing them to a media, whether a USB device or a cloud service. An attacker able to get his/her hands on the data won’t be able to decrypt the data, since it has been properly encrypted.

We must remember that when storing the data in the cloud, there’s a chance it might get stolen by a malicious attacker. The most important thing is being aware of the fact that data can be stolen and take appropriate steps to secure the data the best way we can. There may be times when we won’t be able to secure the data against any kind of attack, but by following the best security standards, we can make the restoration and decryption of data very difficult for the attacker.

At the end of the day, it comes as a trade off between security and the time we’re willing to sacrifice to ensure proper security measures. We have to keep in mind that there is no use crying over spilled milk, which is why we must take the time to investigate what kind of security disadvantages the technology brings and how to best secure against them the best way we can. Therefore, saving the data into the cloud with an actual understanding of the technology is much more beneficial in the long run.

Posted: March 20, 2015
Dejan Lukan
View Profile

Dejan Lukan is a security researcher for InfoSec Institute and penetration tester from Slovenia. He is very interested in finding new bugs in real world software products with source code analysis, fuzzing and reverse engineering. He also has a great passion for developing his own simple scripts for security related problems and learning about new hacking techniques. He knows a great deal about programming languages, as he can write in couple of dozen of them. His passion is also Antivirus bypassing techniques, malware research and operating systems, mainly Linux, Windows and BSD. He also has his own blog available here: