Web Strategy

Moving to the cloud? Pack an umbrella

This is the final chapter on Internet security: how to monitor and prevent threats to the computers and networks of a small business, and how to combat breaches when they occur.

Most of us already have our heads in the cloud, without even knowing it.

"The cloud" is a new term for an old concept: using the Web to run applications and store information, instead of keeping it all on your personal machine. Applications that run through Web browsers - like Google Apps, SalesForce and Zoho - have made cloud computing a growing alternative amongst consumers and small-business users.

The reality is, many people have been working in the cloud for years. After all, even Webmail sites like Hotmail and photo-storage sites like Flickr - to say nothing of Facebook - are cloud services. Google Apps and its ilk merely take the next step.

But as the cloud expands, so do security concerns.

"It does introduce additional risks, but it takes others away," says Richard Reiner, CEO of Enomaly, a Toronto-based software company that helps companies provide cloud services.

On one hand, cloud services take responsibility for all the IT duties that your business would otherwise have had to handle; so long, of course, as you're keeping your operating system and web browser up to date. This lets small businesses focus on doing business, rather than on their computers.

"On the other hand," says Reiner, "your data is now up in the cloud somewhere and accessible from anywhere. So there are things you have to pay more attention to."

So you've decided to move to the cloud. What should you keep in mind?

Passwords, passwords, passwords: Make them strong, and don't re-use them. Sarah Palin had her Hotmail account hacked because it was a password she'd used elsewhere. Password security is especially important in the cloud, where more often than not, a password is your one and only form of authentication. You might consider password-vault software like KeePass, which generates gibberish passwords, and then keeps track of them on your own machine. Or - as Mr. Reiner suggests - take a phrase you're familiar with, and use the third letter of every word to make a memorable, yet undecipherable, phrase.

Watch out for WiFi: Coffee shops are nice places to work, but lousy places for keeping your work protected. Most people put passwords on their WiFi networks at home, but it's another story on the road. Most hotspots at airports and coffee shops are wide open, making them notoriously insecure.

Over an unencrypted WiFi connection, it's not too difficult for ne'er-do-wells to listen in on traffic that's flying through the air; going so far as to hijack the Facebook and Twitter accounts of people using the same network. In fact a recently-released little program called FireSheep - an extension to the Firefox browser - has proven itself capable of doing just that. FireSheep was initially created as a demonstration of online security flaws but has already caused quite a stir.

How to tell if a network is unencrypted? If you have to key in a WEP or WPA password to your operating system - like Windows or Mac OS - when you connect to the network, your data is probably fairly secure. However, if you only plug in a name and password when you open your Web browser, then you're vulnerable.

If you're working with sensitive data and don't want to chance it, skip open WiFi completely and use a 3G connection - like a tethered iPhone, or a 3G USB stick. These are significantly more secure.

Be mindful of the cloud: Remember that the cloud has certain properties. For one thing, while the processing and data storage seem to be taking place in a nebulous location, those servers really do exist in a physical location and they're subject to the laws of that jurisdiction.

"As a consumer, that's not a real concern," says Ben Sapiro, research director of security practices at TELUS Security Labs. "In some jurisdictions, when your business is in the cloud, it becomes a business record, and not personal data."

Also keep in mind that your data is not under your custody, and as long as it's out there, it's possible that someone could get his or her hands on it. This is especially true if you're using a site that enables (or encourages!) collaboration and data-sharing, in which case unauthorized access is a much smaller risk than inadvertent disclosure.

"If you're going to put content online, you need to ask yourself two questions," says Mr. Sapiro. "Is this something I want absolutely everybody to be able to see? And, if not, am I correctly granting people access to it?"

To that end, a regular, top-down review of who has access to which online services is a good routine to get into.

Consider two-factor authentication: One emerging form of secure authentication has recently been adopted by Google Apps as an option, and it's worth keeping your eyes on. It's called "two-factor authentication," and it usually works by supplementing your login and password with a constantly-changing access code that arrives via your smartphone. The idea is to supplement the security challenge of proving something you know - like a password - with something you physically need to have. (The system can also work with special USB keys.) This makes it harder for your service to be accessed by someone who's not actually you.

Obviously, you can't just add two-factor authentication to a cloud service yourself; you have to wait for the service provider to offer it. But Google's on board, and there's increasing interest in the idea as both cloud services and smartphones proliferate, so watch for it to become more widely adopted.
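The article does not say how the constantly-changing code is produced; one widely used scheme is the time-based one-time password (TOTP) of RFC 6238, sketched below as an added example that is not from the article or from any provider it names. The function names are illustrative, and the shared secret is the published RFC test value, not a real key.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code stays valid
DIGITS = 6   # length of the code shown on the phone

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now=None) -> str:
    """RFC 6238: the counter is the number of 30-second steps since 1970."""
    now = time.time() if now is None else now
    return hotp(secret, int(now) // STEP)

def verify(secret: bytes, submitted: str, now=None, drift=1, last_used=-1):
    """Server-side check. Returns the matched time step, or None.

    Accepts codes up to `drift` steps either side of the server clock, and
    refuses any step at or before `last_used`, so a code captured on the
    wire cannot be replayed. The caller stores the returned step as the
    account's new `last_used`; -1 means no code has been accepted yet.
    """
    now = time.time() if now is None else now
    current = int(now) // STEP
    matched = None
    for counter in range(current - drift, current + drift + 1):
        if counter <= last_used:                 # also skips negative steps
            continue
        expected = hotp(secret, counter).encode()
        # constant-time comparison; do not exit early on a match
        if hmac.compare_digest(expected, submitted.encode()):
            matched = counter
    return matched

# Constructed input: the shared secret used in the RFC 6238 test vectors.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_SECRET)
    print("current code:", code, "accepted at step:", verify(RFC_SECRET, code))
```

The phone and the service both hold the secret and compute the same code independently, which is why a stolen password alone is not enough to log in.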

Special to The Globe and Mail

The series continues with a new post every Monday for the next three weeks. Stories can be found on the Web Strategy section of the Your Business website.
