What the Equifax Breach tells us about cloud security

Equifax reports an intrusion into its system which “may have” stolen the data on up to 143 million Americans, including name, address, SS#, and Drivers license number. This is a terrible lapse in security, and, on paper, it should not have happened.

Equifax is a large and profitable company, whose central business is secure, trustable data management and processing. Preventing this type of cyberattack should be one of their most important goals. And yet, it happened. What can photographers and collection managers who use cloud services learn from this?

It’s impossible to know the real story from outside
The first thing to learn is that, as stated above, looking at a company from the outside can’t provide a guarantee. It’s hard to find a company that should have a better security practice than Equifax. They are not a startup prone to pivot, or running out of funds, or a company for whom security is a second tier issue. Yes, they make all kinds of mistakes in their reporting, but that’s an inherent part of gathering up trillions of individual transaction reports from many different sources.

If it’s hard for Equifax, it’s even harder for you
It’s getting reasonably common to hear that cloud service companies get breached, It happened to Adobe,  Yahoo (x3, at least!), and many more (click the link above for fun). But this does not mean you should just manage all your cloud security yourself. The vast majority of people (and institutional IT), simply have no idea how to fully protect from attack.

Cloud services have become essential in the creation, use, storage and management of photos and other media.  Unless you are going to go off-grid (start by throwing away your smartphone), you’re going to have to live with a certain amount of risk. The entry points for hacking are exploding. Now your fridge, car, connected camera, and smart lightbulbs can all be attacked by Internet of things (IoT) exploits. It’s going to get even harder to prevent cyberattacks as IoT grows.

So our best strategy is to become more resilient. Here are some tips.

1. Centralize all of the media you want to keep. Preserving your stuff starts with knowing where it is. If it’s spread between a phone, your laptop and across half a dozen hard drives, it’s impossible to really manage safely. You can now cheaply buy hard drives up to 12 TB. There is no excuse not to collect everything you want to keep.

2. Keep a local copy of any photos or other media you want to preserve. This means you need a copy of your photo archive on local drives, in your possession. Anything you have that is only stored in a cloud service is at some level of risk, and accurately determining that risk is beyond your ability.

3. Keep at least one copy of your data offline. For most people, that means copying your photos and other important data to additional hard drive(s) and unplugging. This is a backstop for all kinds of terrible things, not just cyberattack (lightning, theft, etc.)

4. Consider write-once media. While DVD and Blu-ray are fading from the media storage landscape, there is still a compelling reason to consider them. Photos stored on write-once media can’t be infected after-the-fact. If you think you have too much data for optical disc, consider the fact that Facebook has built a cold-data archive in North Carolina that employs Blu-ray (for the exact reasons outlined above).

5. If something is really sensitive and it needs to be stored in the cloud, you probably want it to be encrypted on the client side. (This means that software on your computer holds the encryption key, and the cloud service only has a scrambled copy of the data). Note that when I say really sensitive, I mean stuff that is life or death, or has a major financial component.

Backblaze is a service that provides client-side encryption. It’s not totally bulletproof, but someone would probably need to know exactly what to look for. Note that an encrypted cloud backup like Backblaze can also help to protect you against ransomware, like the May 2017 WannaCry attack, which is a growing problem.

6. Take a look at the cloud service providers you use. 
Even though you can’t remove all doubt about your cloud service providers, you can make some educated guesses. Does there appear to be a sustainable business model? Am I paying enough for this service to care about my security? Does a google search bring up anything hinky?

If you take these steps, you can help protect the integrity of your photo collection against growing hazards. You may not be able to prevent intrusion, but at least you can recover from it.

Facebook Comments

comments

Leave a Reply