Cloud storage

The IT security team at the University of Vienna has compiled a list of practical tips for students and employees to make the use of cloud storage services, such as u:cloud, Dropbox, Google Drive, Microsoft OneDrive or iCloud, more secure.

Employees

The ZID does not offer support for external cloud storage services, as the data stored with these services are located outside the University of Vienna's infrastructure.

Therefore, we recommend that employees of the University of Vienna refrain from using external cloud storage services for important, confidential or sensitive information (for example, research results, contracts, personnel data). Instead, we recommend using the services u:cloud or online storage space, provided by the University of Vienna.

 Note

If you only want to share files for a short period of time, for example because they are too large for an e-mail, you can also use the ACOnet FileSender. With this you can share files up to a size of 250 GB for up to 2 weeks. Only one of the parties involved needs to have a u:account.

Checking technical requirements

Check the following requirements before storing your data in a cloud service:

  • Are you allowed to store data in a cloud storage system, i.e. on a server outside the University that may even be located abroad? This is particularly important in the business and academic context.
  • What type of data storage does your preferred cloud provider allow? Read the details specified in the terms of use.
  • Check with colleagues, friends and on the Internet whether your preferred provider is trustworthy. Have there been any security-related incidents with the relevant provider in the past? Are there any other negative reports questioning the reliability of the provider?
  • If you cannot find any information about the provider, this can also be a warning sign. Use only cloud storage services that are well established and commonly known.

 

Accessing the cloud storage securely

  • Only use the software or app provided by the cloud storage provider or a current browser to access the cloud storage service.
  • If necessary, use the incognito or private mode of the browser. This means that the session is no longer directly available after you leave the incognito mode, even if you do not log out.
  • Physically protect all devices connected to the cloud service (desktop computers, laptops, smartphones, tablets) from unauthorised access.
  • Make sure that any software on your working devices is up to date. This applies both to the software you are using to access the cloud service and to the operating system.


Via locally installed software or as a mapped network drive

Access the cloud storage via locally installed software or map it as a network drive.

To do so, please save the data you would like to store in a cloud in a special folder on your computer. The software automatically synchronises the folder and the cloud storage.


Risks

Storing your data in a cloud does not protect you from data loss through ransomware, as malware can still manipulate your computer.

For example: Malware deletes the original version of a file on your computer and in the cloud. It uploads another version of the file to the cloud that you cannot access. The scammers demand a ransom to release the data again.


Measures

Most cloud services allow you to recover the original version of an affected file from the trash (for a limited period). This is an advantage in comparison to data that are stored only on the computer. Check the rules for recovering files in advance and familiarise yourself with the procedure. This allows you to react quickly in case of an infection.

The storage quota of many cloud services also includes file versioning and the trash, in addition to the original files. If you have reached the limit of your storage space, the system may independently delete old file versions or files in the trash.


Via the provider's app

If you use the app of a cloud service on your mobile device, you usually see a list of available files. Download the files you need. The cloud storage does not automatically synchronise with your mobile device.

The ZID is currently not aware of any cases in which files in a cloud storage were manipulated directly via an app by malware and without a user’s action.

Make sure that your app is always up to date.


Via the browser

Accessing the cloud service via a browser is definitely the most secure, albeit least convenient, way to access your data.

The cloud storage does not automatically synchronise with your computer. You have to upload and download the files manually. Some cloud services allow you to edit files directly in the cloud via the browser. However, not all files are suitable for this procedure.

Do not pass on your log-in details to third parties and make sure that your browser is always up to date.


Risks

The ZID is currently not aware of any cases in which files in a cloud storage were manipulated directly via the browser by malware and without a user’s action.

Even if you edit files directly in the cloud, it is highly unlikely that your data are manipulated through an infection of your computer.


Measures

If possible, activate multi-factor authentication (MFA) or two-factor authentication (2FA).

Using cloud storage in a working group


Risks

After a successful phishing attack on one member of the working group, the attacker can pull any data stored in the cloud working group, using the captured log-in details. The risk increases with the number of users authorised to access the data of the working group.

The use of synchronisation software or the mapping of the cloud storage as a network drive via WebDAV involves the risk that the data of all connected computers of the working group are automatically downloaded and the original versions are deleted. For a short period of time, most cloud service providers enable you to recover data that was manipulated. However, the associated effort is particularly high for working groups.
 


Measures

  • Inform all members about the security risks related to the working group and how they can reduce these risks.
  • Depending on the area of application, it may make sense to access the cloud only via a browser.
  • If your cloud provider offers multi-factor authentication, you should use it.
  • Grant permissions according to the actual need. Users who only need read access should not be granted write access.
  • Use a password and, if possible, an expiration date when sharing data with persons outside your cloud working group. This makes the uncontrolled distribution of data more difficult.
  • If data of the working group are only shared with third parties in exceptional cases, it could be an advantage to give only administrators the right to share content.
  • Please note the storage quota. If the working group has reached the limit of its storage space, the system independently deletes old file versions or files in the trash. They cannot be recovered.
  • Make sure that you revoke former members’ access permissions within the working group as soon as they do not need them anymore.
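
One way to check a working group's shares against the measures listed above, as an added example that is not part of the original guidance and not a u:cloud tool. The roster and share records are constructed, and their field names are assumptions rather than any provider's export format.

```python
from datetime import date

# Constructed sample data; the field names are assumptions for this example,
# not the export format of u:cloud or any other provider.
ROSTER = {
    "alice": {"active": True, "role": "admin", "needs": "write"},
    "bob": {"active": True, "role": "member", "needs": "read"},
    "carol": {"active": False, "role": "member", "needs": "read"},  # has left
}
SHARES = [
    {"path": "/results", "by": "alice", "to": "bob", "perm": "write"},
    {"path": "/results", "by": "alice", "to": "carol", "perm": "read"},
    {"path": "/drafts", "by": "alice", "to": "alice", "perm": "write"},
    {"path": "/contracts", "by": "bob", "to": "external",
     "perm": "read", "password": False, "expires": None},
    {"path": "/slides", "by": "alice", "to": "external",
     "perm": "read", "password": True, "expires": date(2030, 1, 31)},
]


def audit_shares(shares, roster, admins_only_sharing=True):
    """Return (path, finding) tuples for shares that break the measures above."""
    findings = []
    for share in shares:
        path = share["path"]
        if share["to"] == "external":
            # Shares with persons outside the working group.
            if not share.get("password"):
                findings.append((path, "external share without password"))
            if share.get("expires") is None:
                findings.append((path, "external share without expiration date"))
            sharer = roster.get(share["by"], {})
            if admins_only_sharing and sharer.get("role") != "admin":
                findings.append((path, "external share created by non-admin"))
            continue
        member = roster.get(share["to"])
        if member is None or not member["active"]:
            findings.append((path, f"access not revoked for {share['to']}"))
        elif share["perm"] == "write" and member["needs"] != "write":
            findings.append((path, f"write access exceeds need for {share['to']}"))
    return findings


if __name__ == "__main__":
    for path, finding in audit_shares(SHARES, ROSTER):
        print(f"{path}: {finding}")
```

Set `admins_only_sharing=False` if the working group lets every member share content with third parties.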


In the worst case

If data of a working group were manipulated through an infected computer, you should remove the infected computer from the working group immediately and disinfect it.

Inform all members of the working group as soon as possible and urge them to be careful.

Then, you can recover the data from the cloud storage.
 

Additional security measures


Multi-factor authentication

If your cloud provider offers multi-factor authentication (MFA) or two-factor authentication (2FA), you should use it. This means that during log-in, in addition to your user name and password (the first factor, something that you know), you will be asked for a second factor, something that you have. This prevents unauthorised parties from logging in to your cloud storage, even if they get hold of your user data.

Most cloud providers offer different media as a second factor. For example:

  • A PIN that is generated by an app
  • A PIN that is sent in a text message to your mobile phone
  • An app that confirms authentication after biometric verification
  • Special USB devices for authentication

Many cloud storage services only ask for the second factor when you log in from a new device for the first time. This device is then classified as trustworthy. This increases convenience and, at the same time, ensures that no unauthorised party can add untrustworthy devices as long as other persons are not in possession of your user data and, for example, your smartphone and SIM card.

 

Encrypting data

All well-established and commonly known cloud storage services transmit data between your device and the cloud storage in encrypted form. This way, unauthorised parties cannot intercept, read or change the data during transmission.

In the cloud storage, data are usually unencrypted. Therefore, attackers who manage to access your cloud storage could download and manipulate the data.

Consequently, it makes sense to store data in the cloud storage in encrypted form in some application scenarios. For this purpose, you can use different tools in the form of software products by special providers.

To encrypt entire synchronised folders, the Cryptomator software is recommended. It saves each file individually in encrypted form. Especially in the context of cloud services, this has the advantage that after a change, only the files that have been edited need to be transferred. Instructions for Cryptomator can be found on the Cryptomator website.

Container-based encryption solutions (such as VeraCrypt) are very often not suitable. These products are usually based on an extremely large container file. Most cloud storage services would require you to transfer this container file again every time you change its content.

Encrypting data rules out some application scenarios or greatly complicates them. Check in advance whether the product you selected fulfils your requirements.

There may be restrictions in the following areas (among others):

  • Sharing data with other persons
  • Accessing data from different operating systems (Windows, macOS, Linux, Android, iOS)
  • Accessing data via the browser
  • Recovering data you deleted by accident, if the encryption solution obfuscates paths and file names

Encrypting data may result in extra effort:

  • You may have to take additional steps, such as re-entering your password, manually establishing a connection or updating the software.
  • Keep key files and passwords for the encryption safe for a long period of time.
  • You have to ensure that you can migrate your data to another encryption tool if the encryption software you are using is decommissioned.

 

 Note

For more information on encryption in general, see Kryptographie (cryptography, in German).