In spring 2017, Apple’s iCloud service was held to ransom by hackers threatening to delete customer iPhone, iPad and Mac data. With this and several other high-profile hacks on cloud services, many structural engineers wonder whether it is trustworthy enough to handle their design projects. Here, Paul Comino, chief technology officer and co-founder of cloud engineering software provider SkyCiv, explains the measures taken to protect structural designs.
Since Adobe first launched its Creative Cloud suite of programs in 2013, there has been more than 198 million downloads of the suite’s mobile apps. This of course excludes the desktop editions and, since much of Adobe’s target audience uses desktop Macs, this means the actual statistic is likely significantly higher.
This uptake of Adobe’s cloud services gives us a clear indication of the overall adoption of cloud computing in modern times. Changing work habits and the advancement of mobile technology has meant that the flexibility of access to data that cloud platforms provide is almost a modern necessity.
However, with this adoption comes increased awareness of any attacks on cloud platforms. Incidents such as the 2017 ransom of Apple’s iCloud by hackers or the infamous attack on Sony’s Playstation Network in 2011 gained significant public attention, which has led many to question cloud’s security.
This is understandable and a particularly strong fear for structural engineers, whose design projects are often confidential. With cloud-based structural software such as SkyCiv’s becoming more popular among engineers, how can engineers be sure that their projects are safe and secure?
Three steps to safety
At SkyCiv, there are three steps we take to ensure the security of data. The first and most obvious is encryption, which we believe to be the cornerstone of data security. Almost every cloud service provider or company using the internet to handle sensitive data will use encryption to safeguard it, but it’s important that the provider understands developments in cryptographic algorithms.
For example, two of the most common cryptographic hash functions are message digest five (MD5) and secure hashing algorithm one (SHA-1). These two forms of encryption have existed for a decade and have extensive vulnerabilities, which means they are not secure enough for confidential or sensitive data.
In layman’s terms, a provider using these would be unable to ensure data safety as most hackers can decrypt the hashing with relative ease and decode user data. SkyCiv’s cloud services do not use these encryption techniques for this exact reason and instead use more recent and secure alternatives to protect user data.
Another process we have in place is access security. The benefit of cloud is that it makes software accessible from anywhere in the world with an internet connection, which means it’s important that users can track where they are logged in. Engineers must therefore have assurances that, if unusual activity is detected, they are notified in case it is an unauthorised infiltration.
Cloud software providers can address this problem by limiting the number of users that can be logged on to one account at a time. SkyCiv also monitors the IP addresses of these login attempts and, if attempts are detected from five different IPs within a space of three days, the account could be frozen to prevent potential misuse of the software.
The third key security factor is one that some providers fail to address. To ensure security, the servers housing the data must be kept regularly updated to minimise the risk of vulnerabilities or loopholes being exploited by hackers.
This is why software providers should partner with dedicated cloud hosting companies, whose job it is to maintain the servers. Often, software providers believe that hosting their own server will give them more control over updating the system, but this more often leads to delays or neglect due to other business obligations.
At the Black Hat USA conference in 2014, security researchers from Adallom explained that one of the biggest threats to web services is the users themselves. Although publicised attacks on cloud platforms have driven suspicion of the technology, by choosing to work with the right partner, engineers can ensure that the process is no riskier than using any other service and the benefits outweigh the risks.
