Paranoid about the NSA? The case for dumping cloud's Big 3

Encryption

Encryption works if you use the "cloud" for data storage, say as an off-site back-up. And it is only trustworthy if you have control over exactly what software is doing it (and realistically that means a well regarded open source system) and you are the only one holding the key.

Where it all falls down is if you are using the "cloud" as a computing-on-demand service, or for document sharing and web-based editing, because then it has to be decrypted on the servers of the host, so they have access to your key.

Sure, the data at rest (i.e. stored on disk) may be encrypted, but they could snapshot the running VM or whatever and then poke through its memory for the key.

Really if you are concerned about privacy then run everything on a local machine, with multiple layers of firewall/VPN style protection depending on who/where access is needed, and only use an off-site provider to keep encrypted backups. That you encrypt before they move off-site.

If a company is headquartered in the US, then they may be beholden to American law, regardless of where their data centres live

Isn't it possible for UK companies that do business in the US to also fall under US law?

You could potentially be doing business with a UK business in the UK with data that never leaves the UK, but because it is either a subsidiary of a larger US corporation or has sufficient dealings on the other side of the pond they could still face demands from the US government.

For that matter, where does that leave domestic ISPs here, such as Virgin Media, since they have US based owners?

It's like running your own IT still makes sense...

If you own the infrastructure, you are far better protected if you own your own assets and data. Yes - security and patching are an overhead, but the benefits far outweigh the costs.

The Cloud - your data on someone else's computer.

Even if you store your data outside of the USA, I would still not put it past them to try and get hold of your data. For one thing, a lot of governments are so beholden to America that they will quite happily sign agreements allowing America to access your data either directly or indirectly.

Evidence? Just look up FATCA. I fear that it will not be long before a data version of FATCA happens along.

There are probably some countries (Switzerland for example) who are trying to set them selves up as data secrecy jurisdictions, similar in concept to financial secrecy jurisdictions. Places to go where you want to hide things from the prying eyes of overbearing governments.

We do live in interesting times.

Fun ...

"How can a small business look a regulator in the eye and say "yes, we're compliant" when in all honesty even the regulators don't have the foggiest clue whether or not storing our data elsewhere is legal."

Easily solved: if the company with whom the customer has a contract is Canadian, Canadian law applies. US courts can stay within US, EU national courts within their nation states, and none can over-ride Canadian law or access that data. To use US as an example, Any data access by US agencies at local, state or federal level is fruit of poisoned tree, and any judge allowing it should be required to eat said tree for dinner. If the Canadian company has a foreign parent or outsources any of its functions to any non-Canadian entity (even indirectly), it should be required to state that in customer contracts and get customers to explicitly accept that term, with all jurisdictions named; if that changes during the life of the contract, customer can back out at no cost to themselves.

Of course, that's far too simplistic.

It doesnt keep megabucks lawyers in jobs for years, for a start.

Keep ISP & other services separate

I've changed ISP twice due to the original companies being bought up by other companies who were either cr@p or whom I didn't trust. The first time round I had ISP-provided email so I had to find another provider which, of course, meant changing my email address. Now I have separate email providers & ISP. That means less upheaval when changing ISP if that were to be needed again.

If I were to keep data on someone else's computer I'd apply the same approach: why have the hassle of migrating data because the ISP loses its ISP competence? Come to that, why have the hassle of changing ISP because they lose their competence to manage storage?

I've always thought that a cloud infrastructure dominated by the oligopoly of the big three providers presents unacceptable risks beyond the threat to data security for a particular user. Think what might happen if a terrorist or state-sponsored actor should somehow inject some kind of system-wide disruptive malware into one of these systems. Microsoft brags about how their security apparatus depends on a single global Active Directory instance. What if it became corrupted somehow? These systems present single points of failure and therefore attractive targets for all kinds of problems, both intentionally malicious and accidental. The mind boggles!

The only thing cloud providers have to offer is the competence of their staff.

Otherwise, a beat up old computer with an external usb drive in the 1-2 terabyte range is all the cloud storage anyone needs, and you can put that in your basement cheap.

No competent staff ? Don't waste my time. Computer hardware is dirt cheap these days.

Consider this : Rasberry pi computer - 35$

4 gigabyte ssd card to run the OS : 16$

1 x 2 Terabyte external hard drive (usb) : 120$

1x Cat5 network cable 10$

Thank you and good night to any expensive "cloud solutions" I'll do it in my basement.

Encryption ???

Why would you use dead storage on a server anyways ? Do you have any idea how cheap a couple of usb terabyte drives are ? Do you have any idea how expensive a terabyte of data transmitted over the internet is ? And now you want to talk encryption to defend an already economically indefensible business plan.

If security is your concern , then you must run a high speed connection to your basement and set up your own server or two. Renting from anyone else is a total fail on the security front. They can all be supenaed , sued, the door kicked in by police , or just plain hacked.

And if the computer farm is strictly for internal use, the high speed connection should be skipped entirely , and no internet connection at all should be permitted. (lock all the usb ports , floppy drives, cd roms , on all the computers. And set up the routers so that people can't just pull a network cable out of a computer and plug it into their lap top)

wtf cloud ?

Cloud is a solution looking for a problem.

I mean really , we all now pay by the gigabyte for uploading and downloading , and they're trying to get us to store gigabytes of data in the cloud ? WTF is up with that ?

I look at a terabyte back up drive and it comes with software to back up the whole terabyte into the cloud. WTF ? Do I look like I have the money to transfer a terabyte of data to the cloud ? Let alone bring it back later ? no ! That's why I'm buying the terabyte back up drive in the first place ! Duh !