'The UK attitude is it is inherently less safe with a third party'
Wow, an outbreak of common sense at last!
A "fragmented" legal framework, the "attitude" of regulators and a naturally cautious approach to security issues are among the reasons why UK businesses have made less use of cloud computing than US counterparts, according to experts. IT law and cloud computing specialists Charles Park and Christopher Mann of Pinsent Masons …
The UK attitude is that your money is inherently less safe in a bank than under your bed. It probably is these days, but we still use banks.
It simply is not the case that using a top notch third party to run infrastructure on your behalf is inherently less secure. I would argue that for the majority of businesses, their local physical and digital security is substantially weaker than the best service providers.
Businesses who embrace the cloud and manage it properly stand to gain a huge competitive edge. This is what will drive the transition in the end, and the job of the IT Director will be to make sure it is delivered securely and reliably.
"Businesses who embrace the cloud"
Sounds like a cult to me!
"top notch third party" -- and that would be....? Sure as hell isn't Amazon or the like, just ask Netflix.
The problem isn't the safety - it's the liability.
At the end of the day, no matter what service provider you use, you are taking on the liability and passing off the chore of actually doing the job. Sure, you can get contracts that pass the liability on, but you still have to go to court, those sort of agreements cost more for a reason and, at the end of the day, you still don't win. You still have to explain how your data got somewhere else.
It's not a question of whether I trust Amazon not to lose my data or disseminate it or not. It's a question of whose neck it is if I do that. And the answer, generally speaking with ordinary business contracts, is *mine*. Even if I can go to court and show I took reasonable steps and that whatever-provider failed in their contractual duty that they agreed to - it's still the hassle I have to endure, still the argument and cost of doing that, and - ultimately - still my neck.
"Oh, I gave all our data to this tramp in the street who said he'd look after it for me, but he didn't" is no different, in the eyes of data protection law and similar, to "Oh, I gave all our data to this reliable multi-national in the street who said he'd look after it for me, but they didn't".
And while my neck's on the line - I'll take it upon myself to do what's necessary. And that means putting it only on systems under my control, as far as reasonably possible. "Cloud" junk and third-parties just confuse the issue in order to "reduce" costs (but the reduction never really filters back to give anyone any more money - Amazon or whoever still have to buy machines, put them in a datacenter, put my data on them, secure it, etc. etc. etc. AND CHARGE A PROFIT).
Well-presented! Particularly the "competitive advantage" and "embracing the cloud". You almost got me reaching for my (virtual) wallet, sir. Not.
I wonder what you do for a living?
No one is going to take such good care of your property as you will.
Not only 'inherently less safe with a third party' but inherently less safe trusting data to an unknown state ... for all you know your data may end up in a 'state snoopable' data centre in Libya, Burma, China, North Korea, perhaps even the US ...
No.. we are just less gullible than our US cousins!
As an IT Manager in the Financial services sector, I'd add the issue is much more diverse than security. There are other issues such as support, accountability and cost.
I'm currently managing an Infrastructure refresh project, our original design involved substantial use of cloud, but after running a 2 month evaluation (with Grid, IBM and EC2), the results were
1) It was more cost effective to buy our own tin
2) Getting support when a problem occurred was near impossible.
3) Account managers were only interested in getting the paper signed.. after which we couldn't see them for dust
That's not to say Cloud is useless, it's great for start-ups who don't have the cash to invest in infrastructure, whose scalability needs are unknown etc.
But our conclusion was, if you want something cost effective and know exactly what you need, want it to be reliable and well supported - do it yourself!
That sums up the general concern with outsourcing.
When you do something in house, your primary concern is value.
An outsource provider's primary concerns are margin and volume.
Who can you trust with your data?
Perhaps the 'problem' is stuff like the Data Protection Act which says you're not allowed to ship data out to other countries with fewer safeguards than the UK, like the US. If your cloud is based in the US...
Our ISO has stated that using any US connected service would put our data under scope of the Patriot Act, and that as a company we would be liable to the data subject (i.e. could be sued) for any breach arising from that. End result - very cautious use of cloud.
Remember - it's not just about snooping. The Patriot Act allows the FBI to shut down any server farm anywhere in the world if it's under a US company's control. So you might come to work one day and find all your data has done a MegaUpload and disappeared.
He's correct. Patriot act = bad news, if you have regulatory obligations re: confidential information.
Let me educate a little - that is actually not true. Read up on the Safe Harbor framework - http://export.gov/safeharbor/
@k. Safe Harbor is a framework that allows US companies to comply with EU regulations. This isn't automatic. They have to do work and apply for certification. This is a fig leaf since there is no safe harbour from the Patriot Act.
Safe Harbor is a voluntary boondoggle, it has no protection of law behind it.
It allows EU companies to deal with data holders in the US, but without the safeguard of a legal framework behind it - it would be a straight breach of contract and require a civil case to sort out.
"I think there is a more conservative approach towards, for instance, security risk," Park said. "The UK attitude is 'it is inherently less safe with a third party' whereas there is a strong argument the reverse is true, if you opt for a reputable supplier with industry-accredited security levels. The industry has generated a lot of hype, so caution, if not scepticism, is understandable."
I really get annoyed at this. Look...our data is more secure where it is, thanks very much. I do not *need* cloud, and I see no reason to go through all the due diligence pain for a service that adds no real value where my data security is concerned. Why is this worded to make it look like cloud is something we *must* be using?
The cloud is mainly lauded and hawked by those seeking to make a buck from providing a service to the gullible and clueless. Same old attempts at centralisation which comes around every few years and then goes away again when people realise yet again that spreading resources around is better.
Everyone who can keep and manage their own data, will do.
Have to agree with the general consensus here.
The cloud is being positioned as a cure-all but in reality it is just sliding a layer of ambiguity between you and your data. If you run your own data-centre and things go pear-shaped you can use a multi-layered approach up to and including building or hiring a temporary set of servers to get you back and running. If you want a restore of a single file you can pull the relevant tape and just do it.
If you go to the cloud then you are reliant on your provider meeting the agreed SLA and if they have a major issue then you just have to take your place in the queue. You could try renting one of those funky trailer-based data-centres but who has your backups?
When it works it is great... but our job is to plan for if it doesn't.
US companies are already under US law and jurisdiction, so it makes no difference to use the mostly US-based clouds. For a non-US company there is an inherent risk in exposing your data to US law and, most importantly, seizure.
In all the grown-up discussions I've heard over this, people leave their tin foil hats at the door. Main concerns are data *theft* from a cloud (which can be mitigated by encryption) and data *loss* because the FBI have decided that a server somewhere in your cloud provider's inventory is "rogue" and the company needs to shut down ALL its servers. The latter can only be mitigated by having multiple providers, which ups the complexity - and cost.
No, main concern is the DPA which makes outsourcing your data to somebody who is not subject to the DPA, er, illegal.
...and data *loss* because the FBI have decided that a server somewhere in your cloud provider's inventory is "rogue"...
Or perhaps sometimes the concerns include a different type of data loss - and theft - thanks to the incompetence of the FBI and those working for them? Admittedly this article is not new, but I wonder if things have really changed that much since 2007?
From the article:
While the OIG applauds the work that the Bureau has done so far, they still raise questions about the loss rate and about the FBI's procedures for handling such events. Losing guns isn't a good thing, but losing laptops can be just as bad, especially when they contain classified information. Unfortunately, the OIG determined that the FBI doesn't even know which of its computers contain such information.
First, US agencies getting access.
Second, outage - even Amazon had this.
That's how I'll describe them. I won't ever use the fucking word "cloud". Jesus Christ.
Yep, enjoying the irony-laced posts that state "I'm not trusting a cloud, I'll just stick with my trusty (3rd party maintained) data center and hire (3rd party) temporary servers if it goes tits up."
The main issue appears to be regulatory - countries like the US where your US-based 3rd party service is subject to government seizure on a whim. Otherwise many companies are already using it - just not calling it that.
CloudTM is a marketing term for providing a shiny, manageable GUI for this well-established industry norm.
Dear Pinsent Masons,
You may talk about EU regulations and rules, however what it comes down to is that companies in these parts are much less willing to store important (perhaps mission critical/trade secret) data on servers in a country where data is available for examination on the most tenuous of grounds, a country that has repeatedly demonstrated favouritism, and all bound by a legal system that seems to increasingly defy logic.
American companies aren't so worried as this is their own way, perhaps they just don't know any better? International companies will do something called a trust assessment. Do you trust the provider? And do you trust the country in which your data will be held?
The results speak for themselves.
This thread sounds like it is populated entirely by people who have never heard of back-ups or encryption.
Obviously, none of them have ever used anything as terribly risky as proper hosting for their web site or similar third-party services.
"This thread sounds like it is populated entirely by people who have never heard of back-ups or encryption." - What good is encryption when you can be compelled to provide encryption keys? [remember: the law applying to your data in the cloud may be very different to the law in the country in which you are currently standing]
Backups are irrelevant. If you have important sensitive information in a "cloud" and it leaks or is otherwise appropriated (with or without your knowledge), then, cool, you have backups. Good practice. But said sensitive data is still on the loose.
"Obviously, none of them have ever used anything as terribly risky as proper hosting for their web site" - The primary difference being that my website is intended for public consumption, the things I put there are things I am happy to share. My MP3s, my bank statement PDFs, other private/confidential information...that stays on my local system and doesn't get shared. So, please explain the "terribly risky" part as I don't think I understand your point...
So they are bitching that the people running SMEs in this country can see through the smoke and mirrors. Might also have something to do with the fact that when running such a business you pretty soon realise you're surrounded by sharks.
I don't believe that all that many Yanks are interested in using the "cloud" either, contrary to the hype.
Significant use of the cloud implies a lot of data moving between the cloud-based servers and the client devices. That's not so bad when you have a fixed line but when using mobile communications it can amount to a considerable cost for rather disappointing speeds (and very patchy coverage), at least here in the UK. That's certainly one reason I don't regard it as a serious option ... though the implications of the Patriot Act are certainly another.
I don't know whether cellular data use is cheaper or more reliable in the USA than here ... but if so that could help to explain why the cloud is seen as more acceptable in the US market.
As a good number of Cloud Companies are divisions of US parents who are subject to US law even trumping local law and said divisions will comply with every request from Uncle Sam for a 'full and total' disclosure of what you have stored in the cloud, is it any wonder we (naturally cautious and reserved brits) feel a bit cautious about putting our data crown jewels in the cloud?
I won't be putting my shit in any cloud system anytime soon. Ok, so you have encrypted your data. Don't you think that Uncle Sam has enough computing power to crack any encryption in a few hours, thus making your measures totally useless?
Keep your data to yourself and don't let any 3rd, 4th, 5th etc party have access to it.
Don't use the same alias on more than one site.
Do regular Google, Bing searches for yourself.
Keep safe, it is a war out there. There are people/companies fighting to get to know everything there is to know about you. It is up to you to stop them.
Searching Google for info on me reveals nothing. I aim to keep it that way thank you very much.
No, I don't believe he does. Anyway, what would be his motive for going to such lengths to look at your e-mails and accounts data?
"Anyway, what would be his motive for going to such lengths to look at your e-mails and accounts data?" And that's the point - from a UK-centric p.o.v., there seems to be neither rhyme nor reason to why the US legal system does anything, and the shamefully uneven extradition process with its highly publicised lack of anything approaching proportionality does not help to shed any light.
The US legal system seems capricious and spiteful - more so than our own, which is not something to be proud of sometimes. At least UK judges seem to be independent, which can't always be said for their colleagues in the US.
"Keep your data to yourself and don't let any 3rd, 4th, 5th etc party have access to it." - this makes sense.
"Don't use the same alias on more than one site." - ummm... how is this relevant to SMEs on the European side not embracing the cloud?
"Do regular Google, Bing searches for yourself." - no, dumbass, that will give away your identity! ;-)
Also, be sure to use only Google to look for yourself, for Bing's SSL uses an invalid certificate (akamai), and when you get there you are redirected back to plain non-SSL Bing. Google, on the other hand, does SSL correctly so your looking for yourself is known only to you and the search engine.
"Keep safe, it is a war out there." - why stop there? Where's the advice to use a battery powered acoustic modem hanging off a payphone? [Rule Of Cool here guys, it just looks better - why d'you think The Matrix used old-style telephones? In reality, it is a lot faster/simpler to cruise around until you find an open WAP and then piggyback (but never the same WAP twice)]
"There are people/companies fighting to get to know everything there is to know about you." - two people with markedly different interests use the same IP address. It has made Amazon's auto-suggest come up with some interesting stuff in the past. Right now it seems stuck on punting that goddamn Fifty Shades rubbish, how many times can a person say "NO!"?
"It is up to you to stop them." - you can't. When we, the users, sign up for a service there are pages and pages of Ts&Cs. I skip the lot (don't know any of the YouTube Ts&Cs, I never bothered to read it though I imagine it is mostly common sense expressed in legalese) as I note that advertising companies (some owned by YouTube's parent company) feel free to attempt to track, to profile, and to collect information without: identifying themselves fully, providing terms of service outlining what they do and do not do, provide the right of access to the collected and extrapolated information about you, decide to ignore your local law (DPA, anybody), and to bitch&piss&moan when somebody comes up with an idea like a "do not track" request. Which is now to be willfully ignored since a helpful browser wanted it turned ON by default. And, last but not least, OBTAINING OUR CONSENT TO DO THIS IN THE FIRST PLACE. Oh, wait, they didn't. And they could care less...
With a mindset and attitude like that, do you really think we can "stop" them? A better approach is to randomise and/or randomly delete related cookies and LSOs, plus actively block adverts and blacklist domains related to advertising or analytics. There are clearly no morals in on-line advertising, so don't get upset if I say STFUAD and actively disable advertising. I don't want to hear any SEO whinge, things could have been consensual - most people will tolerate small subtle advertisements (which is why those Google text adverts are not blocked - they don't annoy). But it was not to be, for some saw it as a GetRichQuick and it just went downhill from there.
"Searching Google for info on me reveals nothing. I aim to keep it that way thank you very much." - searching Google says some rather unpleasant things about Anonymous Coward. You might want to consider suing for libel...
Googling me shows some chick with a fancy bonnet. I'm in the list, but most of the links are not me. If you should find the correct me (hint: I'm a geek that likes cute Japanese girls things) you might notice certain specific things are missing from my blog. This is because the best way not to worry about your secrets being public knowledge is simply not to put them on-line in the first place. If anybody reading happens to know my real name (or gets it from my site), don't bother looking for it on Google. I'm not in the first page of results, and I didn't bother looking any further because page 2+ is like the void at the end of the universe where useless things accumulate... Maybe my ego matches my perception of self-importance? I don't check for myself on Google because I don't expect to see anything worth looking at.
Better still, avoid the use of Google at all wherever possible.