Is cloud data secure? Would your data be more secure in the hands of Google or left where it is? Your answer to that depends on where you store business information at the moment and, of course, whether you feel Google can be trusted. We’re picking on Google here because it is the “cloud” player that, rightly or wrongly, receives the most criticism …
"We’re picking on Google here because it is the “cloud” player that, rightly or wrongly, receives the most criticism about security and privacy."
Given Amazon has recently and publically removed Wikileaks content from their cloud, I think you could have targetted them more far more legatimately than Google.
if the point were about reliability then amazon deleting customers would be a good point, however if the concern is privacy/security then amazon haven't (as far as we know) handed over any data merely deleted it
who would you use as an example of someone not to trust to look after your wallet, a thief or a murderer?
Let's be neutral here and remember Amazon rigging ratings for DVDs and books to sell more of them, and censoring negative reviews.
They then snuggled up to Obama to attack Wikileaks.
Google on the other hand took data that was readily available to anyone and got a telling off (which they deserved)
I'm not sure which is worse there, though i would point out Google's information theft may have increased web security by showing people why they need a password for their WiFi.
companies who have concerns about warrants store the evidence in their head offices, which are conveniently located in countries with high privacy and low taxation laws, but i don't think that's the sort of data the article is referring to
i think in this context security concerns are more about data leaks (black hats, poor isolation between customers data, etc)
Your data could physically reside anywhere in the world theorectically, where-ever your cloud provider decides setup their Data-centres - quite possibly a place that has the lowest-cost operationally speaking (given mediocre political stability and tech facilities). The thing is, if you logically protect your data with high-grade encryption, and have a decent standby set-of systems (with backups), chances are you don't really care - unless your organisation is a gov/mil/sec/political type.
And if your data is in Timbuktu (but secure as hell, and backups rarely are), what about your outsourced admins? why is this important? a UK admin might be approached with an offer of £50k for data/secrets the liklihood is that he'll turn it down and report the incident, offered £1m you might get a bite, a similar £50k offer to someone who has a fraction of the UK salary and living costs would be just as tempting as a £1m to someone in the UK, let's be straight here, UK workers are no more trustworthy than (say) Indian workers, however but you get more for your money in India, and that includes bribe money, it's basically cheaper in India to say "take this money for that data and you and you familiy will be set for life"
I think the main concern must be what rights you have/lose depending upon which country that data is deemed to be held in.
I think we can all expect the USA to mine data at will if they decide to, having decided the data is stored on a device physically in their jurisdiction.
Other countries may not be better. I think, though, the security should be better than your own, excepting the above. I'd expect Google to know more about network hardening and intrusion detection than I do, for example.
I suspect it's the difficulty of assessing the risks of migrating to a cloud that's holding organizations back, as much as anything else. We know how to do risk assessment of servers, data retention and archiving systems, data centres, firewalls, physical site access controls - we've done them in the past and there's plenty of advice and best practice available.
But - how do you identify and quantify the risks with the cloud model? No-one really knows.
A risk which is that difficult to assess and mitigate is by definition a high risk...
Use an appropriate standard that provides a higher level of assurance than your current processes.
It is highly unlikely that your current processes will pass PCI/DSS (Payment Card Industry Data security Standard), so if you out source your email scanning to someone that passes PCI/DSS you have given the job to some one that has passed a much higher level of vetting than your current operation and is thus lower risk...
PS If you look at most cloud systems they have all the usual stuff.
Data centres, firewalls , physical security etc. There is just a bit more investment in on demand flexibility and distributed storage which make sense for any one that wants 100% uptime.
You are just jumping on the back of someone else investment.
A more important issue is can you phone them up if it goes wrong.
E.g. At the cloud summit some one explained that support from Amazon and Google was similar (non existent) post in a forum and wait 3 months.
Ronald Duncan
@UK PLC
http://www.uk-plc.net
Using the wikileaks example : Your data could just go missing if some one somewhere decides it is inappropriate.
In our case, the terms of our funders state that our data has to physically reside on the premises. Never-the-less I still would be hesitant to put it all on the cloud. Just too much risk.
As individuals or companies, we're happy to keep our money in a bank. That has a lot of the same attributes as a cloud computing environment: we don't know, exactly where our money is (if it's anywhere at all), we trust the bank not to give it away to baddies - yet to let authorised people have access to it.
The question is: are cloud computing outfits as good at looking after data as the banks are at looking after money? Do they have tried and tested security regimes? Have they been accredited by a standards-setting authority? Do we have any redress when (as they are certain to at some point) things go wrong? Who has a big enough stick to give them a smack on our behalf, occasionally, when they deserve it - or are cloud providers too big or nebulous to hurt?
ISTM, these questions have not really been answered satisfactorily. It could well be argued that "clouding" our data is no worse than tossing it over the wall to an outsourcer - although they may not exactly be people the cloud providers would want to be associated with.
At least keeping our data in house, the equivalent of a hiding our cash under the bed, means we are in control of it and know how it's being looked after (even if it's not that well). I think the cloud-computing industry needs to have successfully survived a few crises before we can categorically say that they're safe enough to entrust with our companies most precious assets.
First the author assumes that you will respond based on where you currently host your data.
This is true. If you already host it in the cloud then you already made your risk assessment. If not, then you're not a good IT admin/director because you failed to consider the value of your company's data. So its a moot point.
Second the author assumes that smaller companies are incapable of securing their own data. This is patently false. There are a myriad of ways one can secure their data, each with a cost/benefit analysis attached to it. This assumption is also that a corporation can't properly secure their own data centers. This may be true, but if true, then it also shows a flaw in the argument that the larger data center providers can also secure your data, or in fact do a better job.
Third, the assumption is that the 'large' providers are going to do a better job because your company is cost cutting and stretching their IS people to the limit. This too is true of the providers like IBM who's profit margin is based on how well they contain costs. There is an increased risk with using a hosting provider being susceptible to 'social engineering' hacks. (Just ask Captain Crunch ;-) )
But the author also ignores issues like data protection laws that are circumvented by companies like Google who ship your data around the world. Suppose a breach happens in a country that has weaker laws protecting one's data, if any at all? Depending on the contract, you may be stuck holding the bag.
Suppose a bank off shores their data center and work to India where there are less stringent laws protecting your data. Someone in India, steals your identity and credit card information... (Like that hasn't already happened...) Who's responsible? Who's data laws are going to be used? The breach occurred in India, not the US or the UK. The point is that it becomes difficult to know the legal ramifications of the breach.
'Clouding' your data is in fact tossing it to an outsourcer because the keeper of the cloud is now managing your infrastructure for you.
The bottom line... if you are responsible for securing your data... keep it in your own data center in your own secured buildings.
One other point not mentioned is security by obscurity. Google warehouses are a large target. Just look at the "China" hacks vs Google, et al. Does anyone even know the IP to my data? Doubtful. A decent firewall and Snort should provide enough of a probe-deterant for any passers-by.
As for physical security, small/mid biz can protect their data well enough to sleep at night. Sure, there's no key-card access logging nor eye/palm scanners (sometimes!), but a key that only 1 guy has is sometimes all you need.
Security by Obscurity has been proven to be no security at all.
The point is that if someone hacks in to Google, then they can get at your data.
The other thing to consider... how Google uses your data and has access to your data which you gave them permission to access.
So if you want to use 'the cloud' and before putting your data out on the cloud you encrypt your data... That may be a valid method. Its one that a company has to make before 'going to the cloud'.
As a small business, I can protect my data several different ways. I could lease disk space and store encrypted copies of my data as my off site. I could lease space in two different data centers and control the servers and keep encrypted data at those centers.
The real issue is that we (IT professionals) need to determine the value of the data and how much effort is required to protect that data. Because of things like Truecrypt, it may make sense to store sensitive data in off site premises that are not controlled by the company itself.
There is a statement about how much data is on laptops, desktops, portable HDs, etc. How is that going to stop when you move the data from your own server room to the cloud? It won't, so the same security will apply.
As for moving your servers to someone elses datacentre, we know the costs of Gb fibres from the servers to the users routers. How much is Gb connection to the cloud? We survive at the moment with somthing like 512Mb to the web. How do we replace 10x 1Gb fibres with 512Mb and still be able to work? Especially for the CAD stations which just close if they loose the connection to the database which stores every single element of the design?
If all you have is email and a few files, or a simple transaction based DB, then OK, but if you do serious work, I think no.
I don't know that I'd call the cloud more or less secure than stuff stored outside of the cloud. Maybe "differently secure", with a slight hint of "less secure". (I almost hate myself when I talk like that.)
You look at a cloud, and what you see is a hopefully strongly secured data center that's putting check (or "tick") marks in all the right boxes...strongly secured facilities, a responsive attitude to pushing out security fixes and encouragement to use good security practices.
But...that's not all of it. A data center from a big name like Amazon or Google can't help also being a big target...anyone planning a physical, legal or "vigilante" (think DDoS attack) attack on one of those has a fairly large target to hit, and the odds (at least so far) of their being successful have been demonstrated to be pretty good (at least for DDoS, which is usually effective enough).
You also don't know how old disks and servers are being handled when they are removed from service...was your data properly scrubbed off of these devices, if it was ever written in cleartext to start with? What about employees working for the cloud provider, even ones that are just doing their jobs?
Software security issues must also be considered. When your service faces something as large as the Internet, many people are trying to pry it open and look at things they shouldn't.
In that vein, I think there is greater security to be had in, say, Unexpected Bill's "little" computer installation, mainly because it's not a big name service. I don't have man traps and 24 hour cameras or a security service, but who cares about the piddly little amount of computing I've got going on? Someone might steal my computers on general principle, possibly to fence or strip them for components, but they probably wouldn't be very interested in the contents of them. I also know what I'm doing when I retire old equipment, and I'm in control of how my data is secured when it is being stored. I also know what I'm doing to make backups, and how to test them.
Don't get me wrong--I don't think the cloud is useless. It does have its merits. Whether or not it can be made into a satisfactory solution for those who demand the ultimate in security...I don't know. It's plenty good enough for "a lot" of things.
then it can only be stolen / lost through my own mistakes or incompetence.
However if it is stored in the Cloud then not only am I risking losing it through my own mistakes but also through those of other people.
It doesn't really matter how secure the online system is: If files are stored on an external device kept in my cupboard then not even the greatest hacker or most incompetent network admin on the planet can cause it to get taken.
Moving to the cloud has several concerns for me. In no particular order:
1. Requires network/Internet access is required to get at the data. We're fairly centralized here, so putting the data across even a private network entails additional risk of both inaccessibility during a network outage and interception on the wire as it travels through my ISP or the Internet.
2. The laws in the area where my data is stored are the laws that will determine how it is treated.
3. I have little or no control over what physical location (which country) my data is stored in. This may violate legislated controls as required by my own country.
4. Inability to share data between different "clouds". If I decide that I want gmail to be my email "cloud" provider, but want Oracle to be my database "cloud" provider, I have a limited ability to make the two systems share data - largely controlled by how each company feels about the other.
5. Exporting the data if I should decide to leave my provider is almost certainly going to be hideously complex and expensive.
6. Usage rules. Nearly all of these cloud providers has rules around how you store and use your data. If you go outside of those rules, you pay extra, usually through the nose.
Just what I can think of off the top of my head. While security is certainly a part of why I don't want my data in the cloud, there are a host of other solid reasons not to put it there that are more practical than anything else.
Of course your/our data is insecure and secure at the same time (it tends to be relativistic notion than absolute).
Use a networked computer then your organisation has duties and responsibilities and rights to check what one does.
Store on the cloud? Well that merely depends on the access chain to your data and what notions of trust one might have with the provider.
My best analogy is that there is no such thing as security as far as general use computers and computer users are concerned. One's data might be analysed anonymously with varying degrees of trust or it may be analysed directly (profile building anyone?) or it may be accessed directly.
So? What to do?
Carry on regardless. Whether cloud or not your data are also our data?
Inspired by this article, I wrote a little blog post on PTPT and why we took the route to not host our services in the cloud. And the author is correct: it's not about the security, it's about trust. We want to leave the power of control in the users hands.
We have over 1 million users on a PCI/DSS certified cloud platform based in the UK.
There are different sorts of cloud platforms, so a system that focuses on ecommerce and eprocurement is likely to be more secure than one that focuses on broad casting text messages.
There are different sorts of security standards.
Government standards e.g. Everything above impact level 3 is prohibited from connection to the internet. (If you are serious about security do not connect to the net).
Commercial standards
PCI/DSS (Payment Card Industry Data Security Standard) PCI/DSS requires a good information security policy and has a large number of mandatory controls that go right down into how applications are coded, scans and penetration tests. (Best practical security we have come across).
ISO 27001 make up your asset list, think of the associated risks, evaluate the risks, and choose if you want to mitigate or not, then document all the above, and be audited on if you follow the documentation. (It works well with PCI/DSS which ensures that you have appropriate controls). Otherwise you have no idea if the controls are something that are acceptable to you as a customer.
The bottom line is that most cloud platforms have a much much better security record than any normal commercial company, since it is much more important to the cloud platform.
In terms of our user base, our customers accepted that we were secure about 5 years ago and it is only new customers that we have to explain how we keep their information secure, and it is a lot less of a concern to our customers.
Privacy - is straight forward, our customers information is private end of story, so we have not had any issues with privacy.
Ronald Duncan
@UK PLC
http://www.uk-plc.net
Read an article that made me think of this today:
http://www.wired.com/threatlevel/2009/04/data-centers-ra/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%253A+wired%252Findex+%2528Wired%253A+Index+3+%2528Top+Stories+2%2529%2529&utm_content=Google+Feedfetcher
Considering how we are moving to centralized storage, this is becoming a more likely event every day. If company A has data pertaining to a crime stored on a SAN with my data, what are the authorities likely to do? Wait for some nice administrator to pull that data off for them? I don't think so. It will all go into the truck and they'll sort it out later.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
