Is user data safe in the cloud?September 24, 2010: 3:00 AM ET
Thousands of websites and millions of pieces of private data are increasingly in one big cloud, where some of the old rules of data security are out the window.
With the rise of cloud computing companies, and the ferocity with which tech's biggest companies are snatching those firms up, it's no secret that a good chunk of our user data is already stored in the cloud. Our emails, our documents, our social network profiles and hundreds of thousands of tiny startups already rely on cloud services like SalesForce.com to be more productive and cost-effective. But one concern that remains constant is that of security. By off-loading more data to the cloud, are companies increasingly opening themselves and their users up to hacking, data loss, and privacy compromises?
What's at risk
Take the example of credit card data. Most of us don't think twice about saving account numbers and security codes into our online shopping profiles. The Payment Card Industry (or PCI) is a global information security standard established by a consortium including Visa Card, MasterCard, American Express and Discover, that places specific requirements on the operational infrastructure that handles high-risk data like credit card information. If an infrastructure doesn't conform to any and all PCI regulations, then it's not PCI compliant. And because cloud infrastructure is so vastly different than that what PCI was written for, most cloud service providers are in fact, not PCI compliant.
How a cloud service provider encrypts client data is also key to security. According to Forrester cloud analyst Chenxi Wang, cloud data encryption can be scattershot. Some services encrypt their data; some don't. For those that encrypt, it's worth figuring out whether the encryption is strong enough, whether the physical server that stores your data is entirely encrypted (ie. is all client data encrypted the same way?) or whether the service provider offers applications that encrypt your data separately and with different keys than other stored data.
That last concern stems from a popular cloud practice: some cloud providers store data from multiple clients on the same physical server. So, Client A may be running one "virtual machine" and Client B can be running on another "virtual machine," but both could be physically running on the same server. If an experienced hacker gains access to Client A via a security hole, it's not outside of the realm of possibility for the hacker to gain access to Client B's data as well. Even Client A, if they're up to no good, could become the culprit.
"The risk of that, depending on how the cloud provider, may be minimal, or it may be quite substantial." admits Wang. "From the absolute security stance, there is a risk that the other company who happens to rely on the same infrastructure may be able to utilize some covert terminal, or some kind of interface that's available to actually hack into your part of the infrastructure."
Another concern is the use of the third-party companies for various components of a cloud service. While Amazon's cloud services are entirely in-house, other cloud services are relying on third parties more and more.
Wang brings up a recent example where third party usage has gone horribly awry. For back-up purposes, client data is often written to tapes or drives, but after a given period of time, most back-ups need to be destroyed. Recently, an unnamed cloud provider sent their back-up tapes to a data disposal company. Wang says the data disposal company lost all the tapes, and thus all the cloud client data on them.
"The cloud provider was put in a very bad situation because they don't have any assurance the data was actually destroyed," says Wang.
Minimizing cloud risks
To reduce the chances of a nightmare scenario like that from happening, potential clients shopping around for a cloud service provider need to do their research.
The only way clients can fully understand and control their data is by learning as much as possible and being firm throughout contract negotiations. In the absence of standards like PCI, it's not enough to trust providers to protect your data or take their word for it: companies need to get details on how data will be physically stored, how well it will be encrypted on physical servers that share storage space with other client data, whether the provider employs third parties, and what those companies' operational procedures are. Clients need to be crystal clear in understanding how their data is handled and who within the company or outside the company will have access to it.
In the case of the lost back-up data situation, it almost sounds like a no-brainer that the provider would turn around and notify affected clients about compromised security, but in reality, the company is under no obligation to do so unless their contracts say otherwise. So, requirements for client notification, whether a good or bad situation arises, is a must.
Also worth inquiring about during contract negotiations? "First right of refusal" when hiring third parties, separate physical servers and cabinets, and/or separate data encryption services. Clients won't necessarily be granted such demands -- that depends on their history with the provider and how much they values the business -- but the price of not asking and subsequently suffering a security breech could be immensely high. Of course, some of the worst losses of private data over the last few years have come from the "stolen laptop" syndrome, where data that should've never been on personal computer ended up in the hands of petty thieves (or perhaps worse).
All of this, of course, is vital for companies who are setting up cloud based businesses and do right by their users. Average users generally have no way of knowing how their data is being treated, outside the boilerplate privacy policies that companies post on their websites. Which is to say that short of creating a total information blockade, we are already living in the cloud.