In the not-so-distant past, my main employer, the Canada Border Services Agency, considered the possibility of moving our data stores into the cloud. The reason was two-fold: not only would it cost less, but we would also spend less time managing it ourselves. It sounded like a good idea, but ultimately, we abandoned the idea because cloud storage was deemed too risky for our liking.
There were just too many implications created by having a third party host our protected and confidential data, implications brought about by troubling questions that no one could answer to our satisfaction. For instance, if a security breach were to occur, who would be responsible, and how much of a guarantee could the provider give us that our data would be safe from prying eyes?
As more and more companies look to the cloud for their data storage needs, these same questions are being asked over and over again. Now, with new hacking and theft incidents on some of the largest players being reported on a weekly basis, everyone is taking a step back and re-evaluating their risk tolerance. If you can relate, then read on to find out where we stand right now on the issue of cyber-security and who you should trust with your sensitive data.
Risks vs. Rewards
For many businesses, the lure of cloud computing is hard to resist. Its many benefits include instantaneous 24/7 access to data from anywhere the Internet is available, scalable and practically unlimited storage capacity, improved collaboration, and the cost savings that come from no longer needing a data-center IT team to manage it.
As tempting as these niceties may sound, one must consider all of the potential risks that come along with them. The one at the forefront of the industry’s collective consciousness right now is cyber theft. It seems that every time we turn on the TV to watch the news, the anchorman/woman tells us that we had better change our passwords because of the latest vulnerability and/or hacking incident. That’s an annoying occurrence to be sure, but what happens to personal information that is stolen, such as credit or debit card account details, or social security numbers? Remember when hackers managed to get their hands on 40 million credit and debit cards belonging to Target shoppers who bought merchandise in its stores between Nov. 27 and Dec. 15, 2013? The compromised cards wound up being marketed online along with the state, city and ZIP code of the Target store where they were used. That let the cards be used illegally for longer without raising the usual alarm bells that go off when activity is registered outside of the genuine account holder’s geographic location.
Cyber Attacks, Security Breaches and WikiLeaks
Almost as prevalent as cyber attacks, security breaches from the inside are steadily garnering more and more headlines as well. Edward Snowden is the former NSA contractor behind one of the biggest leaks of classified intelligence in American history. According to Snowden, his motive for leaking the documents was “to inform the public as to that which is done in their name and that which is done against them.” Those words bear a strong resemblance to those of WikiLeaks founder Julian Assange, who also sought to expose government and corporate wrongdoing through “ethical hacking”. Some may argue that their hearts were in the right place, but in airing the dirty laundry of the powers-that-be, there is inevitably collateral damage. In the case of WikiLeaks, government agents were put in harm’s way as a result of being named in the leaked documents. The ramification is that you and the company you work for may be in jeopardy just by virtue of being documented somewhere that you have no control over.
Other groups or individuals may be less interested in leaking the data but focused on the partial or total destruction of the cloud facilities of a particular company.
Once an incident has occurred, lawsuits are inevitably filed by or against you in its aftermath. At that point you have lost not only data but also your customers’ trust, and now your finances are going to take a hard hit as well.
How to Protect Yourself
Once you’ve entrusted your data to a third party, its safety is pretty much in that provider’s hands. Therefore, your best defense is to be diligent in assessing potential data storage and service providers.
Encryption is Essential
Since the earliest days of data protection, when Julius Caesar used a substitution cipher to protect his private correspondence, encryption has played a key role in keeping data contents unintelligible to all but those who knew how to unlock it. Today, encryption is an essential component of any data security and management strategy. Luckily, finding a data hosting service that utilizes encryption is easy; even those who cater to the general public – such as Dropbox and Google Drive – employ encryption.
Some companies go even further by promising “100% private” cloud storage. An extra level of privacy is achieved by adopting a zero-knowledge policy whereby even the folder and file names are stored as meaningless strings of obfuscated text.
Companies who want to go even further can seek out cloud services that don’t store passwords anywhere on their servers. That would essentially force a data thief to break the encryption algorithm, a Herculean task that, while not impossible, could take a very long time to accomplish. The price for the added security is that if a client of the service (that’s you) ever forgets his or her login credentials, the onus to break the encryption falls on you, because that’s the only way you’ll ever retrieve your data.
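To make the last three paragraphs concrete, here is an added illustration (not code from the original article, and not how Dropbox, Google Drive or any other named provider actually implements its service) of a "zero-knowledge" client: the encryption key is derived on the client from a passphrase, the server stores only a random salt and opaque blobs for both file names and file contents, and the passphrase itself is never stored. The `ZeroKnowledgeStore` class, the `seal`/`open_sealed` helpers and the account name are all assumptions made for the example. The cipher used is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag, chosen only because it needs nothing outside the Python standard library; a production client would use a vetted AEAD such as AES-GCM from a maintained library.

```python
"""Client-side ("zero-knowledge") file storage sketch.

Illustrative example added to the article; the construction below (PBKDF2 key
derivation, HMAC-SHA256 as a counter-mode keystream, encrypt-then-MAC) stands
in for the AEAD a real client would use. The server side is modelled by a
dictionary that never sees the passphrase or any derived key.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

KDF_ITERATIONS = 200_000   # PBKDF2 work factor; this is what makes passphrase guessing slow
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(passphrase: str, salt: bytes):
    """Stretch the passphrase into three independent keys: encryption, MAC and name index.
    Only the salt ever leaves the client; the passphrase and the keys do not."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=96)
    return material[:32], material[32:64], material[64:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream generator (illustrative PRF, not AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag over (nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; a wrong passphrase or a tampered blob yields None."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ZeroKnowledgeStore:
    """Stand-in for the provider: holds a per-account salt and opaque blobs, never a password."""

    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}

    def register(self, account: str) -> None:
        self.accounts[account] = {"salt": os.urandom(16), "files": {}}

    def upload(self, account: str, passphrase: str, filename: str, body: bytes) -> None:
        acct = self.accounts[account]
        enc_key, mac_key, index_key = derive_keys(passphrase, acct["salt"])
        # Deterministic blind index: the same name maps to the same slot without revealing it.
        token = hmac.new(index_key, filename.encode("utf-8"), hashlib.sha256).hexdigest()
        acct["files"][token] = (seal(enc_key, mac_key, filename.encode("utf-8")),
                                seal(enc_key, mac_key, body))

    def download_all(self, account: str, passphrase: str) -> Optional[Dict[str, bytes]]:
        acct = self.accounts[account]
        enc_key, mac_key, _ = derive_keys(passphrase, acct["salt"])
        result: Dict[str, bytes] = {}
        for enc_name, enc_body in acct["files"].values():
            name = open_sealed(enc_key, mac_key, enc_name)
            body = open_sealed(enc_key, mac_key, enc_body)
            if name is None or body is None:
                return None   # the passphrase is the only key; forget it and the data stays sealed
            result[name.decode("utf-8")] = body
        return result

    def operator_view(self, account: str) -> bytes:
        """Everything an insider or an intruder on the server could read for this account."""
        acct = self.accounts[account]
        return acct["salt"] + b"".join(t.encode() + n + b for t, (n, b) in acct["files"].items())


if __name__ == "__main__":
    store = ZeroKnowledgeStore()
    store.register("alice")                       # constructed sample account
    store.upload("alice", "correct horse battery", "quarterly-report.xlsx", b"revenue: 1.2M")
    print(store.download_all("alice", "correct horse battery"))
    print(store.download_all("alice", "wrong passphrase"))   # None: nothing to recover with
    print(b"quarterly-report" in store.operator_view("alice"))  # False: names are sealed too
```

Two points the example makes visible. First, `operator_view` shows the whole picture an insider or intruder on the provider's side gets: a salt, opaque index tokens and ciphertext, with neither file names nor contents in the clear. Second, the realistic way in on such a design is guessing the passphrase rather than breaking the cipher, which is why the PBKDF2 iteration count and the strength of the passphrase matter; the same property is what leaves a user who forgets the passphrase with no recovery path, exactly the trade-off the paragraph above describes.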
Finding a Balance
Information security, whether within your own organization or in the cloud, has always been about finding a balance between ease of access and information sharing on one side and data that is completely locked down and virtually inaccessible to anyone on the other. In this post-9/11 world, it’s become painfully apparent that the more you have of one, the less you have of the other.
This article was originally published on June 05, 2014