Losing Control

Written by

I saw this recently and it really drove home on the key truths about cloud computing when it comes to control over your information.

Here's a great quote:

"Any data which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by U.S. authorities."

The point of the article is that information in the possession of a US-based company, even if housed outside of the US, could be handed over to the government under the USA PATRIOT Act.  This probably comes as a shock to non-U.S. businesses, the fact that it causes any surprise is rather telling.

The discomfort over the fact that the U.S. Government could demand access to a customer's information indicates that those same individuals are being hopelessly naive.

Let me be clear here. When you move information into the cloud, anyone's cloud, you should expect certain things.  You should expect that they will provide the services for which you have contracted. You should expect that they will do their best to keep those services available, and that they will meet their SLAs and you should expect that they will do their best to keep you information private. In fact, you should not only expect it, you should demand it.

But you shouldn't assume that they will. Because you can't.

With all due respect to the many fine organizations who provide cloud services, to assume that information moved out of your data center and into a third-party cloud will remain entirely under your control is to ignore anything and everything we have learned about computer security for the past several decades. Once that information is inside the datacenter of your provider, it is subject to their processes and policies, their personnel, and their capability to avoid (or not) mistakes. There's no middle ground. SLA's don't stop a breach, nor do they prevent some higher authority pre-empting your rights to privacy.

Put another way – either you have control over your data or you don't. And if you don't, then you should expect that there will be times when that loss of control comes back to haunt you.

It really doesn't matter if it's a U.S. government national security letter, a criminal hacker, a disgruntled insider, a misconfigured server, or a pre-owned hard drive turning up on eBay.  Whatever flavor the breach comes in, the root cause is that the data left your ability to control it, and was entrusted to someone else.

There's nothing wrong with using cloud services. In fact, I think there are good reasons to hope that cloud services may end up being more secure than many other approaches used by businesses. But what they won't do, what they *can't* do, is replace your personal and organizational responsibility to maintain control of the data.  And if that's surprising to someone, they clearly haven’t been paying attention.

What’s hot on Infosecurity Magazine?