June 01, 2011 CLOUD COMPUTING, CLOUD SECURITY

Security Issues in Cloud Computing

After managed security services, handing off the security of your data to someone else must be the single most important worry for anyone involved in securing a company’s data.

Since this topic encompasses several different aspects, dealing with the various issues of security; I will try to offer thoughts around each of them in the weeks ahead, to ensure each topic is examined as needed.

Security Issues in Cloud Security

The first topic we will analyze this week is data control.

Many companies are moving their email to cloud based hosted solutions — Google, Microsoft, and many others offer this. Your workstations will connect to a remote server using an encrypted channel to download emails. Virtually, you have your own server and your own disks. But physically, your data is stored in the same disk with many other companies’ data and emails.

Some consideration must be given to how this data is protected, and not only from hackers.

Assume you have your own server in house. When the email is stored on that server, it’s under your complete control. Assume that one of your employees does something that requires law enforcement investigation and for that reason you need to hand out your data. If a law enforcement officer shows up at your doorstep without a court order, you can (and likely will) decline to hand over any data. You are not obliged in any way until there is a court order.

Assume now that you are hosting that data in the cloud; say your email is hosted with Google. Do you really think that they will take care of your data the same way you would? I would hope so, but I must be skeptical; after all, why would they anyway?

Boy drawing cloud network on the wall
 

Now think of that same data stored on that same disk, sharing space with another company. Someone at that company is investigated and their data needs to be given to the authorities. Law enforcement does not take “copies”. They take originals; so they show up and take the disk. So now your data is on a disk that is being used in a legal case against another company you have no ties with whatsoever; it is no longer stored in the privacy of that data center. You don’t even know where it is and who is reading it anymore!

And what if the legal case if coming from another country? What if that disk is being handed over to Scotland Yard? Now your data is not only on a disk used in a legal case that is not yours; but is not even in the US anymore! And you have no control at all!

Is this something you should be worried about? I guess it depends on what type of business your company does, how sensitive that data is, how damaging it would be if it ends up in the wrong ends – be that the competition or the public! The answer can’t be the same for every company; this is a consideration each company needs to make based on several parameters, but ultimately the most relevant of all is “what happens if the data ends up in the wrong hands”?

That question is the general question of security and is the reason why we have security in the first place. Moving your data to a hosted solution only adds to the uncertainty surrounding the security of your data, as it adds another layer of possible loss.