Forgot your password?
typodupeerror
Cloud Privacy Security

Ask Slashdot: Is Your Data Safe In the Cloud? 332 sponsored by: SourceForge

Posted by samzenpus
from the silverish-lining dept.
With so much personal data being kept on the cloud, including government and health records or your source code, do you have any concerns about it falling into the wrong hands? Do you think the cloud's benefits are outweighed by continuing security issues?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Is Your Data Safe In the Cloud?

Comments Filter:
  • Government action (Score:5, Informative)

    by OhHellWithIt (756826) * on Thursday December 08, 2011 @11:16AM (#38303028) Journal

    I believe that government seizure/examination of cloud data is even a bigger threat than hacking. With a court order or -- as we have seen in the past few years -- even without a court order, a trustworthy cloud operator could be forced to turn over our data. The article a few days ago about foreign governments being reluctant to sign onto cloud computing with an American company because of the potential for snooping into their data illustrates the point even further.

    • by GeckoX (259575) on Thursday December 08, 2011 @11:32AM (#38303280)

      Heck, never mind seizure, how about willfully providing this information? Twitter is now providing all public posts to the government.

      Bottom line, if it's in a cloud, you have zero guarantee as to how that information will be used and who will end up with access to it.

    • Re:Government action (Score:5, Interesting)

      by Dexter Herbivore (1322345) on Thursday December 08, 2011 @11:39AM (#38303392) Journal
      As soon as you supply your information to a 2nd party, it's no longer *your* information. It's a sad state of affairs, but a reality of life.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Actually you are very much on mark there. An article in Politico over the weekend talked about how the Patriot Act is a deterrent for companies to use cloud storage in the U.S.

      http://www.politico.com/news/stories/1111/69366.html

    • Re:Government action (Score:5, Interesting)

      by rbowen (112459) Works for SourceForge on Thursday December 08, 2011 @11:56AM (#38303614) Homepage

      Yes, to me this is a much bigger concern than something intrinsically secure/insecure about cloud computing. By entrusting my data to a third party vendor, I make it one step easier for the government to sieze it. With the kinds of legislation that's being debated even this week, I worry that any data I entrust to a vendor might eventually be subpoenaed, and I wouldn't have any recourse.

      And hosting that data elsewhere (ie, outside of my country) doesn't necessarily solve anything.

      On the other hand, the benefits of the cloud - a scalability that I can never achieve "at home" - enormously outweigh this concern in most cases. When it comes to confidential data, however, the question becomes much less obvious.

      • Re:Government action (Score:5, Interesting)

        by VortexCortex (1117377) <VortexCortexNO@S ... t-retrograde.com> on Thursday December 08, 2011 @12:36PM (#38304110)

        "Becomes less obvious"

        No it doesn't. Well, not to me. I just encrypt my data and store it in .JPG, .TGA, .PNG image's exif or "developer's area" data, then upload it to Sourceforge, GitHub, PirateBay, etc. and share it with the whole world. Since the images can't be transcoded in my open source projects (or else SHA-1 hashes don't match in the repositories), the data is pristine, verifiability tamper proof, and everywhere for me to re-download, decrypt, and use (so long as my projects remain popular).

        I didn't see anything prohibiting this practice in the EULA... Still, I thought it best if the data was actually used for something. Turns out encrypted data makes a really good and fast pseudo random number generator lookup table, although it does eat a bit of disk space.

        Now, if you want to narrow your definition of "cloud" to only services that do re-encode and compress my data, not allowing encryption or lossless images -- Well, I'd argue that those aren't storage solutions so much as storage problems.

        Lately I've been hosting my data with friends and family, and they host theirs with me. Altogether we've got quite a bit of redundancy and geographic coverage. While I may not be able to get as reliable a service "at home", at all of our homes, I've achieved even higher uptime over the past year than Sourceforge.org has had... My custom solution involving deduplication (hey, we're family we can ACTUALLY trust each-other with some things) and other FSYNC like features is not ready for prime-time yet, but when it is, I plan to TAKE BACK THE CLOUD -- For free.

    • by drpimp (900837) on Thursday December 08, 2011 @12:12PM (#38303798) Journal
      If they are in fact able to get a court order, what is the difference WHERE the data resides? Assuming you are not talking about hosting your data in some government "non-accessible" nation. Unless of course you're planning on destroying or "getting rid" of it. And in that case if they could prove that you destroyed evidence you could have potentially a bigger issue on your hands.
      • by b4dc0d3r (1268512)

        The problem is a court order does not specify that one client's data is in scope and another is out. Usually it would be a seizure of all computers so they can find the records they want.

        Hosting companies have had their entire racks seized, putting all of their customers out of service just so they can find 1 user/client who is causing problems (usually copyright MAFIAA raids). Offsite backups and service restoration aside, the feds have your data and you aren't even the target of the warrant. A bit of s

    • Re:Government action (Score:4, Interesting)

      by jellomizer (103300) on Thursday December 08, 2011 @12:21PM (#38303908)
      So if you store information on your own computer and you get a warrant to search your data you have to show your data. Chances are most companies being much smaller then could companies will give up and not put much of a legal hassle anyways.
      So your data isn't really that much safer out of the cloud from the government.

      The fear of the cloud is like the fear of taking the train vs. driving.
      Like taking a train if there is an accident, one accident could have a big effect and a lot of people get hurt. While people are getting hurt every day (more then then a single train accident)
      You are usually safer in the Cloud computing or taking the Train... However you loose control so you need to trust someone else with your data or your life. We don't like doing that even if they are better at keeping you safe then you are.

      We as IT folk who take pride in our work really don't like the idea that some snot noes kid is handling data. However for the most part we are the Snot Noes Kids too, and we are in an organization who isn't as committed to keeping everything protected and operational.
      • by johanw (1001493)
        > So if you store information on your own computer and you get a warrant to search your data you have to show your data. No, in most EU countries (except the UK AFAIK) we do have functional laws against self incrimination and you can tell the government to go find the data itself. If they can't find it or can't decrypt it they are out of luck.
  • by Anonymous Coward on Thursday December 08, 2011 @11:17AM (#38303038)

    And what's a cloud, really?

  • Data safe? (Score:5, Funny)

    by Anonymous Coward on Thursday December 08, 2011 @11:18AM (#38303046)

    not a bit

  • No. (Score:5, Insightful)

    by plopez (54068) on Thursday December 08, 2011 @11:18AM (#38303052) Journal

    No one is going to care as much about your data as you do. Next question please.

    • Re:No. (Score:5, Insightful)

      by ironjaw33 (1645357) on Thursday December 08, 2011 @11:25AM (#38303138)

      No one is going to care as much about your data as you do. Next question please.

      This. My employer only backs up one of several disk partitions on my work computer. The non-backed up partitions were hosed during a routine system upgrade last summer. Fortunately, I had backed up the data using my own resources but others hadn't and lost months of work.

      The lesson: only you can ensure the integrity and persistence of your data. If even your employer can't, then who can?

      • Re:No. (Score:5, Insightful)

        by DaveWick79 (939388) on Thursday December 08, 2011 @12:56PM (#38304420)

        And frankly, if your employer allows you to create your own data partitions on your hard drive, and doesn't require you to sync or store data on a file server, then they deserve to lose their data.

      • by plopez (54068)

        Answer: you. USBs are large and cheap these days. As are other devices. Pick a backup method. Even Google docs as a backup is ok. Caring about data is part of being a professional. If you don't cover yourself you are failing in your duty.

    • Re:No. (Score:5, Interesting)

      by timeOday (582209) on Thursday December 08, 2011 @11:47AM (#38303494)
      Keeping money in a bank is really just keeping data in a cloud. It seems to work for most.
      • by pmontra (738736)
        Much as I don't trust putting my data into clouds, you're right on spot.
        That's another case for convenience trumping safety, but might I point out that bank runs [wikipedia.org] happen when people don't trust the bank anymore?
  • maybe more secure (Score:4, Insightful)

    by roman_mir (125474) on Thursday December 08, 2011 @11:20AM (#38303062) Homepage Journal

    In many cases maybe your data is even more secure in a cloud than on your own servers, especially if you choose your 'cloud' carefully (outside of your country/jurisdiction).

    The real threats to your data are your own employees and your government. The outside 'hackers' come as a very distant third.

    • by rbowen (112459) Works for SourceForge on Thursday December 08, 2011 @11:21AM (#38303078) Homepage

      Yes, exactly.

      Servers "in the cloud" are installed, secured, and maintained, by sysadmins like you and me. Some of those sysadmins are good at what they do, and some of them aren't. "The cloud" is not intrinsically secure or insecure, because "the cloud" is not a definable entity, as much as the tech press wants it to be. This is a misnomer perpetrated by the poorly-informed press, and not really something that's based in reality.

      Every time we read an article about "the cloud", it's useful to take a moment to consider what it actually means in that particular scenario.

      Although "the cloud" means "I don't care where my servers are", there are in fact actual servers somewhere, and there's an actual person or team of persons responsible for maintaining that server or servers, and they are either good at their job, or they aren't. Talking about "the cloud" as though it's one homogeneous mush of data is nonsense, and leads to all sorts of false conclusions.

      • by TheSpoom (715771) <slashdot@@@uberm00...net> on Thursday December 08, 2011 @11:27AM (#38303178) Homepage Journal

        Really, I just hate the term "The Cloud" in the first place. It's so vague as to be unusable. Virtualized servers? OK, I get that, and it's specific about what it means. But "on the cloud" tends to just mean "on the internet somehow". Maybe it's on a physical box, maybe it's virtualized, maybe it's run by your company (but probably not), maybe it's managed by a third party. It means I have to ask additional questions, meaning the term is a waste of time.

        • by Terrasque (796014) on Thursday December 08, 2011 @11:45AM (#38303478) Homepage Journal

          I feel it's more about paying someone else to do all that server'y stuff, and gives you the freedom to go "I need $foo for $bar time" - and the provider(s) goes "okay" and magically pulls it out of the cloud for you. When you're done with it, it goes back to the cloud, no extra cost to you.

          At least, that's the impression I've got from the non-technical people's understanding of it. For techies there's nothing new, per se. It's just that hardware / software have come to a point where large companies find it useful both to sell and to buy, and marketing have managed to find a way to explain it to non-techies.

        • Re:maybe more secure (Score:5, Informative)

          by Martin Blank (154261) on Thursday December 08, 2011 @04:14PM (#38307176) Journal

          NIST published SP800-145 [nist.gov] (PDF warning) in October with their definition of cloud computing:

          Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

          There is an expanded section covering an additional 1.5 pages describing:

          • Essential characteristics
            • On-demand self-service
            • Broad network access
            • Resource pooling
            • Rapid elasticity
            • Measured service
          • Service models
            • Software as a Service (SaaS)
            • Platform as a Service (PaaS)
            • Infrastructure as a Service (IaaS)
          • Deployment models
            • Private cloud
            • Community cloud
            • Public cloud
            • Hybrid cloud

          OK, so it's not the best-formatted list (I blame Slashdot), but it makes the point. The document is short and abstract, but it at least tries to give a coherent response.

      • I Disagree (Score:5, Insightful)

        by eldavojohn (898314) * <[moc.liamg] [ta] [nhojovadle]> on Thursday December 08, 2011 @11:37AM (#38303344) Journal

        Servers "in the cloud" are installed, secured, and maintained, by sysadmins like you and me. Some of those sysadmins are good at what they do, and some of them aren't.

        I don't get it then, what makes the sysadmins and employees at these companies that run "the cloud" any more or less secure than my own employees and sysadmins? And what makes the government where "the cloud" resides any more respectable of my privacy than my local government? My own reaction is that there's just another layer of security risk here. At least if they're my employees or sysadmins and I find out data is being leaked, I can fire them and do an internal investigation. If some sysadmin is dumping databases at a "cloud" site, then who is ever going to know and how is that ever going to be rectified?

        I'm not arguing against "the cloud" and I don't have a good example on hand of where "the cloud" has failed but to me it seems like a lot of these are virtual machines sitting on physical hardware running more software. And every layer is just another potential weak point in the chain of software. Is that not true? Isn't it possible that employees of VM farms are simply cloning and dumping memory or hard disks (or entire VMs for that matter) for their own personal use?

        There was a paper a while back about encrypted computing just to address this very fear.

        "The cloud" is not intrinsically secure or insecure, because "the cloud" is not a definable entity, as much as the tech press wants it to be. This is a misnomer perpetrated by the poorly-informed press, and not really something that's based in reality.

        Just like the title to this Ask Slashdot encourages us to debate the security of something that cannot be intrinsically secure or insecure? If you're telling me that "the cloud" is not intrinsically secure or insecure why are we having this conversation? I mean, I think it's worthwhile to consider what a lot of "the cloud" services are that are out there (the big few that exist) and to debate their security success or potential holes. You can always deflect my arguments by saying that they're just "implementing the cloud wrong" and we won't go anywhere. But it is my opinion that sensitive, personal and secure information should not be handed off to yet another third part for computation or storage unless your trust with them is enough to risk litigation against yourself from all of your customers.

        • Re: (Score:3, Interesting)

          by gl4ss (559668)

          we are having this conversation to promote SourceForge, if you didn't notice.

          heck, I would have missed this "article" but it was laced on my post history page - in a different color too.

          I thought I had ads disabled. guess not...

      • by GeckoX (259575)

        Not only is this dependent on the quality of the sysadmins, it is dependent as well on the policies and actions of those governing any particular cloud. The sysadmins do not create these policies, they merely implement them. Bottom line is that when you put data in a 'cloud', you are trusting the corporation or entity in control of that cloud with your data. Their policies could change at any time. Or the government could do so for them. Or another entity could take ownership and again change the policies i

    • by youn (1516637)

      let's say cloud provider security is brilliant and you place the cloud on the moon just so that no human can get there... CA hack and MITM can make efforts worthless within seconds

    • Right, because there are no employees/government/hackers in the cloud. Whew!
  • by Anonymous Coward

    then store it to the cloud w/ you just knowing the keys/passphrases

    • by youn (1516637)

      remember not to reuse the passwords you give to journalists writing books about you especially if the data is leaked in the wild :)

  • by cmv1087 (2426970) on Thursday December 08, 2011 @11:21AM (#38303080)
    It's still someone else's servers holding my data and I still have to go through some hoop(s) to get at it from other devices. What is so special about it?
    • by Xugumad (39311)

      Someone re-re-invented mainframes, and therefore everything is new and no-one understands it any more.

    • by rbowen (112459) Works for SourceForge on Thursday December 08, 2011 @11:45AM (#38303480) Homepage

      I would like to believe that when I host a server at Slicehost (oh, yeah, it's Rackspace now) that they have server administrators who are better trained than I am. That they have backup procedures that are better executed than I would do. That they upgrade their hardware more often than I do.

      Likewise, if I put my data on a "cloud" service, I am paying for the assurance that they have secured those servers at least as well as I would, in addition to whatever it is that they specialize in (scalability, availability, redundancy, etc). So, in theory at least, that's what's special about it - that they can do a better job at those things, for less money, than I can.

      The reality can be less clear cut, and so, as with any vendor selection process, you have to do your homework and find the ones that seem to do a good job.

      I think the press has done us all a disservice by making the cloud into, as you say, a mysterious relic with mystical powers. Hopefully those of us actually making these decisions understand what it really means and can be sober about evaluating options.

      • by Samalie (1016193) on Thursday December 08, 2011 @12:16PM (#38303856)

        The key phrases of your entire post are "I would like to believe..." "In theory..." "....seem to do a good job"

        The reality of it...really...we, as sysadmins turning to "The Cloud", have no real bloody idea how good the people there are. And lets face it...there are rogue sysadmins everywhere (just like rogue accountants, etc). Sure, its a serious minority of people, but they exist.

        If I have a rogue sysadmin at my office, my data is in danger (whether by accidential/intentional destruction, leaks, theft, etc). At aq major cloud provider, hundreds, if not thousands of company's data is at risk.

        There are definite cases for The Cloud...I have my antispam services in the cloud for example. The economy of scale meant that they could do a better job for the same price as I could internally. If you are a retailer with an e-comm presence, having the ability to instantly scale up your processing power based on need at a given moment (ie..Black Friday/Cyber Monday) without having to buy hundreds of thousands of dollars of equipment that is rarely used is a good thing.

        But throwing my day-to-day operations and database to the cloud? I have no need, and I can provide the services to my company far cheaper than any external provider. Last time I priced it out, I could entirely re-do my entire computer infrastructure (Servers, desktops, switches, routers,etc) every 2 years for the extra cost of having it hosted for me. I'd be a fucking retard to do that.

  • by Joe_Dragon (2206452) on Thursday December 08, 2011 @11:23AM (#38303106)

    Now this story shows that the hosting company's can get mix up and do you want to take that risk with your data??

    http://thedailywtf.com/Articles/Remotely-Incompetent.aspx [thedailywtf.com]

  • ...that the first outing of the sponsored Ask Slashdot is a Geeknet company.

    In any case, as usual, it depends on the kind of data. I believe medical data has be encrypted though, no?

    • by rbowen (112459) Works for SourceForge on Thursday December 08, 2011 @11:25AM (#38303130) Homepage

      ...that the first outing of the sponsored Ask Slashdot is a Geeknet company.

      Yes. I'm called the guinea pig.

      • by TheSpoom (715771)

        Looking good so far. It'll be interesting to see what kind of posts actual sponsors make when we get there.

      • Re:A little telling (Score:5, Interesting)

        by Hadlock (143607) on Thursday December 08, 2011 @11:35AM (#38303320) Homepage Journal

        Well, we were pissed about the experts not being expert enough -- so here goes nothing -

        What does Source Forge do that is above and beyond the call of duty to protect user information? Have you guys had any data breaches that you haven't disclosed, or fully disclosed? What would you have done differently in hindsight?

        • Re:A little telling (Score:5, Informative)

          by rbowen (112459) Works for SourceForge on Thursday December 08, 2011 @11:52AM (#38303558) Homepage

          What does Source Forge do that is above and beyond the call of duty to protect user information? Have you guys had any data breaches that you haven't disclosed, or fully disclosed? What would you have done differently in hindsight?

          When we have attacks, and compromises (which has happened in the the past) we report in detail on it in the blog. Here's one example: https://sourceforge.net/blog/update-sourceforgenet-attack/ [sourceforge.net]

          As with any company, these sorts of things have a procedure that we have to follow, and I'm checking with the people along that trail to see what I should say in response. There haven't been any compromises or attacks during my time at SF, so I don't have any personal experience as to how we respond to this, but I've asked some of the guys on our engineering team to help me put together a response to this question.

        • Re:A little telling (Score:4, Informative)

          by rbowen (112459) Works for SourceForge on Thursday December 08, 2011 @03:38PM (#38306626) Homepage

          Here's a little more information from our legal folks:

          A: Earlier this year, we went through a pretty robust process to receive our Truste certification which covers privacy, security and safe harbor (our privacy policy is located at ADD LINK). We are continuing to look for ways to improve our security controls and protect user personal information. We did fully disclose an incident early in 2001 and the details and what we did about can be found at: http://sourceforge.net/blog/sourceforge-attack-full-report/ [sourceforge.net]

          They also recommended that I point you to our corporate privacy policy, here: http://geek.net/privacy-statement [geek.net]

          • Re: (Score:3, Insightful)

            by Anonymous Coward

            (our privacy policy is located at ADD LINK).

            I think you forgot something, like making the effort to read the marketing material someone handed you before you copied and pasted it.

      • by Cylix (55374) * on Thursday December 08, 2011 @11:41AM (#38303418) Homepage Journal

        Excellent,

        I was told by a very powerful source that the only way to protect my data was via a contract for my soul. Among the things needed for the incantation a guinea pig was cited.

        Look at Paragraph 367 Subsection 32... "Satan will personally hover over your data with an army of undead ghouls.^3214"

        I'm still trying to find foot note three thousand two hundred fourteen.

        These deals with the devil are almost as bad as FCC mandates.

      • by Trepidity (597) <delirium-slashdot@@@hackish...org> on Thursday December 08, 2011 @12:11PM (#38303796)

        Not to tell y'all how to run your campaigns, but as a humble suggestion, wouldn't it increase your legitimacy if you paid some nice money to someone with a low UID, say 3 digits or less, to help out?

    • by identity0 (77976) on Thursday December 08, 2011 @01:37PM (#38305028) Journal

      What would you prefer?

      Ask Slashdot: Is Google Evil? Sponsored by Microsoft
      Ask Slashdot: Is The Kindle Fire Better Than iPad? Sponsored by Amazon
      Ask Slashdot: Why Do Charletans Believe The Global Warming Myth? Sponsored by The Republican Party
      Ask Slashdot: Is Your Data Safe In Anuses? Sponsored by Goatse
      Ask Slashdot: Do You Want To Hear A Personal Message? Sponsored by Jimmy Wales

  • by HTMLSpinnr (531389) on Thursday December 08, 2011 @11:24AM (#38303118) Homepage

    ::rimshot::

    No, seriously - depending on the cloud service, aren't buckets of data encrypted in such a way that only the owner of the data can access them? Cloud service providers may be required to hand over data, but do they have the means of handing over the encryption keys along with it?

    For certain cloud services where you're uploading via browser, they may be encrypting your data post-upload, so the request to decrypt may be more trivial. However, if you manage your own (like S3 backups) - or simply use a service that encrypts BEFORE uploading, I'm not sure there's a whole lot Amazon or some other provider could do to hand over the data in any usable form.

    Those who are concerned about security of their data should ensure that the backup is encrypted in an acceptable method, or simply stash it in an encrypted container before storing it "online" (I realize there may be limitations of scale with that suggestion).

  • by MalleusEBHC (597600) on Thursday December 08, 2011 @11:25AM (#38303136)

    Unlike all other Ask Slashdots, this question is not prededed by "$USERNAME writes", so who actually proposed this question? A user that didn't get credit? A Slashdot editor? Someone from Sourceforge? The post introducing sponsored Ask Slashdots says that "the sponsors don't pick the questions", but that's still ambiguous. Many people are skeptical about this being thinly veiled astroturfing, so it's important to be as transparent as possible.

    • I'd like to know too.
    • by rbowen (112459) Works for SourceForge on Thursday December 08, 2011 @11:29AM (#38303210) Homepage

      I didn't get to pick the question, if that's what you're asking. Presumably, if I had, it would be more about Open Source. I believe the question was chosen by the Slashdot editorial team.

      • by Anonymous Coward on Thursday December 08, 2011 @11:52AM (#38303566)

        I don't know if they're taking constructive criticism from anonymous users, but...

        Slashdot might get more mileage out of a question that people can have several different takes on. "How should I archive data long term?", or "How do you secure a small business website on a tight budget?", or the like. This one is a bit of a dud because it's basically two yes/no answers. It's just chumming the waters to throw something like this into a user community that's already on to your synergistic marketing plan; they need something that geeks can't help themselves but participate in.

        For a SourceForge topic, I'd love to read more details about what's involved in providing and effectively securing the type of service they provide (which must be a bit of a rolling nightmare for you folks with hundreds of thousands of projects and the level of exposure that entails), and maybe a solicitation of anonymously-submitted stories from other users about website break-ins they've had to clean up and how things went, both with the software and with public relations.

    • by Jeng (926980)

      My question is why can't I exclude stories by category now? I went to block Ask Slashdot from my list of stories I'll accept and it just plain didn't work.

    • Re: (Score:3, Funny)

      by Threni (635302)

      Find out...right after this message from our sponsors!

    • by samzenpus (5) * Works for Slashdot

      We wrote the question after being told that cloud security was the topic to be covered. When the editors write a story there isn't a "username writes" at the beginning. Here are a couple of examples from yesterday [slashdot.org] and Tuesday [slashdot.org].

      • by guanxi (216397)

        We wrote the question after being told that cloud security was the topic to be covered.

        Thanks samszenpus. Just for clarification: Who is the "we" who wrote it, and who chose the topic?

    • by tgd (2822)

      Unlike all other Ask Slashdots, this question is not prededed by "$USERNAME writes", so who actually proposed this question? A user that didn't get credit? A Slashdot editor? Someone from Sourceforge? The post introducing sponsored Ask Slashdots says that "the sponsors don't pick the questions", but that's still ambiguous. Many people are skeptical about this being thinly veiled astroturfing, so it's important to be as transparent as possible.

      Well its refreshing to see them at least trying to thinly veil it. That's a step up from the last few years on here.

  • Encrypt First (Score:2, Insightful)

    by Anonymous Coward

    I would encrypt any sensitive data I may have before storing it in the "cloud". It would be irresponsible to assume the data can not be read or copied by others.

  • by RobinEggs (1453925) on Thursday December 08, 2011 @11:26AM (#38303148)
    Note to slashdot: It'll be hard to maintain whatever shred of journalistic veneer and integrity you have left if you start posting advertisements for sister websites as 'sponsorships' of semi-legitimate discussions or stories.

    The fact that everyone else does it is still no excuse.
    • by mikeroySoft (1659329) on Thursday December 08, 2011 @11:33AM (#38303284)
      I'm glad at least comments are enabled. Most other sites disable them for sponsored articles.

      Further, I imagine that the bandwidth and hosting costs of /. are quite high, so they need to get a return somehow.
      I mean, with so many people here probably using AdBlock etc, or disabling ads because they're registered users who can, they have to get their ads-to-eyeballs ratio back up to somewhere that it's actually worth it to advertize here (this ensuring that our geeky community can continue to have someplace to live!)
    • by Hatta (162192) on Thursday December 08, 2011 @01:05PM (#38304538) Journal

      Slashdot is a geek tabloid. Don't expect journalistic integrity. Do expect entertaining discussion.

  • by rbowen (112459) Works for SourceForge on Thursday December 08, 2011 @11:31AM (#38303250) Homepage

    I used to be a security "expert" (at least according to my business card), but that was long enough ago, and things have changed sufficiently since then, that I no longer make that claim. However, back then, most of our customers happened to be in healthcare in some form or another, and I was appalled, on a daily basis, how insecure their data was. Any high school kid with some tools could completely own their network servers with very little effort. We hired one of those high school kids, and he frequently did.

    Furthermore, with a little sweet talking, or looking under keyboards, we got access to all the stuff that he didn't. Granted, this was in the days immediately before HIPAA, and in the first days after HIPAA when people were trying to figure out how to implement the requirements. I naively hope that HIPAA has corrected some of the most glaring of these problems.

    It's hard to imagine that putting data "in the cloud", whatever that happens to mean in the particular case under discussion, could be any less secure than where they're already storing your data.

    • by savanik (1090193) on Thursday December 08, 2011 @12:14PM (#38303824)

      It's hard to imagine that putting data "in the cloud", whatever that happens to mean in the particular case under discussion, could be any less secure than where they're already storing your data.

      Exactly. The amount of risk that is introduced by putting your data into the cloud is infinitesimal compared to the risk that already exists in your network due to your company's cultural lack of top-down focus on security. If your CEO has domain admin privileges to the network and does not actively manage the active directory structure, you probably have more serious security issues to worry about.

      I am a current security expert, working at a security-conscious company. So far, I haven't seen any hypervisor exploits, so the largest source of failure from hosting your business in the cloud probably rests on being unable to access data because of your ISP or network outages. Shop around by comparing SLAs.

      When hypervisor exploits do become known (and they will), the PCI council will likely put the hypervisor into scope - they're waffly about it right now. As soon as that happens, kiss your PCI-compliant cloud goodbye - the third-party compatibility for security tools used for PCI compliance in the cloud are abysmal. It will become very difficult for any cloud-based application to live up to the PCI standards. That's your real risk.

  • Absolutely not (Score:4, Insightful)

    by KlomDark (6370) on Thursday December 08, 2011 @11:32AM (#38303262) Homepage Journal

    These days your data is your wealth. Putting it somewhere as vague as 'the cloud' is as dumb as keeping your life savings in a car belonging to someone you don't know and have no idea where that car might be located. (Probably in some trailer court.)

    It's a marketing trap - don't fall for it.

  • by salparadyse (723684) on Thursday December 08, 2011 @11:33AM (#38303288)
    No.
  • I use cloud storage for a good deal of our small business data. The question is do the people who work at the place my data is stored at do a better job than I would protecting that data? probably. Am I worried about about most of that data being obtained by a hacker? No. 70% of it is actually public record, and the other 30% is really boring financial stuff. Could someone steal my identity if they got this information? Most likely. if this happens, have fun blackhat; the IRS is after you, and so is
  • that's the question. where do they store their internal email and data? in another cloud? in their own systems?

    if they store it locally then why should i send my data to them?

  • by carbon_tet (596725) on Thursday December 08, 2011 @11:39AM (#38303382)

    I am a lawyer, and the thought of trusting my data to the cloud makes me very nervous for several reasons.

    1. Government access. If you trust the government to keep its hands off of your securely stored data, you are living in the 1960s. Federal and (most) state governments are too tempted by the possibility of using your data for good purposes to actually keep their hands off it. Employees (like the FBI) will peek at it, especially if you're famous. They will run "searches" to see "what comes up" and get a feel for whether the government needs to do something. Data should never be stored -with- the government, and government should be expressly forbidden from getting access to it after it is generated. They should be required to give you notice each time that they access your data and describe to you what they are looking for in it when they inevitably -do- access it.

    2. Outside threats. I'm thrilled every time I read about botnet attacks and Anonymous hacks that get into some individual's or company's private data. (Sarcastically...) "Yes, I believe that my externally stored data is safe from outside intrusion and will not be stolen by criminals." No, I don't believe that. There is no routine requirement for encryption in business environments. If there isn't a robust, national / industry-wide data encryption plan that makes it easy for the end-user (the person whose data it -is-) to protect and access the data, I think that the cloud is too risky for storing really important information, rather than just having my music collection stored in iCloud or Amazon's service.

    Also, email security, to me, seems to be a joke. Here, I don't worry about breakins to get at my information, although that has happened at many email providers. Rather, I worry about internal inspection of my information. I use Gmail, but I don't believe for a minute that Google, (or Facebook, which I don't use) doesn't sometimes run statistical analysis of the email stream or the google search bar terms I use to learn more about me. It's their business to know more about me so that they can make money advertising to me. You can be sure that they test their AdSense algorithm improvements on my data to enhance the chances that I'll click on an ad and make them a few per thousand clicks.

    I will use the cloud as a backup with services like MozyPro, but only if I can have assurance that my information (my clients' information, really) is locked down tight. To my mind, "ease of access" from storing information in the cloud equates all too readily to "ease of theft" where the thieves don't even have to leave their desks in Mountain View or Moscow to "reach out and touch someone" (apologies, ATT). I much prefer to make the thieves go to all the bother of getting up and coming to my house or office to steal my data.

  • by 1s44c (552956) on Thursday December 08, 2011 @11:44AM (#38303450)

    Is Your Data Safe In the Cloud?

    No. Next story.

  • by Tridus (79566) on Thursday December 08, 2011 @11:59AM (#38303642) Homepage

    Ars actually just covered this for anybody not in the US - the Patriot Act is a huge barrier that is making it hard for US companies to do business. Nobody in their right mind trusts US cloud providers with their (subject to non US privacy law) data.

  • by Ralph Spoilsport (673134) on Thursday December 08, 2011 @12:03PM (#38303690) Journal
    Between the patriot act and the value of the data itself for mining purposes, no. To argue otherwise is naive.
  • by sco_robinso (749990) on Thursday December 08, 2011 @12:05PM (#38303726)
    I was recently at a VMware luncheon with a VMware "clould" expert. He was probably the first person from a big could-services type provider that openly admitted the cloud isn't for everyone, and in many cases, it just doesn't make sense. He went on to explain that it's VMware position that you deploy your own "private cloud" at your own pace, and whether or not you move to public cloud is entirely up to you. Their whole sell was that their products make the transition from private to public cloud easy, hence you can stay private or move public at your own pace.

    This contrasts to some recent Microsoft events I've attended, where they were pushing Azure so freakin hard that one of the Microsoft guys was almost literally said, quote for quote, 'if your next SQL project isn't on Azure, you're making a BIG mistake'. Microsoft seems to be of the mindset that between Azure and Office365, it's a hole-in-one business case for every company on the planet, which it's not. They went on to sell their Intune service the same way - 'If you're not a big company that has your own SCOM/SCCM solution, then you're making a mistake if you don't use Intune'.

    Bottom line, much more cloud snobbery from the Microsoft guys.
  • by rbowen (112459) Works for SourceForge on Thursday December 08, 2011 @12:17PM (#38303860) Homepage

    I've long thought that government software should be software of the people, by the people, for the people (to be a little over-poetic). If I pay for the development of software that's used to run, say, the TSA, then I should have access to that code. And if the IRS is using software to store my data, I should have access to that code so that I can verify that it's secure, and is calculating my tax refund correctly.

    I'm not sure, as a non-lawyer who has never worked as a government contractor, whether such demands are at all realistic or probable, but I still think it's worth making the demands. While I'm confident that *my* congress critter didn't understand the letter I sent him on the subject (at least, based on his content-free response), I would encourage you to contact yours, and maybe there's one out there that would understand.

    The medical data issue is a little less clear-cut, depending on whether medecine is socialized in your particular country.

    Putting medical data in a shared data pool *promises* big things, certainly.

    Every time I go to a doctor's office and have to fill out all the same data, yet again, or when I have to fill out yet another government form with all the same information that they already have, often two or three times on the same set of forms, I think, why, in 2011, do I have to fill out these forms at all, when they already have so much information on me that should be readily accessible? A retinal scan, or even an ID number, should be sufficient to avoid this. Why haven't we solved this problem yet? (Yes, that's a very naive position, largely inspired by the frustration of filling out the 8th form while other peoples' kids run around screaming and sneezing on me.)

    But who do we trust to be that central repository of data, and not sell it to the highest bidder?

  • by elrous0 (869638) * on Thursday December 08, 2011 @12:25PM (#38303978)

    I'm more concerned about what my ISP is going to say when I start uploading data by the gig on a regular basis.

  • by milbournosphere (1273186) on Thursday December 08, 2011 @12:56PM (#38304414)
    While I wasn't too thrilled about this whole sponsored post idea, I shrugged my shoulders and moved on. However, this first go at it is somewhat troubling. The question is rather ambiguous, with no information given about who submitted the question, but that's already been discussed.

    My big problem with it is why this story seems to be 'floating' in the feed. All morning, it's been at the number two position. I don't really mind the glaring blue story staring at me, but I would appreciate it if it faded to oblivion just like the rest of the articles/stories/slashvertisements, so I don't have to continue to stare at this giant blue SourceForge logo when I browse the news feed. I had tried to keep an open mind, but this whole thing looks like an attempt to whore out the site for money.
  • by ZackSchil (560462) on Thursday December 08, 2011 @02:36PM (#38305858)

    and how do I make it go away!

If a listener nods his head when you're explaining your program, wake him up.

Working...