Cloud Privacy Security

Ask Slashdot: Is Your Data Safe In the Cloud? sponsored by: SourceForge 332

With so much personal data being kept on the cloud, including government and health records or your source code, do you have any concerns about it falling into the wrong hands? Do you think the cloud's benefits are outweighed by continuing security issues?

  • Government action (Score:5, Informative)

    by OhHellWithIt ( 756826 ) * on Thursday December 08, 2011 @11:16AM (#38303028) Journal

    I believe that government seizure/examination of cloud data is even a bigger threat than hacking. With a court order or -- as we have seen in the past few years -- even without a court order, a trustworthy cloud operator could be forced to turn over our data. The article a few days ago about foreign governments being reluctant to sign onto cloud computing with an American company because of the potential for snooping into their data illustrates the point even further.

  • by Joe_Dragon ( 2206452 ) on Thursday December 08, 2011 @11:23AM (#38303106)

    Now this story shows that hosting companies can get mixed up, and do you want to take that risk with your data?

    http://thedailywtf.com/Articles/Remotely-Incompetent.aspx [thedailywtf.com]

  • by rbowen ( 112459 ) Works for SourceForge on Thursday December 08, 2011 @11:29AM (#38303210) Homepage

    I didn't get to pick the question, if that's what you're asking. Presumably, if I had, it would be more about Open Source. I believe the question was chosen by the Slashdot editorial team.

  • by salparadyse ( 723684 ) on Thursday December 08, 2011 @11:33AM (#38303288)
    No.
  • Re:ABSOLUTELY !! (Score:5, Informative)

    by tepples ( 727027 ) <tepples.gmail@com> on Thursday December 08, 2011 @11:33AM (#38303302) Homepage Journal
    "Cloud" refers to a symbol used in network organization charts and data flow diagrams to refer to a connection across a large network. Something being "in the cloud" is on the other side of this symbol, namely on leased servers in someone else's data center.
  • Re:ABSOLUTELY !! (Score:4, Informative)

    by Dexter Herbivore ( 1322345 ) on Thursday December 08, 2011 @11:42AM (#38303424) Journal

    "Cloud" refers to a symbol used in network organization charts and data flow diagrams to refer to a connection across a large network. Something being "in the cloud" is on the other side of this symbol, namely on leased servers in someone else's data center.

    In other words, it's what we used to call 'the black box'. Once data enters the black box, it shouldn't matter to the app.

  • Re:A little telling (Score:5, Informative)

    by rbowen ( 112459 ) Works for SourceForge on Thursday December 08, 2011 @11:52AM (#38303558) Homepage

    What does Source Forge do that is above and beyond the call of duty to protect user information? Have you guys had any data breaches that you haven't disclosed, or fully disclosed? What would you have done differently in hindsight?

    When we have attacks and compromises (which have happened in the past), we report in detail on it in the blog. Here's one example: https://sourceforge.net/blog/update-sourceforgenet-attack/ [sourceforge.net]

    As with any company, these sorts of things have a procedure that we have to follow, and I'm checking with the people along that trail to see what I should say in response. There haven't been any compromises or attacks during my time at SF, so I don't have any personal experience as to how we respond to this, but I've asked some of the guys on our engineering team to help me put together a response to this question.

  • Mass noun (Score:5, Informative)

    by tepples ( 727027 ) <tepples.gmail@com> on Thursday December 08, 2011 @11:53AM (#38303576) Homepage Journal
    "Data" is plural in Latin [wiktionary.org], but in common English usage, "data" has become a mass noun [wikipedia.org]. One says not "two data" but "two points of data". If you insist on inflecting the verb to match the Latin plural, do you plan to say "datôrum" for "of the data" and "datîs" for "from the data" or "to the data"? Or do you use "data" to mean gifts? Of course not; that'd be the etymological fallacy [wikipedia.org].
  • Re:Government action (Score:2, Informative)

    by Anonymous Coward on Thursday December 08, 2011 @11:55AM (#38303598)

    This is a legal grey area on so many accounts. Is there a reasonable expectation of privacy when storing data in the cloud? This can be important because it means that no search warrants would be needed, and people could be arrested seconds to minutes after data goes in the cloud. Encrypted data could be viewed as probable cause for a search because it would be (in the eyes of the law) equal to putting data on an open, free-for-all FTP server. Lawsuits can be filed for unauthorized MP3 files seconds after the files land in the cloud.

    Then there is another legal issue: Cloud servers that span countries. An admin in country "A" can be compelled (either via a legal action, or something less subtle like an AK-47 aimed at the admin's family) to log onto another country's cloud servers and hand stuff over. A country like Saudi Arabia where porn is illegal can get access to Germany's cloud servers, and when any German citizens come to visit, have them hauled off and jailed, or even executed, even though the act did not occur on Saudi soil.

    Finally there is the fact, as demonstrated by the Borders case, that all info on cloud servers, be it trade secrets, protected government documents, copyrighted info... anything, becomes available for all if the server provider goes under and the servers get sold off. A cloud provider that stores PII data like medical records can go under, another company pick up the data and make a torrent of the medical records for anyone to look at, and there is not a single thing that can remedy this in criminal or civil law, because the contract responsibility for data ends where bankruptcy begins.

    Until these legalities are sorted out, the only way a company can use cloud storage without violating Sarbanes-Oxley, HIPAA, FERPA, or other regulations is to encrypt data before it leaves the premises.

    It would be nice to see some regulation, such as DAR encryption for cloud data, coupled with mandatory destruction/erasure of all data if a cloud provider gets liquidated, with an independent organization overseeing the process, and certificates of destruction (with video) on the website. However, this would have to be part of the bankruptcy code.

    Until then, you will get shitloads of promises about security in the cloud, but until these loopholes are addressed, your data is no more secure than storing it on an anonymous FTP server.

  • by PerlJedi ( 2406408 ) Works for Slashdot on Thursday December 08, 2011 @12:09PM (#38303768) Homepage Journal

    For what it's worth, I personally agree with you.

  • by PerlJedi ( 2406408 ) Works for Slashdot on Thursday December 08, 2011 @12:10PM (#38303782) Homepage Journal

    That would be a bug, not a conspiracy. I'll see to it that it gets fixed.

  • by samzenpus ( 5 ) * Works for Slashdot on Thursday December 08, 2011 @01:22PM (#38304754) Homepage Journal

    We is the other two editors and myself. I wrote a few initial ideas and then it got passed around. I'm not sure if my boss picked the topic or someone at SourceForge. As rbowen alludes to in a thread above, this is a sort of test run to work out the kinks, but we still wanted to get a decent discussion going.

  • Re:Government action (Score:4, Informative)

    by Jibekn ( 1975348 ) on Thursday December 08, 2011 @01:51PM (#38305220)
    False, Google "Twitter Search" Second link.
  • Re:A little telling (Score:4, Informative)

    by rbowen ( 112459 ) Works for SourceForge on Thursday December 08, 2011 @03:38PM (#38306626) Homepage

    Here's a little more information from our legal folks:

    A: Earlier this year, we went through a pretty robust process to receive our Truste certification which covers privacy, security and safe harbor (our privacy policy is located at ADD LINK). We are continuing to look for ways to improve our security controls and protect user personal information. We did fully disclose an incident early in 2001 and the details and what we did about it can be found at: http://sourceforge.net/blog/sourceforge-attack-full-report/ [sourceforge.net]

    They also recommended that I point you to our corporate privacy policy, here: http://geek.net/privacy-statement [geek.net]

  • Re:maybe more secure (Score:5, Informative)

    by Martin Blank ( 154261 ) on Thursday December 08, 2011 @04:14PM (#38307176) Homepage Journal

    NIST published SP800-145 [nist.gov] (PDF warning) in October with their definition of cloud computing:

    Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

    There is an expanded section covering an additional 1.5 pages describing:

    • Essential characteristics
      • On-demand self-service
      • Broad network access
      • Resource pooling
      • Rapid elasticity
      • Measured service
    • Service models
      • Software as a Service (SaaS)
      • Platform as a Service (PaaS)
      • Infrastructure as a Service (IaaS)
    • Deployment models
      • Private cloud
      • Community cloud
      • Public cloud
      • Hybrid cloud

    OK, so it's not the best-formatted list (I blame Slashdot), but it makes the point. The document is short and abstract, but it at least tries to give a coherent response.
