Ask Slashdot: Is Your Data Safe In the Cloud?
sponsored by:
332
With so much personal data being kept on the cloud, including government and health records or your source code, do you have any concerns about it falling into the wrong hands? Do you think the cloud's benefits are outweighed by continuing security issues?
Is your medical data safe now? (Score:4, Interesting)
I used to be a security "expert" (at least according to my business card), but that was long enough ago, and things have changed sufficiently since then, that I no longer make that claim. However, back then, most of our customers happened to be in healthcare in some form or another, and I was appalled, on a daily basis, how insecure their data was. Any high school kid with some tools could completely own their network servers with very little effort. We hired one of those high school kids, and he frequently did.
Furthermore, with a little sweet talking, or looking under keyboards, we got access to all the stuff that he didn't. Granted, this was in the days immediately before HIPAA, and in the first days after HIPAA when people were trying to figure out how to implement the requirements. I naively hope that HIPAA has corrected some of the most glaring of these problems.
It's hard to imagine that putting data "in the cloud", whatever that happens to mean in the particular case under discussion, could be any less secure than where they're already storing your data.
Re:A little telling (Score:5, Interesting)
Well, we were pissed about the experts not being expert enough -- so here goes nothing -
What does Source Forge do that is above and beyond the call of duty to protect user information? Have you guys had any data breaches that you haven't disclosed, or fully disclosed? What would you have done differently in hindsight?
security... from what? (Score:5, Interesting)
I am a lawyer, and the thought of trusting my data to the cloud makes me very nervous for several reasons.
1. Government access. If you trust the government to keep its hands off of your securely stored data, you are living in the 1960s. Federal and (most) state governments are too tempted by the possibility of using your data for good purposes to actually keep their hands off it. Employees (like the FBI) will peek at it, especially if you're famous. They will run "searches" to see "what comes up" and get a feel for whether the government needs to do something. Data should never be stored -with- the government, and government should be expressly forbidden from getting access to it after it is generated. They should be required to give you notice each time that they access your data and describe to you what they are looking for in it when they inevitably -do- access it.
2. Outside threats. I'm thrilled every time I read about botnet attacks and Anonymous hacks that get into some individual's or company's private data. (Sarcastically...) "Yes, I believe that my externally stored data is safe from outside intrusion and will not be stolen by criminals." No, I don't believe that. There is no routine requirement for encryption in business environments. If there isn't a robust, national / industry-wide data encryption plan that makes it easy for the end-user (the person whose data it -is-) to protect and access the data, I think that the cloud is too risky for storing really important information, rather than just having my music collection stored in iCloud or Amazon's service.
Also, email security, to me, seems to be a joke. Here, I don't worry about breakins to get at my information, although that has happened at many email providers. Rather, I worry about internal inspection of my information. I use Gmail, but I don't believe for a minute that Google, (or Facebook, which I don't use) doesn't sometimes run statistical analysis of the email stream or the google search bar terms I use to learn more about me. It's their business to know more about me so that they can make money advertising to me. You can be sure that they test their AdSense algorithm improvements on my data to enhance the chances that I'll click on an ad and make them a few per thousand clicks.
I will use the cloud as a backup with services like MozyPro, but only if I can have assurance that my information (my clients' information, really) is locked down tight. To my mind, "ease of access" from storing information in the cloud equates all too readily to "ease of theft" where the thieves don't even have to leave their desks in Mountain View or Moscow to "reach out and touch someone" (apologies, ATT). I much prefer to make the thieves go to all the bother of getting up and coming to my house or office to steal my data.
Re:Government action (Score:5, Interesting)
Cloud ::= Timesharing (Score:5, Interesting)
We used to have cloud computing in the mainframe days: IBM ran a data center somewhere, and you connected to it via a leased line. The only way you knew its location was from the size of your phone bill (;-))
Joking aside, cloud computing really is just a buzzword change. Like any other outsourcing effort, you are at the mercy of the vendor and the government of the country they're in. Chose your suppliers based on the SLA they'll offer you, and the country of the candidate suppliers based on the rights they honor.
--dave
Re:No. (Score:5, Interesting)
Re:Government action (Score:5, Interesting)
Yes, to me this is a much bigger concern than something intrinsically secure/insecure about cloud computing. By entrusting my data to a third party vendor, I make it one step easier for the government to sieze it. With the kinds of legislation that's being debated even this week, I worry that any data I entrust to a vendor might eventually be subpoenaed, and I wouldn't have any recourse.
And hosting that data elsewhere (ie, outside of my country) doesn't necessarily solve anything.
On the other hand, the benefits of the cloud - a scalability that I can never achieve "at home" - enormously outweigh this concern in most cases. When it comes to confidential data, however, the question becomes much less obvious.
Re:It's hard to see it being less secure (Score:5, Interesting)
As I posted here: http://ask.slashdot.org/comments.pl?sid=2563666&cid=38303250 [slashdot.org] - I've seen servers at hospitals, local governments, and various other supposedly-secure places (fire stations, airports, etc) in my years as a network security auditor. And I frequently peek under the keyboards in doctors' offices while I'm waiting for them. It's hard to imagine that storing data on someone else's server instead of their own is going to make any substantive difference in their data security posture.
I think VMware has got it right... (Score:5, Interesting)
This contrasts to some recent Microsoft events I've attended, where they were pushing Azure so freakin hard that one of the Microsoft guys was almost literally said, quote for quote, 'if your next SQL project isn't on Azure, you're making a BIG mistake'. Microsoft seems to be of the mindset that between Azure and Office365, it's a hole-in-one business case for every company on the planet, which it's not. They went on to sell their Intune service the same way - 'If you're not a big company that has your own SCOM/SCCM solution, then you're making a mistake if you don't use Intune'.
Bottom line, much more cloud snobbery from the Microsoft guys.
Re:I Disagree (Score:3, Interesting)
we are having this conversation to promote SourceForge, if you didn't notice.
heck, I would have missed this "article" but it was laced on my post history page - in a different color too.
I thought I had ads disabled. guess not...
Re:Is your medical data safe now? (Score:5, Interesting)
It's hard to imagine that putting data "in the cloud", whatever that happens to mean in the particular case under discussion, could be any less secure than where they're already storing your data.
Exactly. The amount of risk that is introduced by putting your data into the cloud is infinitesimal compared to the risk that already exists in your network due to your company's cultural lack of top-down focus on security. If your CEO has domain admin privileges to the network and does not actively manage the active directory structure, you probably have more serious security issues to worry about.
I am a current security expert, working at a security-conscious company. So far, I haven't seen any hypervisor exploits, so the largest source of failure from hosting your business in the cloud probably rests on being unable to access data because of your ISP or network outages. Shop around by comparing SLAs.
When hypervisor exploits do become known (and they will), the PCI council will likely put the hypervisor into scope - they're waffly about it right now. As soon as that happens, kiss your PCI-compliant cloud goodbye - the third-party compatibility for security tools used for PCI compliance in the cloud are abysmal. It will become very difficult for any cloud-based application to live up to the PCI standards. That's your real risk.
Re:Possibly better trained than me? (Score:5, Interesting)
The key phrases of your entire post are "I would like to believe..." "In theory..." "....seem to do a good job"
The reality of it...really...we, as sysadmins turning to "The Cloud", have no real bloody idea how good the people there are. And lets face it...there are rogue sysadmins everywhere (just like rogue accountants, etc). Sure, its a serious minority of people, but they exist.
If I have a rogue sysadmin at my office, my data is in danger (whether by accidential/intentional destruction, leaks, theft, etc). At aq major cloud provider, hundreds, if not thousands of company's data is at risk.
There are definite cases for The Cloud...I have my antispam services in the cloud for example. The economy of scale meant that they could do a better job for the same price as I could internally. If you are a retailer with an e-comm presence, having the ability to instantly scale up your processing power based on need at a given moment (ie..Black Friday/Cyber Monday) without having to buy hundreds of thousands of dollars of equipment that is rarely used is a good thing.
But throwing my day-to-day operations and database to the cloud? I have no need, and I can provide the services to my company far cheaper than any external provider. Last time I priced it out, I could entirely re-do my entire computer infrastructure (Servers, desktops, switches, routers,etc) every 2 years for the extra cost of having it hosted for me. I'd be a fucking retard to do that.
Government data and Open Source (Score:5, Interesting)
I've long thought that government software should be software of the people, by the people, for the people (to be a little over-poetic). If I pay for the development of software that's used to run, say, the TSA, then I should have access to that code. And if the IRS is using software to store my data, I should have access to that code so that I can verify that it's secure, and is calculating my tax refund correctly.
I'm not sure, as a non-lawyer who has never worked as a government contractor, whether such demands are at all realistic or probable, but I still think it's worth making the demands. While I'm confident that *my* congress critter didn't understand the letter I sent him on the subject (at least, based on his content-free response), I would encourage you to contact yours, and maybe there's one out there that would understand.
The medical data issue is a little less clear-cut, depending on whether medecine is socialized in your particular country.
Putting medical data in a shared data pool *promises* big things, certainly.
Every time I go to a doctor's office and have to fill out all the same data, yet again, or when I have to fill out yet another government form with all the same information that they already have, often two or three times on the same set of forms, I think, why, in 2011, do I have to fill out these forms at all, when they already have so much information on me that should be readily accessible? A retinal scan, or even an ID number, should be sufficient to avoid this. Why haven't we solved this problem yet? (Yes, that's a very naive position, largely inspired by the frustration of filling out the 8th form while other peoples' kids run around screaming and sneezing on me.)
But who do we trust to be that central repository of data, and not sell it to the highest bidder?
Re:Government action (Score:4, Interesting)
So your data isn't really that much safer out of the cloud from the government.
The fear of the cloud is like the fear of taking the train vs. driving.
Like taking a train if there is an accident, one accident could have a big effect and a lot of people get hurt. While people are getting hurt every day (more then then a single train accident)
You are usually safer in the Cloud computing or taking the Train... However you loose control so you need to trust someone else with your data or your life. We don't like doing that even if they are better at keeping you safe then you are.
We as IT folk who take pride in our work really don't like the idea that some snot noes kid is handling data. However for the most part we are the Snot Noes Kids too, and we are in an organization who isn't as committed to keeping everything protected and operational.
Re:Government action (Score:5, Interesting)
"Becomes less obvious"
No it doesn't. Well, not to me. I just encrypt my data and store it in .JPG, .TGA, .PNG image's exif or "developer's area" data, then upload it to Sourceforge, GitHub, PirateBay, etc. and share it with the whole world. Since the images can't be transcoded in my open source projects (or else SHA-1 hashes don't match in the repositories), the data is pristine, verifiability tamper proof, and everywhere for me to re-download, decrypt, and use (so long as my projects remain popular).
I didn't see anything prohibiting this practice in the EULA... Still, I thought it best if the data was actually used for something. Turns out encrypted data makes a really good and fast pseudo random number generator lookup table, although it does eat a bit of disk space.
Now, if you want to narrow your definition of "cloud" to only services that do re-encode and compress my data, not allowing encryption or lossless images -- Well, I'd argue that those aren't storage solutions so much as storage problems.
Lately I've been hosting my data with friends and family, and they host theirs with me. Altogether we've got quite a bit of redundancy and geographic coverage. While I may not be able to get as reliable a service "at home", at all of our homes, I've achieved even higher uptime over the past year than Sourceforge.org has had... My custom solution involving deduplication (hey, we're family we can ACTUALLY trust each-other with some things) and other FSYNC like features is not ready for prime-time yet, but when it is, I plan to TAKE BACK THE CLOUD -- For free.
Re:Government action (Score:2, Interesting)
There are e-mail account providers, like runbox and neomailbox, that offer hosting in Switzerland, where the privacy laws stipulate that the government can only subpeona data as the result of an ongoing investigation. Also, at least for neomailbox, they delete the logs of an e-mail 7 days after it leaves the server, and that is nice if you configure your e-mail client to not leave a copy on the server :)
I signed up for neomailbox after I read the gmail privacy policy, which says that Google can use your information to protect its interests -- e.g. for whatever it wants. I realize that their business model necessitates this sort of legal language, and as they provide a free service I can't complain, but I can pay to buy a service that upholds privacy.
That said, as a U.S. citizen I believe that the government could ask me to give them the data directly, but I am OK with that, as I plan to obey the law. If they ask directly, it will be part of a court process, which I feel is fair. I will also know about it.