Is user data safe in the cloud?
Thousands of websites and millions of pieces of private data are increasingly in one big cloud, where some of the old rules of data security are out the window.
With the rise of cloud computing companies, and the ferocity with which tech's biggest companies are snatching those firms up, it's no secret that a good chunk of our user data is already stored in the cloud. Our emails, our documents, our social network profiles and hundreds of thousands of tiny startups already rely on cloud services like SalesForce.com to be more productive and cost-effective. But one concern that remains constant is that of security. By off-loading more data to the cloud, are companies increasingly opening themselves and their users up to hacking, data loss, and privacy compromises?
What's at risk
Take the example of credit card data. Most of us don't think twice about saving account numbers and security codes into our online shopping profiles. The Payment Card Industry (or PCI) is a global information security standard established by a consortium including Visa Card, MasterCard, American Express and Discover, that places specific requirements on the operational infrastructure that handles high-risk data like credit card information. If an infrastructure doesn't conform to any and all PCI regulations, then it's not PCI compliant. And because cloud infrastructure is so vastly different than that what PCI was written for, most cloud service providers are in fact, not PCI compliant.
How a cloud service provider encrypts client data is also key to security. According to Forrester cloud analyst Chenxi Wang, cloud data encryption can be scattershot. Some services encrypt their data; some don't. For those that encrypt, it's worth figuring out whether the encryption is strong enough, whether the physical server that stores your data is entirely encrypted (ie. is all client data encrypted the same way?) or whether the service provider offers applications that encrypt your data separately and with different keys than other stored data.
That last concern stems from a popular cloud practice: some cloud providers store data from multiple clients on the same physical server. So, Client A may be running one "virtual machine" and Client B can be running on another "virtual machine," but both could be physically running on the same server. If an experienced hacker gains access to Client A via a security hole, it's not outside of the realm of possibility for the hacker to gain access to Client B's data as well. Even Client A, if they're up to no good, could become the culprit.
"The risk of that, depending on how the cloud provider, may be minimal, or it may be quite substantial." admits Wang. "From the absolute security stance, there is a risk that the other company who happens to rely on the same infrastructure may be able to utilize some covert terminal, or some kind of interface that's available to actually hack into your part of the infrastructure."
Another concern is the use of the third-party companies for various components of a cloud service. While Amazon's cloud services are entirely in-house, other cloud services are relying on third parties more and more.
Wang brings up a recent example where third party usage has gone horribly awry. For back-up purposes, client data is often written to tapes or drives, but after a given period of time, most back-ups need to be destroyed. Recently, an unnamed cloud provider sent their back-up tapes to a data disposal company. Wang says the data disposal company lost all the tapes, and thus all the cloud client data on them.
"The cloud provider was put in a very bad situation because they don't have any assurance the data was actually destroyed," says Wang.