Cloud Computing

Chris Burchett (US) - Navigating the Complexity of Cloud Security and Compliance in the US and Overseas

Over the last few years, numerous cloud storage services have popped up that are doing a lot of things right. They're making cloud computing easy, fast, and available to many people. Data from a single person or an entire enterprise can be stored virtually, with effectively unlimited space, and accessed from desktops, laptops, iPhones, iPads, and even PlayStation™ consoles. Aside from storage, these services let you freely share data such as photos, audio and video files, documents and even work-related information. In fact, for the enterprise employee, you can almost think of cloud service providers like Dropbox as your virtual briefcase.

But just because you can do all of this so easily doesn't mean you should.

In fact, when it comes to storing and sharing enterprise data without additional security, the answer is an absolute "No." Although cloud services like Dropbox are extremely convenient, their convenience shouldn't overshadow the fact that these providers don't keep your data protected in the way you might expect: private to you alone. In the case of Dropbox, a recent privacy policy update clarified that they will remove encryption from data in the event that it's handed over to law enforcement. This fact alone means that your data is not completely private to just you.

However, if a well-managed enterprise encryption technology were implemented alongside these solutions, using them would be much safer, and probably even encouraged by the most cautious of enterprise organizations. Such a solution would work with competing cloud services to support all of the great capabilities they will continue to provide, while giving enterprises the ability to control protection, audit use, and report compliance on their data in cloud services. Fundamental to these capabilities is that key management and encryption stay within the enterprise itself.
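As an added illustration (not code from the original article or from any product it mentions), this is what the enterprise-held-key principle looks like in practice: the file is encrypted on the endpoint under a key the enterprise manages, so the provider only ever stores ciphertext it cannot decrypt, and any change to the stored copy is detected when the file is read back. The key source, the object names and the sample document are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EnterpriseKey stands in for a 256-bit key held in the enterprise's own key
// management (assumed here); the provider never sees it and cannot strip it.
type EnterpriseKey [32]byte

func newGCM(key EnterpriseKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts on the endpoint (AES-256-GCM) before the file enters the sync
// folder; the object name is bound as associated data. Layout: nonce||ct||tag.
func Seal(key EnterpriseKey, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}
// Open decrypts a blob fetched back; any change to ciphertext, tag or name
// fails authentication, so the data owner detects tampering with the stored copy.
func Open(key EnterpriseKey, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open %q: bad key or truncated blob", name)
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(name))
}
func main() {
	var key EnterpriseKey
	rand.Read(key[:]) // constructed key; a deployment fetches it from the enterprise KMS
	blob, _ := Seal(key, "finance/forecast.xlsx", []byte("constructed sample document"))
	blob[len(blob)-1] ^= 1 // simulate a one-bit change made to the stored copy
	_, err := Open(key, "finance/forecast.xlsx", blob)
	fmt.Println("tamper detected:", err != nil)
}
```

Because the object name is part of the authenticated data, a blob that is renamed or moved inside the provider's store also fails to open, which is a cheap way to catch swapped files.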

That being said, as any security professional will tell you, electronic privacy is hard to do well. It requires technologies like encryption, key management, identity management and authentication. More fundamentally, it requires that the cloud service provider and the customer agree on something called a threat model. What this means, in the case of Dropbox, is that the user should answer several questions before using the service:

  • Who owns the data I'm putting in the cloud? This is the person or organization ultimately responsible for protecting the data.
  • Who should be able to view the data I'm putting in the cloud? Is the data owner okay with the data being public once it is in the cloud, or should it be kept private?
  • What consequences would result from public disclosure of this data? Who could be hurt?
  • Is it possible that anyone would want to use this data for illegal or malicious purposes? What might the impact of that be?
  • Would someone be able to tamper with this data without my knowledge? How can I continue to trust the data?
  • Does this data meet the compliance mandates of the region, be it in the US or overseas? Would access to this data by anyone other than the person who put it in the cloud place the organization at risk of a data breach?

When you begin to answer these questions, you realize that something you once thought was a simple, convenient solution for storing and sharing data is actually a very serious issue, especially for enterprise organizations. In reality, users should be treating most cloud providers as publicly visible file shares.

This potential lack of privacy can have considerable impact if you or your users are storing protected information belonging to others. This is especially true for European organizations, which must deal with highly stringent privacy laws. In the US, the likely appearance of a federal breach notification law will up the ante in the event that information is breached.

However, the bad news doesn't stop there. One of the benefits of cloud computing is that so much of the underlying computing infrastructure is hidden from the user. While this simplifies usage, it dramatically complicates compliance because information may be hosted in a country with very different laws and regulations than you are used to operating under. Organizations should be very careful to understand exactly what third-party relationships exist with their primary cloud provider before considering putting any kind of protected information in cloud storage.

So, does the lack of protection mean that the millions of users of cloud service providers like Dropbox aren't storing work-related and private data in the cloud? Of course not. In fact, they're doing so at an alarming rate. And that's all the more reason for urgency in solving this problem soon.


By Chris Burchett, chief technology officer, CREDANT Technologies
