Feeds

Is cloud data secure?

Because your datacentre probably isn't

  • alert
  • submit to reddit

High performance access to file storage

Hosted apps Would your data be more secure in the hands of Google or left where it is? Your answer to that depends on where you store business information at the moment and, of course, whether you feel Google can be trusted.

We’re picking on Google here because it is the “cloud” player that, rightly or wrongly, receives the most criticism about security and privacy. We could, however, ask the same question of Microsoft, Salesforce.com, Amazon, IBM or anyone else offering to host the business information that is so precious to us.

Before we discuss this issue of trust, let’s think about where your data resides right now. If you are a sizeable organisation, you might have a central datacentre or computer room that houses specialist servers and storage equipment. As well as that, research among Reg readers suggests that you are likely to have at least a few local servers and storage devices dotted about the business. Then there is all that stuff that sits on desktop and laptop PCs, not to mention smartphones and handhelds, or even in cloud services such as Dropbox or SkyDrive.

"Most businesses could never match the Fort Knox-style controls implemented by the big providers"

The result is that not everything is totally controlled and secure. In smaller organisations with limited manpower and money to spend on automation, this is even more true. There is no shame in this. IT professionals do what they can with what they have, and 100 per cent protection is not realistic anyway. Some of the most common threats arise from accidents or misuse of data by employees and partners.

Is it reasonable, then, to be so hung up on security when it comes to hosted service or cloud providers? Even setting aside the human element, most businesses could never match the Fort Knox-style controls implemented by the big providers to protect their datacentres. Nor would they be able to implement the same measures to defend against hacking or to manage access control.

So what are we scared of? And we are scared, if the research is anything to go by. Whether it’s in our Reg reader studies or surveys carried out elsewhere, security and privacy appear at or near the top of the list of reasons given for not moving stuff to a service provider’s datacentre.

Coming back to the question of trust, or lack of it as the case may be, one concern is that providers will abuse access to our data. Whether it’s selling "profiling" or "traffic" related information to third parties who want to advertise to us, or giving up our secrets to governments at the drop of a hat, we get nervous. The press has educated us not to believe that such activity is innocuous, even if the stories are about consumers, and even when data has been aggregated and anonymised before it was passed on. There is similar uncertainty over whether "delete" actually means "delete" (in the permanent sense) in the cloud.

Just as with on-premise systems, we then have the possibility of human error inadvertently creating a security hole to the outside world, but specifically with SaaS there may also be concern about leaks of information between customers. There is something inherently worrying to many businesses about their data sitting in the same infrastructure as that of their customers, suppliers and even competitors.

Lastly, we have a cultural dimension. Many of the big providers have their roots in the consumer sector, providing low-cost or advertising-funded services to the masses. The conventions in this space are perceived to be different, especially if the provider has anything to do with social media. It is often assumed that the spirit of “open by default, secure by exception” applies. This might not be fair but there remains the nagging question of whether the expectations of both consumers and businesses can be met via a shared infrastructure.

We would be interested in knowing what you think. What kinds of providers do you trust and which ones are you suspicious of? What can providers do to reassure you? Are contract terms and service level agreements good enough, or are there specific proof points you would look for? We would be particularly interested in hearing from those who have overcome their issues (or paranoia) and taken the plunge into cloud services.

High performance access to file storage

More from The Register

next story
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Windows XP still has 27 per cent market share on its deathbed
Windows 7 making some gains on XP Death Day
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
US taxman blows Win XP deadline, must now spend millions on custom support
Gov't IT likened to 'a Model T with a lot of things on top of it'
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.