Monday, August 6, 2012

Is The Cloud Horrendous?



Recently Steve Wozniak, who co-founded Apple with the late Steve Jobs, predicted "horrible problems" in the next five years as cloud-based computing begins to go mainstream. He was recently quoted as saying:

"I really worry about everything going to the cloud. I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years."

Mr. Wozniak went on to describe how data in the cloud will belong to the cloud provider and the individual will lose ownership of their own content, but it is more complicated than that. In my previous article, I outlined that cloud providers must enhance their security controls, but this is not just about controlling the security for access to content online.

Most cloud providers are able to reduce cost and increase operational efficiency by storing data across multiple servers and disk arrays. These same servers are used for all customers, meaning that your data sits on the same server as that of thousands of other clients. Most providers use database-configured controls to ensure each client has access to their specific content. In practice, this design works well and is very effective; of course, this design also makes it very difficult to return all content should you leave the provider, and as with anything, there is always the chance of a glitch.

The risk of a glitch is not what scares me. In 15 years I have only seen this type of issue occur a handful of times, and the exposure to clients has been minimal. What really concerns me is what happens when the hardware is upgraded. In 15 years of dealing with Fortune 1000 clients, I have never been asked, "What do you do with outdated hardware?"

The reality is that this equipment has content stored on the hard drives; unless they are physically destroyed or wiped in a manner that prevents recovery, your data can be reassembled. The other question you have to ask is what companies do with their outdated hardware. Many companies sell it on eBay, so you have no idea who just received potential access to your data. I have never seen an executed cloud-based contract that outlined what the policy was for hardware retirement.

For example, are you notified when servers containing your data are replaced? Are you informed how they are being decommissioned? Are you made aware of by whom and when the equipment was properly destroyed? I am not implying cloud providers are not handling security properly, but I do believe enterprises have to begin to demand more from their cloud providers and insist on the audits, notifications and penetration testing; otherwise, Steve Wozniak’s prediction will become our reality.



Frank Toscano is a 15+ year specialist in cloud based services focusing on Product Management, Marketing and Security within the Cloud. He has worked for Easylink Services and Premiere Global Services in a global role providing hosted services to Fortune 1000 clients. He is currently seeking employment with a cloud based provider in a senior level Product/Marketing role.

Cloud Providers Must Enhance Their Security Controls



We see it all the time: social media sites being hacked and accounts being compromised. This has become a routine part of the internet (LinkedIn hack is much worse than you think), but in order to protect sensitive data and prevent embarrassment for organizations, these social media outlets must take a stronger stance on security and start to develop moderator controls. This especially holds true for enterprises that utilize social media avenues to promote their products.

Recently Major League Baseball was hacked on Facebook (Jeter has sex change in Yankees Facebook page hack), and being a Yankee fan I was surprised to learn that Derek Jeter was having a sex change:

“We regret to inform our fans that Derek Jeter will miss the rest of the season with sexual reassignment surgery. He promises to come back stronger than ever in 2013 as Minnie Mantlez.”

This, of course, was not true and was quickly caught and taken down. However, had Facebook offered moderator controls, a feature they could easily charge for, these comments would never have been posted to begin with.

I have worked in the cloud space for over 15 years. You may think the concept of cloud is new, but in fact we used to call this very concept outsourced, hosted and managed services before some clever think tank decided to call it a cloud-based solution.

The problem is that most organizations accept the contractual terms that outline security, assuming they are protected, and from a legal perspective they probably are. However, how does an organization bounce back from an attack on its reputation? The fact is that, depending on the seriousness of the event, it may never be able to recover.

While this particular event was humorous, what if it were true? How do you take back a statement once the bell has already been rung? This all starts with enterprises becoming more aware of the cloud solutions they are utilizing and putting in place stopgap measures to make sure that the cloud providers are in fact policing themselves the way they claim. Without a proper audit and penetration testing, there is no way to be certain your data is truly protected.



