I was in London a few weeks ago, and splashed across the Metro, a paper that circulates freely on the Underground, was a story about a messaging service that had breached data privacy laws by asking subscribers for access to contact lists and storing that information on the company's servers in California. This application had about 300 million users globally, so large volumes of sensitive data were at stake.
For the majority of us, cloud applications have become both a way of work and personal life. Productivity applications are a big component of the way we work today. And applications are often comprised of or linked to multiple micro applications that further complicate data privacy. Cloud storage services represent another vector for storing data in the cloud -- and add yet another layer of complexity to the privacy conundrum.
We hope the organization collecting and storing our information has strong data-handling procedures, access controls, and proactive measures against hackers. And, for the most part, I believe that to be true of both established entities and emerging providers.
Yet even in a best-case scenario, one where the cloud service provider or developer stores only information that the customer has consented to, there are strong data-handling practices, and even if only authorized personnel access that information, people must still take precautions with their personal and corporate data.
It's not unlikely that at some time, a smaller cloud storage service provider will close or merge, at which point it's up to individual users to remove their data from the site and transfer it to another data storage site if they wish. Unfortunately, an increasingly common scenario is that authorities might seize data for various reasons. Or individuals may become involved in a variety of copyright issues. Perhaps many, or indeed, all of us, will experience the following scenario in the next few years: Our data (personal or corporate) ends up in the wrong hands and is used for nefarious purposes. Try explaining that to your significant other or boss.
So, what should you tell your organization's end users to do when they work from home or on the road, represent your company online, or interact on social media?
- Ensure they know they must be careful about what they post about themselves on sites like Facebook and other social networking sites.
- Tell them not to link passwords together and to use two-factor authentication.
- Make certain any material on cloud storage sites is legal and does not contain highly sensitive data.
- In the case of an organization’s sensitive data, be sure to encrypt and back up data.
Securing the cloud is not the responsibility of one person or department. It is, rather, a burden everyone should shoulder.
— Evelyn de Souza is a datacenter security strategy consultant and co-chairs the Cloud Security Alliance Cloud Controls Matrix (CCM). She blogs at RavenhairedMaven and is on Twitter at: e_desouza.