It’s been said that if you want to keep your data safe, keep it in the data center, not on the Internet.
Really? If you examine the facts, you might find that with a few tweaks, cloud services are actually more secure than your in-house storage facilities. Indeed, for normal organizations (i.e., not the Pentagon), most incidents of real data theft are the result of internal employees, not external malefactors.
While I'm sure as IT professionals we all take great security measures, those darned users seem to have minds of their own. There is some data that is always going to be at risk, whether it’s stored in-house or in the cloud.
A user emails files to his personal mail account and leaves the building with the data on his laptop; the laptop gets stolen and data is at risk. An employee is let go; she decides to take some of the organization’s data with her by copying it to a USB hard drive. Now that you can fit 1 Tbyte in your pocket, a lot of corporate data is at risk.
Worried about internal data theft? Check out IE's tutorial on mitigating the insider threat.
Moving the data out of your building may actually be safer than running these kinds of risks. Many users are already placing corporate data in the cloud anyway. They are using cloud services for collaboration or to store backup copies. Almost every cloud storage service provider I speak with indicates they are storing data for many Fortune 500 companies. This is often being done covertly, without IT knowledge. Talk about security concerns.
One cloud storage provider I know reported having multiple terabytes of SEG-Y (the preferred format for seismic information) in a personal cloud services account. I can't think of any reason someone would save SEG-Y data for personal use -- can you?
All of this raises the question: Can enough security be added to cloud storage to make it not only a viable option but the most logical destination for data that needs to be secured?
I think the answer is "yes."
Part of the solution is to include an encrypted, secure transfer and storage mechanism for moving the data from your data center into the provider’s network. Then, access to that cloud must be limited to a very few; any request for access or search should be logged and auditable. There are some cloud companies that deliver an encrypted, secure transmission to the cloud storage facility and even store it in such a way that the service provider cannot view the data; all they see is encrypted bits.
Typically, this is accomplished via use of a hybrid, gateway-style appliance placed in the customer’s data center. You transfer data to be archived or retained to this appliance (and of course all of this happens behind your firewalls). The data is then encrypted prior to transmission, and with some providers the data stays in an encrypted state, so the service provider can’t see it. Of course, if you lose your encryption keys, they can't help you either.
Expect to see many improvements to this model to further tighten security. After all, if the cloud addresses security concerns, then it can be a real asset to organizations looking to reduce their reliance on in-house gear.
As this security tightens, it’s likely that many organizations will come to the conclusion that their data is more secure in the cloud.
This blog is part of Internet Evolution's IT Clan, which addresses the continuing impact of the Internet on enterprise networks, applications, and management.
I agree with your points completely! In fact, my first post stated that I believe cloud computing is a new technology in search of a problem to solve, and that the cloud computing solution providers are currently involved in trying to make security a problem that they can solve.
As I see it, what the cloud offers is radical simplicity. Devices can be IPv6 and MAC address identified, and the security/data-access protocols will be logical constructions in the cloud. Physical partitions, e.g. 'firewall' and 'premises', are all gone.
I think we can count on the "cloud" data centers (Amazon, IBM, Google, Microsoft and Salesforce) to be far more careful about admin rules than even the best enterprise. And because of their scope, they will be able to detect, and react to, new attacks faster.
I still fail to see how cloud storage can create "tighter security." There is nothing that convinces me of this in the thread.
Once my data is outside of my control, I have more things to worry about and less visibility into the access and use of that data. That doesn't make me feel more secure.
I'm not sure I understand the difference here...
"I am not proposing it as a backup system, more as an archive system."
It seems that you are proposing that the cloud be a replacement for off-site storage services. Perhaps you are addressing offsite storage security requirements and not "data security" as a whole.
I can see how some companies, and particularly smaller ones with limited staff, may decide to go with cloud services, but I don't think that this is in any way related to security. It's related to operational effectiveness and efficiency. Security can be tied in there as well as a requirement, but that's not going to be the key aspect of it.
George, Thank you for the opportunity to read your white paper. I found it a very interesting read. However, I remain unconvinced and skeptical. But, in the spirit of fairness, let me try one more time.
In the network situation I proposed in my previous post, storage of new or current data is no problem. The data and information created by current projects, recent billing information, or meeting notes and new e-mail messages all require instant access by large groups of users. After about three months all activity in the file structure moves on to newer, more current data or information. It is this storage of inactive data or information that causes the most concern. Some information, such as project meeting notes, utility bills and payroll information, all have retention policy time limits on how long we must retain that information. Other information, such as non-elected officials' e-mails, software project source code updates, syslogs, event logs, etc., have different retention policy time limits. And still other information, such as every single e-mail to and from every member of the City Council and the Mayor and his/her staff, must be kept in perpetuity, as required by law.
It is this stagnant, very seldom accessed data that poses the biggest problems for storage space. And it seems to grow exponentially. This is realistically the best and possibly only opportunity for cloud storage in my situation. In fact it would be ideal, but only if the cloud storage solution provider would guarantee a 99.98% uptime access policy. In reality, the only time some of this information is accessed is when a private entity requests information under the Freedom of Information Act (FOIA). And since this most often is associated with a lawsuit, this information must be provided in a timely manner.
I am not proposing it as a backup system, more as an archive system. I am also not proposing that you replace your Data Center. My opinion is that there will always be a mix of needs for on premise and off premise processing and storage. The idea is to have as you say the data out of the facility in a totally encrypted fashion. Basically encrypted as it leaves and encrypted as it is stored at the remote facility.
I don't see Cloud as technology in search of a problem. The problem is clearly storage, and the security of the data being stored, especially long term, is one aspect that it solves. In much smaller data centers than the one you describe, the role of Cloud Storage can be significantly higher.
Might I suggest our white paper: Cloud Storage Realities for more details.
sbondy, That is a fair question. I think for many organizations the cost to build the systems to control, automate and maintain that data might be more expensive than using a Cloud Storage Service that is focused on doing just that. There is one provider that I am speaking to that will specifically have language in its contract that will provide an SLA around liability.
Jason_13, I agree all data is at risk, I thought I said that in the entry? Agreed the specific issues you cite don't go away in the cloud, although possibly the Cloud can help there too. For the entry I was focused on specific critical data that the organization knows it wants to or has to retain. That is a situation where the cloud might be a very viable storage area. There is no doubt that you can use some of the advanced disk archive products or even build an internal private cloud to solve the problem as well. -George
I'm not sure if I completely understand what it is you're trying to sell here! What it sounds like to me, is like some kind of fancy backup system. You described a data center with usual access granted to all users. Let's just say, I have 10,000 users and a data center that serves a large Metropolitan Area Network. We have high-speed data links between all the city buildings, and the data center, with segmented circuits (i.e., libraries, police department, City Attorney, fire department), with full access to the Internet and limited access to and from the rest of the inside network. We also have border routers and a firewall between the inside network and the Internet.
And now we are to add a device in the data center that links it directly through an encrypted channel to a commercial cloud site. The cloud site limits our access to our encrypted data to only a very few select "read trusted" people on my side of the connection (limiting the other 10,000 users on my network with no access to the cloud storage).
If that is the scenario as I understand it, then all we have accomplished is the ability to get rid of my tape backup system. However, if you are proposing that I get rid of my data center, and replace it with the encrypted link to the off-site cloud provider, then all 10,000 of my users must have access to the data on the cloud and we have not accomplished anything with regard to improving security against inside attackers.
This is how I see the cloud phenomenon as it stands right now. It is one more technology solution in search of a problem to solve (and right now they're trying security).
We ran into this same idea about 10-15 years ago, when everybody was trying to push thin-client solutions to replace the established server-client paradigm (do you remember Citrix vs. Microsoft thin client-server wars and licensing arguments?). Thin client architecture was originally designed by the good people at Oracle to connect to Oracle databases (in fact thin-client was so new, they also had to invent the term thick-client, so everyone knew what they were talking about). And then, in my estimation, some "marketing genius" tried to get rich by selling it as a replacement to desktop computers connected via Ethernet to anything and everything (Microsoft, Sun, UNIX, Linux and Novell servers).
As soon as consumers recognized this as a step backwards to the world of mainframes and dumb-terminals, that idea withered on the vine also. And as soon as somebody sees that the King is wearing no clothes, this cloud computing thing will go away also. Or at best, become a niche market.
"There is some data that is always going to be at risk, whether it’s stored in-house or in the cloud."
All data is at risk, always! Someone always has access to it and there is always a way to export it. We mitigate the risks by restricting access, but it is still at risk. By moving it to the "cloud" you've granted additional access to individuals with no stake in the success of your company. You also cannot easily judge the work climate of those with access to the information.
"A user emails files to his personal mail account and leaves the building with the data on his laptop; the laptop gets stolen and data is at risk. An employee is let go; she decides to take some of the organization’s data with her by copying it to a USB hard drive. Now that you can fit 1 Tbyte in your pocket, a lot of corporate data is at risk."
These don't go away once you move to the cloud. In fact, you now have systems outside of your control with access to do this.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.