How safe is the cloud?

Today’s column about the safety of the cloud left out some other hazards to data.

What happens if your cloud provider goes out of business?

In 2013, Nirvanix went out of business, leaving customers two weeks to retrieve their data. They just ran out of money and/or the will to carry on. Those customers were lucky - last year, a cloud provider called Code Space was compromised and they went from up and running to smoking hole in twelve hours after a hacker gained access to their Amazon EC2 (Elastic Compute Cloud) dashboard and trashed everything in sight, including the backups.

Obviously, being hacked is not a hazard unique to clouds, but part of the whole “Let’s put our stuff on a cloud server” is freeing your IT staff from protecting servers from attacks, so you probably weren’t expecting your cloud and everything on it to be destroyed in a matter of hours.

Lawsuits can spoil your day as well

I can’t put my hands on any specific examples right now, but there have been some cases where a cloud provider was subpoenaed in the process of some lawsuit and became unable to allow any of their customers access to data during the discovery process. How long can you survive if your data is being held hostage like this?

When I read the title of the inquiry, I thought it was going to be more about how sacrosanct the data would be. There’s been a bit of bad press on this lately, like some starlet getting her cloud data boobie pics hacked/downloaded. I’m not a starlet and don’t have boobies, but would still harbor an in-principle concern that my data should be… well, I said it, already: Sacrosanct. It’s my data, and no one else’s, and as the old blues man said, “Ain’t nobody’s business but my own…”.

[the info proffered by Cecil is nonetheless appreciated!]

Was a pretty good article…it’s cool to see an article on IT stuff, since it’s not something you generally see a lot of. As for the OP:

As you noted, you generally have some time to move your data. If you are completely reliant on the ‘cloud’ (i.e. you have all of your data and VMs provided by a single provider off the internet) then you are, of course, more vulnerable than if you are using it for disaster recovery or fault tolerance of your system. So, in that case, yeah…it would suck if your provider went tits up and gave you only a few weeks to transition. If you are using your cloud provider as redundancy or disaster recovery, though, it’s not as big a deal (unless, by chance, you happen to get hammered right when your provider goes TU and before you’ve made provision with a new provider :p).

One thing that Cecil doesn’t really go into is that there are several ways to do a ‘cloud’. You could go with a provider that does it for you, or you could build it yourself by hosting your hardware at various sites throughout the world. In that case, you wouldn’t have this particular issue, since if you host your equipment (basically, purchase rack space at some tier 2 or 3 provider site) and bring in the pipes you aren’t dependent on them being there to provide the service…merely that their data center will continue on. Of course, it’s usually a lot more work on your IT staff to do it this way, but then you get more control too, so it’s a trade-off.

We use a cloud-based service (we also host our equipment in several different data centers in different states and one in another country) for fault tolerance, continuity of service and disaster recovery…and one of those disasters is hacking. With data mobility systems today you can use various add-ons to snap mirror that give you a lot shorter windows for your snapshots, allowing you to roll back to a ‘good’ data set that’s closer in time to whenever you got hacked than you could in the past. Nowadays you can have snapshots in as little as 5 minute increments…which is just amazing, to me, considering how things were even 5 years ago.

There are several ways. If you are going to have someone do it all for you, use a private key encryption system that the vendor doesn’t have access to (or double encrypt it…use your own key then have them encrypt it on top of that). Don’t go with a single vendor. Host your own equipment at a tier 2 or 3 provider’s data center (i.e. rent rack space and spin it up yourself). You don’t HAVE to be completely dependent on a vendor, unless you simply don’t have any IT resources yourself (which a lot of companies don’t) and you don’t have a decent and trusted consultant (which a lot of companies don’t want to pay for).

There’s also the question “Safe from what?” The column mostly addressed the issue of “safe from losing your data”; there’s also the issue of “safe from snoops purloining your data” (which is admittedly a simpler question that can be answered in three words: encrypt, encrypt, encrypt).

You may be thinking of Megaupload.

Encrypting data that only one person needs to see is a somewhat solved problem. Encrypting data that a large changing team of people need access to is a trickier problem that is not easily solved if you don’t want to trust your cloud provider.

In the end most companies don’t take security seriously, see Sony. Having a good cloud provider means fewer breaches since security is what they do. Mind you there are mom and pop cloud providers which may not be as safe, but with a tier 1 provider such as Microsoft or Amazon your data is far safer in their datacenter than it is in yours.

“The Cloud” is the least risky strategy for long-term data storage as of this writing (Spring 2015). Does that mean you cannot lose everything nor have it misappropriated without legal recourse? No to both above. You could also die while reading this, too; life is uncertain like that, so relax. But do remember the first principle of economics: there ain’t no free. There has to be an economic cost to providing data storage, and that is a fact.

Methods for reducing the probability of lost and/or corrupted information have been studied for decades by mathematicians and engineers ever since the first practical computers were made available to high-level scientists (long before Joe Public ever saw an electronic keyboard or watched “Star Trek” in the 1960’s.)

Pick your own poison: it is your data. Ask yourself how much it is worth to you if you lost it all, then decide.

If your IT department is more clueless than the people who run the cloud, the cloud might be a good idea. If it is equally or less clueless, the cloud is a bad idea, because if you store data internally it can’t be accidentally “shared” with someone else.

Does “google drive” = “the cloud”? How secure is it? I worked for a company that used it, and always wondered. What they put on the drive was pretty sensitive proprietary information, of their clients, as well as of their own.

I work with IT departments from various companies every day of the year as part of my job. I’ve never worked with a company with fewer than 100,000 users and I’ve never worked with an IT department I thought was particularly competent or knowledgeable about their own network. In fact the longest part of any assignment is tracking down the details of their environment and refining what they think they want into clear, concise goals. Trust me, the cloud professionals who have millions of clients have forgotten more about operating infrastructure and security than your company’s IT department will ever know.

Oh, the tales I could tell about IT after three decades in the business! However, even the most tech-savvy places have a hard time keeping their systems up to date and safe. We have thousands of servers from dozens of businesses that we’ve bought over the years. Each one could be a security hole that can reach into another system. We constantly find unpatched web servers with blatant and old security holes. Some of them are almost impossible to upgrade. It’s amazing what we find. We’ll find a group in some corner of the company using a server that no one in IT has ever heard of. We’ll take a look and just weep.

We have a top, top security team and have problems handling the security of our own servers. We are looking into cloud providers (top tier ones that have a boatload of cash, so we can sue the bejeebers out of them if they fail. We think that will help give them the incentive to be a bit more careful). A good cloud service provider will mainly have a staff that concentrates on security and uptime, and leave the worrying about apps to us. The idea is that they’ll have the better expertise in security, network provisioning, etc., and we can concentrate where we’ll have better security.

I used to run my own mail server, but I don’t anymore. I simply couldn’t keep up with all of the security updates and other possible issues. I’d rather have Google or Zoho do it because they’ll keep up better with security issues and uptime issues than I can.