About Us | Site Map

Data Security in the Cloud

Once upon a time, security used to consist of just a doorknob and a deadbolt. These simple physical defenses used to be enough to keep a family of five safe and out of harm’s way; unfortunately, in today’s world, we’re under attack in ways unimaginable 30 years ago. What was once simple physical security has expanded tremendously to now include data security—where cryptographers work tirelessly to keep our personal data out of the hands of those with more nefarious intentions. Of course, those with nefarious purposes have not sat by idly. What has resulted is a global game of cat-and-mouse, where each side attempts to stay one step ahead of the other. For each brilliant breakthrough in cryptography, there is an equally brilliant breakthrough in cryptanalysis, circumventing the new security measures and requiring another advance in cryptography to stop intrusion. Over the years, this cycle has repeated ad nauseam, leading to the co-evolution of data protecting and data hacking.

First off, the security of data is much different from online privacy. While data security and privacy are interlinked, there is a key difference. For starters, online privacy is typically violated by the company in control of the data itself, while data security is often violated by outside parties. (For more on data privacy and why it’s such an issue, see Your Privacy Online.) While most companies work to protect both data privacy and security, when the company voluntarily gives your data over to others, it’s privacy violation. On the other hand, if an outside force exploits a weakness in the company’s security measures and data is involuntarily transferred outside the servers, a security breach has occurred. The involuntary and unexpected nature of security leaks is what separates them from privacy violations. The tech industry is constantly susceptible to attack or malfunction at any time. Thus, security is a much more difficult matter, seeing as the best protection systems can be overcome, at any time, and without notice. Government oversight may be a useful tool in protecting privacy, but when it comes to data security, regulation can only pressure companies to stay up to date on security and possess thought-out data breach notification plans; it cannot stop security breaches outright.

If a deadbolt can’t keep us safe anymore, what can? Well, we all know that our passwords need to be secure, and that we shouldn’t share them with anyone. But what if we do everything correctly on our end, but someone else messes up? What if an IT guru at Amazon.com forgets to flip the proverbial “safety switch” one morning and a hacker is allowed access to sensitive data, such as credit card information, purchase histories, home addresses, and phone numbers? Though this particular situation may not be likely to occur, similar situations do arise. One such unfortunate event occurred in May 2010—a glitch broadcasted Facebook users’ private chat conversations on their friends’ “News Feeds,” allowing others to see private information that could be not only embarrassing, but damaging to the original parties involved. This is just one of a myriad of examples that arise after a quick Google News search for “Data Security Breaches”.  Not only that, but this is a relatively mild example. Thousands of credit card numbers are stolen annually, and instances of identity theft are on the rise. It does not take a cybercriminal much effort, after stealing credit card information, to look their victims up on Facebook.com, find some personal data, and begin amassing a sizable collection of fraudulent charges, which are often quite difficult for the victim to remove from their record. As the map shows, identify theft occurs across the United States, affecting millions of people each year.

In the cloud, this problem is easily multiplied—more servers are involved, more transportation of data takes place, and more information is consolidated into one place—making cloud service vendors a juicy target for cybercriminals. When it comes to cloud services, there are simply more links in the chain for things to go wrong. A system is only as strong as its weakest link; in the cloud, more links exist, more players matter, and the system as a whole is more attractive to cybercriminals.

According to a recent IBM report, threats to data security can be divided into four broad categories: “data threats, configuration threats, audit threats, and executable threats.” As part of the report, a huge table details the twelve ways data can be stolen, as well as common countermeasures to data threats. This is all well and good for an in-house IT department, but in the cloud, how can you be sure the cloud vendor is following the industry standards? Furthermore, there is another general problem with data outsourcing: what happens if the cloud service vendor goes out of business? Who becomes responsible for its secure storage and maintenance? These are the questions company CIOs must answer before shifting their business onto the cloud. (For more on the problems associated with cloud computing, go to Risks of Cloud Computing.)

One potential solution to this issue is strict regulation and standards within the realm of cloud computing. Measures need to be put in place, ranging from mandatory breach notification laws (which eighteen states currently lack) to stringent security enforcement requirements. These regulations and standards already exist in the world of e-commerce (which processes millions of credit card numbers a year without much incident). The Federal Trade Commission (FTC) just needs to update their regulations to keep up with the cloud computing craze. This fact has not escaped the Senate, which has recently motioned to push the FTC to begin regulating both security and privacy in the cloud, partially due to May’s Facebook glitch.

Of course, any measure to protect data security will have unintended consequences. For example, it is not infeasible to think that if particular industry standards are widely adopted, a security breach at one company might put the whole system in jeopardy due to the cloud’s homogeneity. Just as in nature, a little heterogeneity helps the system survive unexpected shocks. However, this would mean one of the major benefits of cloud computing must be overlooked, possibly even defeating the purpose of moving to the cloud in the first place. (To read about centralization and its effect on the benefits of cloud computing, go to Benefits of Cloud Computing.) Furthermore, due to the rapidly changing nature of this new technology, any regulations and standards written today will likely need revision within the same year. Considering the speed at which bureaucracy moves, this is quite unlikely.

Truthfully, the issue of data security is a concern that will shadow cloud computing well into the future. As long as cybercrime exists, security experts will question the safety of cloud. However, this is nothing new; for years Microsoft has faced scathing criticism over the safety of its operating systems, but people still use their products nonetheless. Over time, cloud computing will become less of a novel concept, and fears over its safety will die down. On the other hand, that does not mean this isn’t a significant problem. For some, market forces will be sufficient to force stringent safety standards. After all, no business would willingly enter into a contract with a cloud vendor with a shoddy reputation. Furthermore, efforts by Google to develop Apps.gov – a government-specific version of its popular Google Apps suite tailored to meet specific public-sector requirements in security and privacy protection – shows us that it isn’t impossible for the cloud to meet stringent safety standards. Google’s government cloud would comply with all rules spelled out in the Federal Information Security Act (FISMA). While the same methods may not translate over to open source cloud platforms, this is a step in the right direction and a win for the cloud computing movement as a whole.

 

CLOUD SECURITY: THE GOOD, BAD, AND UGLY

Whether or not you are aware of it, whenever you use webmail services such as Gmail or Hotmail, upload videos to YouTube, or store personal photos on Photobucket or Flickr, you are taking advantage of cloud computing. While everyone is talking about cloud computing, security issues are stalling widespread implementation of cloud services. Opinions vary wildly, so the analysts at NetworkWorld have lent a helping hand by summing up the good, bad, and ugly of cloud security:

The good – Cloud computing vendors are working together to address security concerns through IT expert organizations such as the Cloud Security Alliance and the Open Cloud Manifesto. Also, McAfee has announced the Cloud Secure Program, software designed to daily scan cloud services directly from the Internet to probe for weaknesses in the network infrastructure.

The bad – Security experts and IT experts aren’t exactly seeing eye-to-eye when it comes to the security implications of cloud computing. To IT experts, cloud security fears are overblown, while security experts maintain that the industry is overhyping the value of these services, arguing that cloud computing savings in the long run – once security is factored in – are imaginary.

The ugly – The largest cloud in the tech universe is not owned by Google or Amazon, but rather by the Conficker computer worm, which controls 6.4 million computer systems in 230 countries around the planet. According to Rodney Joffe, senior vice president of the infrastructure services firm Neustar, “the biggest cloud on the planet is controlled by a vast criminal enterprise that uses that botnet to send spam, hack computers, and spread malware and steal personal information and money.” By storing thousands of terabytes of personal information in one location, we’re just making it easier for criminals to hack in and steal our information, and has history has shown, information is power.

FACEBOOK GLITCH RAISES QUESTIONS ABOUT DATA SAFETY

In early May, users discovered a Facebook glitch that gave the access to supposedly private information in the accounts of their Facebook friends, including chat conversations. Although Facebook quickly closed the security hole, the breach highlighted to many users the danger in trust online services to protect their personal information. Facebook users are basically forced to choose between making their information available to anyone or removing it altogether, causing some users to see the social network as "more scary than fun."

This is not the first time that data security has become an issue for the social networking giant. In an off-the-record chat with a Facebook employee, CEO Mark Zuckerberg apparently claimed he doesn't believe in user privacy – a worrisome attitude considering Facebook’s quest to become the Internet’s central repository for our preferences and predilections. What's worse, in the early days of Facebook, when Zuckerberg was a 19-year-old Harvard sophomore and creator of TheFacebook.com, he apparently used password data from his website to hack into the email accounts of two Harvard Crimson reporters. If Facebook's own executives won’t recognize the need for online privacy, how can you trust them to keep your information safe?

Stop by Your Online Privacy to read more about Facebook user privacy.

ARE SECURITY CONCERNS DELAYING SPREAD OF THE CLOUD?

This just in! According to Eric Mandel, CEO of managed hosting services provider BlackMesh, "One of the biggest security concerns about cloud computing is that when you move your information into the cloud, you lose control of it. The cloud gives you access to the data, but you have no way of ensuring no one else has access to the data." Thus, we arrive at the seminal question both cloud computing vendors and users must ask themselves: how can you protect yourself from a security breach somewhere in the cloud?

Because of the proprietary nature of cloud computing applications, as well as the lack of standards between different cloud computing vendors, many company CIOs are wary of moving their business into the cloud. According to analyst reports, if cloud vendors were more forthcoming about their security practices, businesses would be more comfortable jumping into cloud computing. After all, the benefits of cloud computing serve as a powerful driver.

Of course, vendors are not just sitting by idly. eBay and ING have come together to found what they call the Cloud Security Alliance, an expert community dedicated to promoting the best security practices in a cloud computing environment. According to their website, the group plans to examine "15 domains of concern," ranging from governance to encryption and key management, and release a report detailing the best methods vendors can use to protect user privacy.

However, the Cloud Security Alliance is not the only group of experts working on setting industry standards for cloud computing. Another group, said to include IBM and Sun Microsystems has recently released what they call the Open Cloud Manifesto, announcing the need for "an objective, straightforward conversation about how this new computing paradigm will impact organizations, how it can be used with existing technologies, and the potential pitfalls of proprietary technologies that can lead to lock-in and limited choice."

To read more about cloud computing's risks and benefits, see Risks and Benefits of Cloud Computing.

This website represents our own work in accordance with Princeton University regulations. Website template borrowed from Adobe Dreamweaver Development Center and Codify Design Studio. All media on this website link to their original source. These links are for sourcing only, and are not intended to provide any substantive addition to the information on this website.