Risks of the cloud

I came across an interesting piece of research released on Monday by the Gartner research group, focusing on the future of digital storage in the cloud. Only 31% felt safe storing personal documents online.

During my time as risk manager in a major Swiss bank, I thought about the topic more than once. My conclusions were always the same: no way we can afford the risk of using such things. The risk involved in losing data in the wild is way too important, and in the banking business you must be safe; there is no place for sorry. Once the data is out, it is out. And regardless of the sensitivity of the data, it will damage you: if you lose unimportant things, people will think “sure it was ok, but next time: will it be my data that’s out”.

The reputation dilemma is actually no different for non-banking corporations. Every large company is hit hard when its security fails so that third parties can access confidential data. And when they are safe, people complain — rightfully — about their privacy rights.

I have, however, evolved in my thinking. Most major companies, banks or not, are in fact using the cloud already. Many have centralized databases that are accessed from other locations and other countries. Even if they “own” the cloud and its infrastructure, a database hosted in the US and accessed from a branch in Singapore is no less than a cloud. In certain instances, companies are not allowed to keep certain data abroad; for instance, Singapore or Hong Kong based banks must keep their client data within the same country. That does not, however, prevent them from having non-client or anonymized client data sitting in other locations. They are using the cloud.

So basically the question for corporations is answered by default: most of them are in fact using a cloud, their own. And think about it: they are exposed to similar risks as they would be when using a third party cloud provider. If technically this is similar, what is very different is the question of liabilities. When corporations manage their own risks and they fail and lose data, they eventually take a hit or even die, so managers have a vested interest in finding the best people and doing their best to protect the company that feeds them. On the other hand, a third party cloud provider will still do its best to protect its clients and grow, but if it fails, it might not be big enough to compensate for the damage done to its clients; eventually it goes under and its clients too. Clearly that is a worst case scenario, and in real life they might just be badly hurt or not at all. From a decision point of view, I think corporations are better off not relying on third party providers, or using providers that are large enough to have sufficient resources for financial compensation in case of catastrophic failure.

Small and medium sized companies have more of a dilemma, because relying on cloud computing can represent both a significant increase in productivity and a significant decrease in IT cost. Their issue is that losing certain data would not just damage them but kill them, so they had better ensure that they keep such data in systems under their control, in particular their client list and their R&D data.

Now, how can small and medium sized companies benefit from the cloud efficiently and safely? Well, by fragmenting and diversifying risks: using several providers based on their strengths, and using compartmentalized access. Using iCloud for Personal Information Data makes sense, so that employees can synchronize data such as calendar, address book, etc. across their devices; of course that requires having Apple devices. For collaborative data, using services like Dropbox also makes a lot of sense, especially with their new group features. However, in the case of Dropbox, I would recommend segregating the accounts by topic, for instance one account per project. If the account gets compromised, the security breach is limited to the project. The same spirit can be followed with other service providers.

A crucial security element here is: people. It is difficult to enforce security policies (well, forcing people to change a password every 3 months is not a policy. A 12345678 password will just become a 87654321 or another variation…) but it is easier, though it requires time and investment, to train your people so that they understand the risks and know what to do. Because, regardless of the implemented security (in-house or third party), your weakest link will always be people.

Individuals: well, accidents happen. Your apartment can be burglarized, generally according to signs of wealth. I believe it is the same with the internet. Unless you are a celebrity, you are unlikely to be targeted. But if you fail to lock your door, burglars are likely to have a look inside to see if there is anything of value. It is the same with everything you have in the cloud. For individuals, it starts with ensuring you are using strong and unique passwords. Don’t rely on only one strong password which you use everywhere. How many times have I received an email confirmation after registering on a site with my password showing in the clear in the email, together with my username! Don’t reuse passwords! There are apps which help with that; my favorite is 1Password, which is available on many devices and can use Dropbox for synchronization.

Then, when you store data in the cloud, if it is sensitive, encrypt it (again with a different password). If someone gets to the file, it might just be worthless without the password. Well, think again though… sometimes you should make sure that your password is unreasonably strong (like 30 characters or so), because what is uncrackable today might be trivial to crack in 10 or 20 years. If the information you need to protect is short lived, it does not matter, but if it will remain sensitive for decades, be sure not to forget that technology evolves too.
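To put numbers on that last point, here is an added example (not part of the original post) that estimates how long a randomly generated password survives brute force when the attacker's hardware keeps improving. The guess rate of 10^12 per second, the two-year doubling period and the 94-character alphabet are assumptions chosen for illustration, as are all function names.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace_bits(length, alphabet_size):
    """Entropy in bits of a password drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def years_static(bits, guesses_per_sec=1e12):
    """Expected years to search half the keyspace if hardware never improves."""
    return 2.0 ** (bits - 1) / (guesses_per_sec * SECONDS_PER_YEAR)

def years_until_cracked(bits, guesses_per_sec=1e12, doubling_years=2.0):
    """Same estimate, but the guess rate doubles every `doubling_years`.

    Cumulative guesses after t years are (r0 / k) * (exp(k * t) - 1), with
    r0 = today's guesses per year and k = ln 2 / doubling_years. Setting
    that equal to half the keyspace and solving for t gives the result.
    """
    r0 = guesses_per_sec * SECONDS_PER_YEAR
    k = math.log(2) / doubling_years
    return math.log1p(2.0 ** (bits - 1) * k / r0) / k

def min_length(lifetime_years, alphabet_size=94, **attacker):
    """Shortest random password that outlives `lifetime_years` of attack."""
    length = 1
    while years_until_cracked(keyspace_bits(length, alphabet_size),
                              **attacker) < lifetime_years:
        length += 1
    return length

if __name__ == "__main__":
    # Assumed attacker: 1e12 guesses/s today, doubling every 2 years.
    for n in (8, 12, 20, 30):
        bits = keyspace_bits(n, 94)
        print(f"{n:2d} chars ({bits:5.1f} bits): "
              f"static {years_static(bits):.3g} y, "
              f"with growth {years_until_cracked(bits):.3g} y")
    for lifetime in (1, 10, 20, 50):
        print(f"data sensitive for {lifetime:2d} y -> "
              f"at least {min_length(lifetime)} random chars")
```

These figures only hold for passwords picked at random by a generator; a human-chosen password of the same length has far less entropy. A slow key-derivation function in the encryption tool corresponds to a lower `guesses_per_sec`.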

So, is it too risky to use the cloud? Well, for most people it is no riskier than driving a car or walking down the stairs. It is a matter of knowing and understanding the risks to effectively mitigate them.

Am I using the cloud? You bet I do!