Over the last 5 years, the volume of information that is shared and/or stored in the public cloud due to the increased use of social media platforms such as Facebook, Twitter, and LinkedIn has soared. According to a report called “The Growth of Social Media”, compiled by Search Engine Journal:
At the Carmel Valley eDiscovery Retreat (CVeDR) held July 22-25, 2012 in Monterey, California, I had the pleasure of moderating several panel discussions on cloud computing featuring industry experts in eDiscovery, Internet security and the legal risks associated with storing data in a public cloud. The consensus from the panels was that storing any data in the public cloud posed both a security and a legal risk.
The Experts are Cautious
The consensus among the CVeDR cloud panel experts was that there was probably more data stored in Dropbox than most businesses realized and that it was a potential source of risk. Several of the lawyers on the CVeDR panels indicated that a business could potentially lose its claims to properly protecting trade secrets and other proprietary information by merely storing data in storage technologies like Dropbox. The security experts on the CVeDR panel contended that there were still some very worrisome security issues with storage technologies like Dropbox.
According to its website, Dropbox uses modern encryption methods, such as Secure Sockets Layer (SSL) and AES 256-bit encryption, to both transfer and store your data. In addition, Dropbox contends that the Dropbox website and client software have been hardened against attacks from hackers, that public folders are not browsable or searchable, and that public files are only viewable by people who have a link to the file(s).
What Can Happen
However, Dropbox actually uses Amazon’s Simple Storage Service (S3) for storage and therefore they really don’t even have direct control over the security of the files that you store. The potential problems with Cloud Service Providers (CSPs) such as Amazon S3 were very evident this summer as a severe storm that rumbled across the Eastern U.S., leaving nine people dead and millions without power, also disrupted an Amazon Web Services data center, affecting service for social media sites like Pinterest, Instagram and Netflix, which host their services at Amazon’s data centers.
Nathan Olivarez-Giles reports in this article that on Tuesday, August 7, 2012, Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.
Amazon officials weren’t available for comment on the security changes, but during phone calls to Amazon customer service on Tuesday, representatives told us that the changes were sent out this morning and put in place for “your security.”
The security gap was used by hackers, one of whom identified himself as a 19-year-old going by the name “Phobia,” to gain access to Honan’s Amazon account on Friday. Once Phobia and another hacker gained access to Honan’s Amazon account, they were able to view the last four digits of a credit card linked to the account.
The hackers then used those four digits to trick Apple customer service into thinking it was dealing with Honan. Apple customer service then gave the hackers a temporary password into Honan’s Apple ID, which the hackers used to wipe his iPhone, iPad and MacBook, and gain access to a number of email accounts as well as his Twitter account.
We discovered Amazon’s policy change on Tuesday after we failed to replicate the exploits used on Honan this weekend. Amazon declined comment on the security hole on Monday, and has since failed to return repeated phone calls from Wired about the vulnerability.
Moving data to the public cloud is already happening at an accelerating rate. And, the operational efficiencies and financial benefits are just too great for this trend to slow down. Therefore, even though it is a fair question to ask if it is safe to move your data to a public cloud, a more realistic question might be, “What do I need to know and what do I need to do to ensure that my data will be safe once I move it to the public cloud?”
- Don’t move any business data to the public cloud that is confidential, proprietary or is the essence of valuable corporate Intellectual Property (IP).
- Have your legal department read the provider’s Service Level Agreement (SLA).
- Develop and/or follow corporate data retention policies in regards to the data you store in the public cloud.
- Develop and/or follow corporate password and other security policies in regards to the data you store in the public cloud.
- Talk to the cloud storage provider about eDiscovery and develop a joint plan for how it is going to be accomplished and how much it is going to cost.
Storing data in the public cloud is inexpensive and very efficient. Just be aware that there are risks that need to be mitigated and addressed.