Ask Slashdot: Is Your Data Safe In the Cloud?
With so much personal data being kept on the cloud, including government and health records or your source code, do you have any concerns about it falling into the wrong hands? Do you think the cloud's benefits are outweighed by continuing security issues?
I believe that government seizure/examination of cloud data is even a bigger threat than hacking. With a court order or -- as we have seen in the past few years -- even without a court order, a trustworthy cloud operator could be forced to turn over our data. The article a few days ago about foreign governments being reluctant to sign onto cloud computing with an American company because of the potential for snooping into their data illustrates the point even further.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
And what's a cloud, really?
not a bit
yep and yep. Shut it all down. My MP3s at Google Music should never ever be stolen. Evar.
No one is going to care as much about your data as you do. Next question please.
putting the 'B' in LGBTQ+
In many cases maybe your data is even more secure in a cloud than on your own servers, especially if you choose your 'cloud' carefully (outside of your country/jurisdiction).
The real threats to your data are your own employees and your government. The outside 'hackers' come as a very distant third.
You can't handle the truth.
then store it to the cloud w/ you just knowing the keys/passphrases
I do not trust the cloud, because I can't grab it and bury/burn it at my whim. Just like posting on FB, once you have done it - that data is out there, forever.
local storage will never die.
It's still someone else's servers holding my data and I still have to go through some hoop(s) to get at it from other devices. What is so special about it?
Now this story shows that the hosting companies can get mixed up and do you want to take that risk with your data??
http://thedailywtf.com/Articles/Remotely-Incompetent.aspx
...that the first outing of the sponsored Ask Slashdot is a Geeknet company.
In any case, as usual, it depends on the kind of data. I believe medical data has to be encrypted though, no?
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
::rimshot::
No, seriously - depending on the cloud service, aren't buckets of data encrypted in such a way that only the owner of the data can access them? Cloud service providers may be required to hand over data, but do they have the means of handing over the encryption keys along with it?
For certain cloud services where you're uploading via browser, they may be encrypting your data post-upload, so the request to decrypt may be more trivial. However, if you manage your own (like S3 backups) - or simply use a service that encrypts BEFORE uploading, I'm not sure there's a whole lot Amazon or some other provider could do to hand over the data in any usable form.
Those who are concerned about security of their data should ensure that the backup is encrypted in an acceptable method, or simply stash it in an encrypted container before storing it "online" (I realize there may be limitations of scale with that suggestion).
$ man woman *
-bash:
Unlike all other Ask Slashdots, this question is not preceded by "$USERNAME writes", so who actually proposed this question? A user that didn't get credit? A Slashdot editor? Someone from Sourceforge? The post introducing sponsored Ask Slashdots says that "the sponsors don't pick the questions", but that's still ambiguous. Many people are skeptical about this being thinly veiled astroturfing, so it's important to be as transparent as possible.
I would encrypt any sensitive data I may have before storing it in the "cloud". It would be irresponsible to assume the data can not be read or copied by others.
Note to slashdot: It'll be hard to maintain whatever shred of journalistic veneer and integrity you have left if you start posting advertisements for sister websites as 'sponsorships' of semi-legitimate discussions or stories.
The fact that everyone else does it is still no excuse.
The British government has an appalling record when it comes to protecting data. It all comes down to individual failures. Individuals in ministries, local government, etc have been loading up laptops and USB sticks with swathes of very personal, very sensitive data and then losing these devices or having them stolen.
I do understand that the cloud technically may make a data theft much easier, but given the volume of data that has been physically stolen in the past decade, it's hard to imagine it being worse than the status-quo. At least they can wrap everything in umpteen layers of security and DRM and attempt to standardise the way councils and hospitals manage sensitive data.
Not is, but Are.
Datum. Data.
Even engineers know how to use the plural.
Dave Barnes 9 breweries within walking distance of my house
It's a marketing term for a hard drive in a different building from the one you are currently in.
I used to be a security "expert" (at least according to my business card), but that was long enough ago, and things have changed sufficiently since then, that I no longer make that claim. However, back then, most of our customers happened to be in healthcare in some form or another, and I was appalled, on a daily basis, how insecure their data was. Any high school kid with some tools could completely own their network servers with very little effort. We hired one of those high school kids, and he frequently did.
Furthermore, with a little sweet talking, or looking under keyboards, we got access to all the stuff that he didn't. Granted, this was in the days immediately before HIPAA, and in the first days after HIPAA when people were trying to figure out how to implement the requirements. I naively hope that HIPAA has corrected some of the most glaring of these problems.
It's hard to imagine that putting data "in the cloud", whatever that happens to mean in the particular case under discussion, could be any less secure than where they're already storing your data.
Apache guy, Open Source enthusiast, runner
These days your data is your wealth. Putting it somewhere as vague as 'the cloud' is as dumb as keeping your life savings in a car belonging to someone you don't know and have no idea where that car might be located. (Probably in some trailer court.)
It's a marketing trap - don't fall for it.
No.
I use cloud storage for a good deal of our small business data. The question is do the people who work at the place my data is stored at do a better job than I would protecting that data? Probably. Am I worried about most of that data being obtained by a hacker? No. 70% of it is actually public record, and the other 30% is really boring financial stuff. Could someone steal my identity if they got this information? Most likely. If this happens, have fun blackhat; the IRS is after you, and so is the (local) state employment security department! (also you may have a bench warrant) have fun.
Security is a big issue, but I find myself wondering about who will be owning the data in the end, and if the future of computing is tablet/cloud, as users we won't have the means to save our data on our own drives, we would always have to use the cloud. Talk about lock-in, price increase of cloud services...
Will we have the choice in the future of NOT using the cloud?
Servers "in the cloud" are installed, secured, and maintained, by sysadmins like you and me. Some of those sysadmins are good at what they do, and some of them aren't.
I don't get it then, what makes the sysadmins and employees at these companies that run "the cloud" any more or less secure than my own employees and sysadmins? And what makes the government where "the cloud" resides any more respectable of my privacy than my local government? My own reaction is that there's just another layer of security risk here. At least if they're my employees or sysadmins and I find out data is being leaked, I can fire them and do an internal investigation. If some sysadmin is dumping databases at a "cloud" site, then who is ever going to know and how is that ever going to be rectified?
I'm not arguing against "the cloud" and I don't have a good example on hand of where "the cloud" has failed but to me it seems like a lot of these are virtual machines sitting on physical hardware running more software. And every layer is just another potential weak point in the chain of software. Is that not true? Isn't it possible that employees of VM farms are simply cloning and dumping memory or hard disks (or entire VMs for that matter) for their own personal use?
There was a paper a while back about encrypted computing just to address this very fear.
"The cloud" is not intrinsically secure or insecure, because "the cloud" is not a definable entity, as much as the tech press wants it to be. This is a misnomer perpetrated by the poorly-informed press, and not really something that's based in reality.
Just like the title to this Ask Slashdot encourages us to debate the security of something that cannot be intrinsically secure or insecure? If you're telling me that "the cloud" is not intrinsically secure or insecure why are we having this conversation? I mean, I think it's worthwhile to consider what a lot of "the cloud" services are that are out there (the big few that exist) and to debate their security success or potential holes. You can always deflect my arguments by saying that they're just "implementing the cloud wrong" and we won't go anywhere. But it is my opinion that sensitive, personal and secure information should not be handed off to yet another third party for computation or storage unless your trust with them is enough to risk litigation against yourself from all of your customers.
My work here is dung.
that's the question. where do they store their internal email and data? in another cloud? in their own systems?
if they store it locally then why should i send my data to them?
I am a lawyer, and the thought of trusting my data to the cloud makes me very nervous for several reasons.
1. Government access. If you trust the government to keep its hands off of your securely stored data, you are living in the 1960s. Federal and (most) state governments are too tempted by the possibility of using your data for good purposes to actually keep their hands off it. Employees (like the FBI) will peek at it, especially if you're famous. They will run "searches" to see "what comes up" and get a feel for whether the government needs to do something. Data should never be stored -with- the government, and government should be expressly forbidden from getting access to it after it is generated. They should be required to give you notice each time that they access your data and describe to you what they are looking for in it when they inevitably -do- access it.
2. Outside threats. I'm thrilled every time I read about botnet attacks and Anonymous hacks that get into some individual's or company's private data. (Sarcastically...) "Yes, I believe that my externally stored data is safe from outside intrusion and will not be stolen by criminals." No, I don't believe that. There is no routine requirement for encryption in business environments. If there isn't a robust, national / industry-wide data encryption plan that makes it easy for the end-user (the person whose data it -is-) to protect and access the data, I think that the cloud is too risky for storing really important information, rather than just having my music collection stored in iCloud or Amazon's service.
Also, email security, to me, seems to be a joke. Here, I don't worry about breakins to get at my information, although that has happened at many email providers. Rather, I worry about internal inspection of my information. I use Gmail, but I don't believe for a minute that Google, (or Facebook, which I don't use) doesn't sometimes run statistical analysis of the email stream or the google search bar terms I use to learn more about me. It's their business to know more about me so that they can make money advertising to me. You can be sure that they test their AdSense algorithm improvements on my data to enhance the chances that I'll click on an ad and make them a few per thousand clicks.
I will use the cloud as a backup with services like MozyPro, but only if I can have assurance that my information (my clients' information, really) is locked down tight. To my mind, "ease of access" from storing information in the cloud equates all too readily to "ease of theft" where the thieves don't even have to leave their desks in Mountain View or Moscow to "reach out and touch someone" (apologies, ATT). I much prefer to make the thieves go to all the bother of getting up and coming to my house or office to steal my data.
Carbon_Tet
I run my own cloud network storage business. Everything is encrypted on the client side, there is no cheating (ala bitcasa which says they manage to deduplicate encrypted data). Sure you can upload raw data that you for example want to share, but one should know that someone else then has the possibility to read and abuse the data.
So I would say the data is safe in our cloud. Sure we have access to see how much disk space you're using, but that's pretty much it.
save time and money, skip the cloud, just put your data on a flash drive and toss it out the window while driving.
start counting the days til the first cloud hack data theft.
Is Your Data Safe In the Cloud?
No. Next story.
We used to have cloud computing in the mainframe days: IBM ran a data center somewhere, and you connected to it via a leased line. The only way you knew its location was from the size of your phone bill (;-))
Joking aside, cloud computing really is just a buzzword change. Like any other outsourcing effort, you are at the mercy of the vendor and the government of the country they're in. Choose your suppliers based on the SLA they'll offer you, and the country of the candidate suppliers based on the rights they honor.
--dave
davecb@spamcop.net
Until it rains. Then all your data washes out of the cloud and ends up in a puddle on the ground.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
I would like to believe that when I host a server at Slicehost (oh, yeah, it's Rackspace now) that they have server administrators who are better trained than I am. That they have backup procedures that are better executed than I would do. That they upgrade their hardware more often than I do.
Likewise, if I put my data on a "cloud" service, I am paying for the assurance that they have secured those servers at least as well as I would, in addition to whatever it is that they specialize in (scalability, availability, redundancy, etc). So, in theory at least, that's what's special about it - that they can do a better job at those things, for less money, than I can.
The reality can be less clear cut, and so, as with any vendor selection process, you have to do your homework and find the ones that seem to do a good job.
I think the press has done us all a disservice by making the cloud into, as you say, a mysterious relic with mystical powers. Hopefully those of us actually making these decisions understand what it really means and can be sober about evaluating options.
Apache guy, Open Source enthusiast, runner
No and any idiot that thinks it is or could be made safe is just an idiot.
My karma is not a Chameleon.
I'll vote for the cloud. I use web based email (google) because I reckon they'll do a better job of backing up my data than I do (copy to USB drive as and when I think about it). I do download the contacts to a CSV every now and then, and should probably pop the email down to my PC as a local copy. I use Dropbox and Evernote as well - I like having things on multiple devices, and can't see the point of reinventing those wheels to do it myself.
The only things I store locally only are my photos, but I'm at about 600GB there, so the cloud wouldn't be practical. I do backup, not religiously, and so far haven't bothered with offsite copies.
While I care about my privacy, I reckon the worst that can happen with my email is that some admins at Google read it and have a good laugh at what a loser I am!
Sigs are so 1990s. No way would I be seen dead with one.
Only if you trust both the operator and every jurisdiction in which they operate now and in the future. So in short no.
If you absolutely must store such data in a 3rd party datacenter (or cloud if you must), take responsibility for the data security yourself. Use an encryption layer above the storage layer.
"Data" is plural in Latin, but in common English usage, "data" has become a mass noun. One says not "two data" but "two points of data". If you insist on inflecting the verb to match the Latin plural, do you plan to say "datôrum" for "of the data" and "datîs" for "from the data" or "to the data"? Or do you use "data" to mean gifts? Of course not; that'd be the etymological fallacy.
Just add a filter in your RSS client to block everything with " - Sponsored by " in the result. :)
In Thunderbird go to "Extras -> Filters..." and add a new one with "Subject" "contains" " - Sponsored by " and "Set junk status to" "Junk" and/or "Move message to" "Trash".
Done.
...so that we could remove ourselves from the cloud. Years ago when I started my career, I was a mainframe programmer. We operated through terminals that sent commands to the central mainframe. It was constraining and the machine high priests prevented individuals from being productive. Then the Apple II came out and we got a few of them past IT. Then the PC with dBase and Lotus 123. The Apple Laserwriter is what pushed the tipping point as then everyone became a publisher. We were freed from the tyranny of the controlled server. I laugh because here we are 30 years later and we are being sold that the cloud is freedom. Yes, freedom for the company to mine your data and market you. What does the individual get out of the cloud? If your network goes down, no cloud. The cloud is a stupid idea foisted and fostered by a generation too young to remember the old cloud. No thanks, I'll keep my personal data on my laptop.
Ars actually just covered this for anybody not in the US - the Patriot Act is a huge barrier that is making it hard for US companies to do business. Nobody in their right mind trusts US cloud providers with their (subject to non US privacy law) data.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Here is a good video of what is a cloud: http://www.blip.tv/file/2714301 I love the cats.
Also:
I have never seen a storm that didn't have a cloud in it. Remember that. Also remember the more tiers the more tears.
I wish the filter on /. would let me post all the links I've accumulated over the year with issues: Here is a small sample of issues this past year: skype outages 12/24/2010, gmail losing 150,000 email account messages (their servers went bonkers and they struggled to bring back messages, I think they got most back but not all) 2/28/2011 ibm loses 1.9 million patient data records, netflix was down for hours on 3/22/2011, 4/1/1022 tv shows stored in cloud were wiped by an employee and no backups so shows were lost forever, 4/4/2011 - epsilon email marketing company compromised, hootsuite, reddit, foursquare down when Amazon AWS went down on 4/21/2011, Sony on 4/27/2011 with its data breach, on 5/2/2011 Vmware cloud went down. 5/16/2011 microsoft cloud services were down for 4 times in a week, 6/20/2011 GRID online multiplayer meets early demise on PC because 3rd party level they were using didn't want to renew a service they needed, 6/21/2011 drop box accidentally turned off passwords for file storage service (so anyone could view your stuff), 6/21/2011 wordpress plugin repository compromised, 6/29/2011 groupon published 300,000 customer usernames and passwords on their website by accident, 8/18/2011 microsoft crm online office 365 customers had an outage, I don't have the date but also Intuit shop cloud was down for 3 days in 2011.
The list goes on and on.
Between the patriot act and the value of the data itself for mining purposes, no. To argue otherwise is naive.
Shoes for Industry. Shoes for the Dead.
From my *personal* perspective, I do have some stuff stored in a 'cloud' provider, but I *don't* trust any encryption they provide, I gpg it before upload. This is *not* stuff I'd care about the government seeing, incidentally. My presumption is the gpg protection should suffice in the face of realistic attacks mounted by people who could do something apart from the government. Additionally, if broken, the damage would be recoverable.
From a business perspective, after talking to various companies, my take on the general outlook:
-If it's material like advertising/marketing, wherever is cheaper, no confidentiality to sweat.
-If it's material that the company doesn't explicitly care about, *but* is regulated to protect the confidentiality (e.g. incidental medical data subject to HIPAA accumulated by a non-medical company), then they would almost certainly put it on a 'cloud' *if* liability were part of the agreement. The rationale being they only care about being sued/not sued. If they don't have to store or audit the data and lawsuits pretty much go straight to the provider, they are very happy. No provider seems to be stepping up to offer that however.
-If it's material that the company explicitly cares about (e.g. future product designs by a manufacturer), no way in hell. If they did outsource, they'd spend about as much money *auditing* their provider as they would protecting it themselves (if not more) and still not being as comfortable, so why bother. They feel the damages they could get through legal channels would likely not offset their opinion of their loss.
XML is like violence. If it doesn't solve the problem, use more.
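The "gpg it before upload" approach from the comment above (and from the earlier comment about encrypting before uploading), as an added example that is not part of any poster's comment. It assumes GnuPG 2.1 or later; the function names, file names, sample record and passphrases are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): encrypt locally with GnuPG so the
# storage provider only ever receives ciphertext. Function names, file
# names, the sample record and the passphrases are constructed.

# encrypt_for_upload PLAINTEXT PASSFILE OUT
# Symmetric AES-256. The passphrase file stays on the local machine.
encrypt_for_upload() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$2" \
        --symmetric --cipher-algo AES256 \
        --output "$3" "$1"
}

# decrypt_download CIPHERTEXT PASSFILE OUT
# Returns non-zero when the passphrase does not match.
decrypt_download() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$2" \
        --output "$3" --decrypt "$1" 2>/dev/null
}

# roundtrip_demo: runs in a subshell with a throwaway GNUPGHOME and checks
# the three properties the comment relies on. Prints a summary on success.
roundtrip_demo() (
    work=$(mktemp -d) || exit 1
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$work"' EXIT
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || exit 1

    # Constructed sample data and passphrases.
    printf 'patient-id=0000 CONSTRUCTED-SAMPLE-RECORD\n' > "$work/records.txt"
    printf 'constructed demo passphrase, not a real secret\n' > "$work/good.pass"
    printf 'some other passphrase\n' > "$work/wrong.pass"

    encrypt_for_upload "$work/records.txt" "$work/good.pass" "$work/upload.gpg" || exit 1

    # 1. What the provider stores must not contain the plaintext marker.
    if grep -q 'CONSTRUCTED-SAMPLE-RECORD' "$work/upload.gpg"; then exit 2; fi

    # 2. The passphrase holder recovers the exact original bytes.
    decrypt_download "$work/upload.gpg" "$work/good.pass" "$work/restored.txt" || exit 3
    cmp -s "$work/records.txt" "$work/restored.txt" || exit 3

    # 3. Without the passphrase, decryption is refused.
    if decrypt_download "$work/upload.gpg" "$work/wrong.pass" "$work/leak.txt"; then exit 4; fi

    echo "ciphertext-opaque roundtrip-ok wrong-passphrase-rejected"
)

roundtrip_demo
```

Only `upload.gpg` would be handed to the storage provider; the passphrase file is what has to be kept, and backed up, locally.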
I was recently at a VMware luncheon with a VMware "cloud" expert. He was probably the first person from a big cloud-services type provider that openly admitted the cloud isn't for everyone, and in many cases, it just doesn't make sense. He went on to explain that it's VMware's position that you deploy your own "private cloud" at your own pace, and whether or not you move to public cloud is entirely up to you. Their whole sell was that their products make the transition from private to public cloud easy, hence you can stay private or move public at your own pace.
This contrasts to some recent Microsoft events I've attended, where they were pushing Azure so freakin hard that one of the Microsoft guys almost literally said, quote for quote, 'if your next SQL project isn't on Azure, you're making a BIG mistake'. Microsoft seems to be of the mindset that between Azure and Office365, it's a hole-in-one business case for every company on the planet, which it's not. They went on to sell their Intune service the same way - 'If you're not a big company that has your own SCOM/SCCM solution, then you're making a mistake if you don't use Intune'.
Bottom line, much more cloud snobbery from the Microsoft guys.
Data is only safe anywhere (mostly) if you use end-to-end strong encryption. Even then, keyloggers can capture your passkeys and gain access to your data just as you do. So, my advice is to NEVER store anything in the cloud that you don't want others to have access to. Facebook and other sites of that ilk are a good case in point.
The Cloud is a TOY it is not a place for serious use. Yes ok you can store your holiday snaps on the ok make sure you only upload watermarked pictures that state very clearly owns them.
Health Data on the cloud not a very intelligent idea, People stop trying to pass the buck on data backup get your systems sorted OWN your own storage Archive & Backup.
Don't feed the money grabbing idiots that only have one thing of interest on their minds how much of YOUR data of one form or another can they get for free to later sell on to some little Schmuck that is going to spam your home your email your phone and anything else they can find.
Your own storage is cheap enough now OWN it don't pass it on.
I've long thought that government software should be software of the people, by the people, for the people (to be a little over-poetic). If I pay for the development of software that's used to run, say, the TSA, then I should have access to that code. And if the IRS is using software to store my data, I should have access to that code so that I can verify that it's secure, and is calculating my tax refund correctly.
I'm not sure, as a non-lawyer who has never worked as a government contractor, whether such demands are at all realistic or probable, but I still think it's worth making the demands. While I'm confident that *my* congress critter didn't understand the letter I sent him on the subject (at least, based on his content-free response), I would encourage you to contact yours, and maybe there's one out there that would understand.
The medical data issue is a little less clear-cut, depending on whether medicine is socialized in your particular country.
Putting medical data in a shared data pool *promises* big things, certainly.
Every time I go to a doctor's office and have to fill out all the same data, yet again, or when I have to fill out yet another government form with all the same information that they already have, often two or three times on the same set of forms, I think, why, in 2011, do I have to fill out these forms at all, when they already have so much information on me that should be readily accessible? A retinal scan, or even an ID number, should be sufficient to avoid this. Why haven't we solved this problem yet? (Yes, that's a very naive position, largely inspired by the frustration of filling out the 8th form while other people's kids run around screaming and sneezing on me.)
But who do we trust to be that central repository of data, and not sell it to the highest bidder?
Apache guy, Open Source enthusiast, runner
OK, not really. But it's weird not seeing my good ol' green, black and white page.
Check your premises.
Tieto did have some trouble here in Sweden recently where they lost data and the backups weren't up to date.
The cause was some problems with the SAN where both master and mirror data crashed. Many companies did suffer - all the way from restaurants to loan businesses.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
I'm more concerned about what my ISP is going to say when I start uploading data by the gig on a regular basis.
SJW: Someone who has run out of real oppression, and has to fake it.
I mean, the answer is utterly clear, isn't it? Your data is not safe in the cloud. Break ins have happened already, and will continue to happen. Your data also isn't safe at home, or at work. Your company's data isn't safe at their site, or the cloud provider's. It's a relative safety issue, and one that should be weighed carefully. If you really care about the safety of your data, you probably want to use local apps, combined with cloud storage of encrypted data. That way you get the distributed benefits of the cloud (reduced risk of data loss due to disaster thanks to replication across multiple physical sites ... your cloud provider does do multi-site replication, right?), but you don't leave control of your data security in their hands.
Just never trust a cloud app. Local apps, encrypted cloud storage. Very simple rule.
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
I'm pretty sure they can figure out how to log in to Twitter.
But they'll have to create a bunch of sockpuppets, not unlike the other twitter did back in the day, in order to get past any search throttling that Twitter may impose.
No.
Next question.
Government will subpoena data whenever it desires, hackers will find ways to access data, so I don't trust anyone to secure my personal data. Hell, I don't even feel confident that personal data on my own laptop - data which never sees the internet - is secure. Trust no one. No one.
I have been an avid dropbox user for years. It really saved my bacon a few times while I was in college. I keep everything from my Resume to a bunch of android .apk's. Beyond that I also use Microsoft's SkyDrive for uploading photos and other content to share with friends. I am also an early adopter of google music, which I love to use to listen to my music at work. With that being said I try not to keep any truly sensitive data in the cloud. The only exception is my use of lastpass/xmarks. My dream would be a private cloud with high security encryption but that dream will never be realized. I really don't like my medical records or other private data being stored in any cloud especially one run by the US gov.
Who ever foolishly thought it would be safe and secure?
What you ask is something that has been a concern of mine since the buzz word started being tossed around by Executives as "Must Have" services.
Let's just say that everything is set up correctly. Services boot new OS's on servers and format drives between clients, restrict access or properly wipe disks prior to the new OS going. Let's just say that accounts are host based, ACLs control access as opposed to standard Unix permissions, snort stations watch for and disable systems trying to probe the network, etc.. etc..
John Doe working in China is offered $5,000.00 by the Iranian Government to watch for foreign DOD customers to put data on servers in the data center in China, and copy that data to a USB stick. For every USB stick he makes he gets another $5,000 USD. What does John Doe do? He's offered 5-6 years salary for doing one thing against policy. Does he do it?
Let's take things a bit of a different direction. Let's say the Chinese Government tells him that he must copy any foreign Government's DOD data to USB or spend his life in jail for treason.
The problem is that the human factor is a huge risk. When you pay for generic services there is no one looking out for your best interests. When you pay for the lowest bidder you often end up with people on the other side that are underpaid and disgruntled, which means no vested interest in the Cloud Company or its customers.
Let's face facts here people. You can not possibly protect your servers when you are not in control of them. It's a difficult chore even when they are in your control, but impossible when housed somewhere else.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Hahaha-hahahahaha-hahahaha-hahahaha-hahahah-hahahaha-hahahahaha-hahahaha-hahahaha-hahahah-hahahaha--hahahahaha-hahahaha-hahahaha-hahahah-hahahaha--hahahahaha-hahahaha-hahahaha-hahahah-hahahaha-hahahahaha-hahahaha-hahahaha-hahahah-hahahaha-hahahahaha-hahahaha-hahahaha-hahahah-hahahaha-- (Gasp) --hahahahaha-hahahaha-hahahaha-hahahah-hahahaha-hahahahaha-hahahaha-hahahaha-hahahah-hahahaha-hahahahaha-hahahaha-hahahaha-hahahah-hahahaha--hahahahaha-hahahaha-hahahaha-hahahah-hahahaha--hahahahaha-hahahaha-hahahaha-hahahah-hahahaha-hahahahaha-hahahaha-hahahaha-hahahah-hahahaha!
Let me get this straight: is uploading something to someone else's data centre, that may have multiple supporting vendors and other off-site systems secure?
While I wasn't too thrilled about this whole sponsored post idea, I shrugged my shoulders and moved on. However, this first go at it is somewhat troubling. The question is rather ambiguous, with no information given about who submitted the question, but that's already been discussed.
My big problem with it is why this story seems to be 'floating' in the feed. All morning, it's been at the number two position. I don't really mind the glaring blue story staring at me, but I would appreciate it if it faded to oblivion just like the rest of the articles/stories/slashvertisements, so I don't have to continue to stare at this giant blue SourceForge logo when I browse the news feed. I had tried to keep an open mind, but this whole thing looks like an attempt to whore out the site for money.
While cloud computing offers greater efficiency, it also combines quite a bit of data under a single infrastructure, and the data is maintained by private companies. This leads to the first obvious problem, which is that an attack or compromise can now affect multiple sites and companies, but this is not the problem that worries me.
What worries me is who we are giving our data to and where they will be in the next few years.
With the current race to be a "cloud" provider I anticipate that companies will come and go, some will be bought out and eventually we will end up with a few larger businesses handling our "cloud" needs. The questions I have are who will ultimately end up with our data, what will the terms of service be and what changes will happen to the terms of service during these transitions.
Also, what may be more scary is that typically when a company starts to struggle they cut costs. So what if my "cloud" company is cutting corners in staff or systems which results in loss of data or compromise?
Ultimately I think that "cloud" computing is an efficient use of resources and will play a big part in the future, but we should also remember that our data is being maintained by private companies, and a private company's primary interest is itself and not its customers.
CLOUD =
Cheap
Lumps
Of
Useless
Data
All storage is now so inexpensive it is essentially free. If I really need it, I can afford to buy my own and protect it. The only stuff you ever want to store in the cloud is all the useless crap that would make you slightly nervous to delete, so you throw it into someplace where you hope it will just eventually disappear on its own.
...is not "is your data safe in the cloud" but ARE your data safe in the cloud. +1 for English majors.
Absolutely - if you can't trust the governments of the world, who can you trust? - Yahoo Serious as Albert Einstein (young)
Cloud storage is as secure as the promises made in writing by the storage vendor/host and subject to every change or government whim that there may be some potential for determining who has had a bomb implanted in their body in the guise of a colonoscopy so we had better review everyone's medical records for signs of constipation. It is a shame - the technology is reasonably well developed, the economics are there and the bandwidth and management tools are developing quickly to make this a default choice. The only thing completely lacking is the security that is required to entrust this data to the hosting company to begin with, and that is the first and most necessary element of the mix.
They make it rain. They block the sunshine, then they make it snow so you crash into a telephone pole and die.
"Cloud" is a nasty marketing term designed to get you to give up control of your data to Corporation X.
If you want access to your data from wherever, set it up on your own machine. You know, they have been trying for thin clients to maintain centralized control of everything for well over a decade. They finally have come up with the unbeatable marketing term. "Don't worry Bob. It's in the cloud" What about when you lose that link...oh well, you bought it.
Am I missing something here? If you encrypt your data yourself before sending it to the cloud storage and use more than one provider - what seems to be a problem?
To clarify: I am only talking about storing encrypted data on the cloud. If you need to run an application on the cloud that needs data decrypted none of what I said applies.
How is it different from having your own dedicated server in someone's datacenter? It seems that OP assumes that cloud is somehow less secure than other alternatives. I just don't see a difference.
There are at least 2 concerns with data management:
1) Integrity - i.e. is it backed-up so you can restore it fully?
My experience here is that it is a mixed bag. Cloud vendors will have a better backup strategy than someone who is not doing a great job backing up, but by definition most data backups, especially "on-line" backups, are about disaster recovery, and that's a rare event. Rare events are hard to plan for.
I'd say for random small businesses, especially ones whose core business is not tech, the Cloud vendors will on average do a better job.
IF however, the core business is about computer technology, or you have real professional people who understand backup issues, then you may be better off doing it yourself.
One of the big problems with relying on a "Cloud vendor" to provide your computing resources is that they share a LOT of clients on their infrastructure, and all it takes is one unhandled event to take many of those clients offline with no backup.
2) Security - i.e. will someone else be able to copy it?
By definition, having a cloud vendor involved adds layers, remote access capabilities, and extra eyes who can see your data. PLUS, other entities such as governments (or other outsourced services the cloud vendors use) may have their fingers into these cloud vendors.
So, I'd say by definition it's less secure. The question is how much the exposure is, and that would vary tremendously by the kind of business.
The worst cases would be multinational businesses and non-profits who have policies which don't necessarily agree with the local governments' rules. We already have seen many such abuses in practice.
Erich Boleyn
If you have difficulty enough protecting your data on a server in your closet if it's connected to the Internet, how do you expect this to change when that server lives in a building somewhere and is controlled by someone else? Do you think "Trust me, I'm a professional" ad material is going to keep your data safe? You can encrypt, for a start, but there's no real substitute for locally controlling what goes in and out of your server.
Not that any reality-based arguments will matter. Capitalism fails at the local interface level. Professional IT personnel who can actually assess risks and benefits accurately are overridden by bean counters and PHBs all the time. Let's hope this doesn't eventually end up with strategic military information being reviewed by Chinese or Pakistani generals.
Please do not read this sig. Thank you.
(1) Um, no?
(2) As safe as the cloud wants it to be.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I note, with interest, that no cloud computing purveyor offers to even let me create a node of my own for my data. No, they must own it all, on their servers, and do what they see fit with it. No attempt to even let me have a regularly maintained backup in a standard format on my own system. The best option is Google's data liberation front, and while that's a laudable effort, it falls far short of letting me have a regular local backup.
And don't even get me started on my smart phone. None of the applications give me the option of installing something on my home web server and using that for my 'cloud storage'. Not even the ones I pay for.
Need a Python, C++, Unix, Linux develop
I think one thing that is missing from a lot of this discussion is the concept of liability.
When data is put on the "cloud", if some data breach then happens, the company in question can scapegoat the cloud provider, or otherwise shift blame to them. "They told us that (y)our data would be secure! It's not our fault!"
When dealing with data in-house, you don't have that luxury. Data breach happens, and the person getting the blame is part of the company.
"CLOUD" is the big buzzword now, but what is it really? Some people will say a remote file server is Cloud computing. Others will say the cloud needs to provide a server or functional action to be a "Cloud". There is a big difference in "Cloud computing" when you compare what salesforce.com does vs dropbox.
What is the difference between 10 non-related hospitals putting data on a 3rd party "cloud" file share or 10 related hospitals putting data on an owned file share at a central location? Security? Reliability? Accessibility?
What happens if a "cloud" provider files chapter 11 or goes belly up? Is the data or the service the product that will be sold off? What happens to your data if the hardware containing your data is sold off? What does your legal mumbo jumbo say? What have the courts said?
When you take into account HIPAA and all the other acronym rules, how do they get enforced?
Using this definition of security: "The state of being free from danger or threat", I feel that my cloud data is very secure. I tried the "send a hard drive off-site" to keep an off-site backup, but the problem with that method is that I'm never sure that hard drive is still functioning. A couple months after I sent an off-site backup drive home, I got a call from mom "Hey, I don't know what was in that box you sent home, but the cat keeps knocking it off the bookshelf. I hope it's not fragile".
My cloud backups are encrypted (both in-transit and at rest, the encryption key never leaves my home computer). The most sensitive thing I have in my backups is old tax returns. I'm not sure that any government is going to be interested in seeing my gigabytes of vacation pictures, nor my 15 years of email archives.
If I really thought someone would try to compel me to release my decryption key, then I'd use something like a Truecrypt hidden volume and release the key to my LOLCat archive instead of the key that secures my Plan To Take Over the World.
Collective Load-balanced Organization of Uniformed Data-centers?
Someone has got to be able to do better than that.
Encryption isn't just for warez, you know...
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
Looks like checking the box to say I don't want to see stories from samzenpus doesn't actually do anything.
Pity that. I checked it for a reason.
Lost at C:>. Found at C.
Then why doesn't the front page of Twitter.com link to this page?
The problem is, it's not their data, but they have a business reputation to uphold so they can maintain a revenue stream. But let's say someone offers them a lot of money to get at your data, well a business is to make money, right?
Then there are all those government and security sites that have been hacked. If I were a hacker (which I am not) I would target large farms of computers where if I could get in would have a lot to choose from. Also, if I could break the security of one of the hosted boxes, I probably could break them all because a large organization has consistent policies and standards and tools for security. Break one, break them all.
Then there are the secret government taps and accesses that they might have to honor and access your data without your knowledge.
The point being, your data is out of your shop and out of your control. You don't know if it has been compromised and the company you are dealing with, if your data was compromised, might not want to tell you because it affects their bottom line.
Oh, and send it to another country, as if other countries have better more secure systems, or governments with more honorable practices.
Working for a bank and a trust company, the cloud computing solution scares me.
That could just be an application service provider. [Or it could be cloud storage.]
Exactly. "Cloud" can mean storage service providers, computation service providers, and application service providers. Amazon offers all three: S3 for storage, EC2 for computation, and Fulfillment and Product Advertising for applications.
So even tho I get to check the box that disables advertising, I have to see advertising?
Can /. at least put all the ads (like the sourceforge logo) in the same folder so I can just add an * to adblock?
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
In relation to healthcare data, the first step is to describe what you mean by "The Cloud." From a clinic-end-user perspective, there are already many providers of Practice Management and Electronic Health Records which offer "cloud" storage. By which is meant that the vendor of the PM/EHR software stores your data somewhere away from the physical clinic space. But, universally AFAICT, it means storage at a server farm either maintained directly by or certified to the vendor as being HIPAA and ARRA compliant. It is simply that the storage location is irrelevant to the Nurse/Physician/Biller looking up your record.
This is contrasted with those of us who maintain a physical server in the building - the actual server sysadmin tasks of which are usually still provided by the vendor. But this nevertheless all-but-requires the clinic to hire or have contracted additional IT support. (Which is my role here.) Doctors and nurses cannot wait two hours to have someone figure out what button was mispushed, they need immediate IT support when they need it.
One reason I still have my job is because our physicians are concerned with ownership of their data - the hard drives containing patient data are under this roof.
But ARRA EHR stimulus will change this radically as Health Information Exchanges are *mandated*. Your data will eventually be shared because government regulation requires it, end of sentence. Unless something changes. And some providers are already going with solutions which, upon treatment, they either create your record or claim elements of it from other systems.
Bottom line: The cloud ain't "The Cloud" when it comes to Healthcare IT, but elements of patient data will someday reach The Cloud anyway.
What about putting data on the cloud that contains sensitive financial information like social security numbers or loan IDs in a cloud? Is there a service that can guarantee our data will have the same protections we have in house?
and how do I make it go away!
+1 for parent
No. When it comes to protecting your data, the only way someone can be sure that everything that can be done has been done is to do it themselves. I prefer to think of cloud data storage in the same way I do banks. If I go with one that's well known as being reputable then I probably won't see any issues, but there's still a chance that one of their employees can do something dishonest.
Couldn't you just encrypt your information before you give it out?
If you have stuff that you don't care about other people seeing, go ahead and store it on someone else's servers/drives/etc. if it's convenient and meets your needs.
If you have stuff that you want to keep private, keep it local, keep it encrypted, and be careful with it.
If you have stuff that incriminates you, BURN IT YESTERDAY. (And I do not mean to a CD-R.) Unless, of course, it's stuff that I think you should go to jail for, in which case, go turn yourself in, you crook.
WALSTIB!
Yes. Thanks to the magic fairy dust they use when they write their laws down, your information is secure in other countries where your privacy is guaranteed by law. Don't look behind the curtain. Nothing to see here. Move along.
I don't see how it is any worse than relying on Gmail or sending an SMS on the phone. If the government really wanted to get my medical records, they can get it from the hospital. They can get phone records from the phone company. Financial records from the bank, credit rating agency or your IRS tax returns.
We trust things like the cloud every day in our lives with little second thought. Being so afraid of the cloud is like using only cash because you are afraid of the government tracking your credit cards.
If the data has redundancy across multiple providers (not just mirrors based on the same software platform and managed under one vendor), then I tend to trust the cloud to make authentic free/libre source code available, but I expect the author to have a backup, and I would keep one myself if I was the author. Aside from this, such as public domain audio, video, text, images, and non-libre but gratis binaries/source, no. Takedowns, and other such methods, as well as internal disputes, threaten the availability of this data, and if a managed provider is asked to take it down, it will become scarce or not available. I make local copies and back them up whenever possible. If it's not managed by me, it can't be guaranteed to be available to me.
Twinstiq, game news
The whole question of "cloud security" is off base. The "cloud" is nothing more than a geographically distributed cluster of compute nodes running virtual machines on behalf of the clients. While the essential firewall security and such are the responsibility of the cloud provider, it's still up to the customer to ensure that the server images are properly configured and secured.
Cloud providers who provision a complete suite of software are different -- they're not letting the customer set up the software, so they're taking ownership of the security issues at the provider end. However, most such services are referred to as SAS providers, not cloud providers.
So the question is not whether you trust cloud security, but whether you trust government and corporate security.
Sad to say, I do not. There have been and continue to be too many intrusions and cracks in the past few years by supposedly reputable outfits that expose the weakness of most web facing security models. See yesterday's article about XSS and SQL injection vulnerabilities in the majority of websites tested by a security firm for an example of why I don't trust the security "experts" most companies and government agencies have on staff.
If you don't know enough to encode the raw text received in a web form as an SQL or XML string instead of just wrapping it in quotes and passing it to the database, you should be sued for incompetence and negligence. There is simply no excuse for such sloppy coding in this day and age, even if you're fresh out of school and working your first job.
I do not fail; I succeed at finding out what does not work.
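The contrast drawn in the comment above, between wrapping raw form text in quotes and encoding it properly, as an added example that is not part of the original thread. It uses Python's `sqlite3` and `xml.etree.ElementTree`; the table, the function names and the form inputs are constructed for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample rows standing in for an application's user table.
ROWS = [("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
        ("O'Brien", "obrien@example.com")]

# Constructed form inputs: an ordinary name containing a quote, and two
# values that only make sense if the text is re-read as SQL or XML syntax.
HONEST_NAME = "O'Brien"
SQL_FORM_VALUE = "nobody' OR '1'='1"
XML_FORM_VALUE = "guest' role='admin"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_quoted(conn, name):
    """The criticised pattern: form text wrapped in quotes and concatenated."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_bound(conn, name):
    """Hardened: the value is a bound parameter and is never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def xml_quoted(name):
    """The same mistake for XML: an attribute built by string concatenation."""
    return "<user name='" + name + "'/>"


def xml_built(name):
    """Hardened: the serializer escapes the attribute value itself."""
    element = ET.Element("user")
    element.set("name", name)
    return ET.tostring(element, encoding="unicode")


def parsed_attributes(document):
    """Attributes a consumer of the XML would see after parsing it."""
    return dict(ET.fromstring(document).attrib)


def run_case(func, *args):
    """Return ("ok", result) or ("error", exception class name)."""
    try:
        return ("ok", func(*args))
    except (sqlite3.Error, ET.ParseError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    for value in (HONEST_NAME, SQL_FORM_VALUE):
        print(repr(value))
        print("  quoted:", run_case(lookup_quoted, db, value))
        print("  bound: ", run_case(lookup_bound, db, value))
    for value in (HONEST_NAME, XML_FORM_VALUE):
        print(repr(value))
        print("  quoted:", run_case(parsed_attributes, xml_quoted(value)))
        print("  built: ", run_case(parsed_attributes, xml_built(value)))
```

The quoted versions fail in both directions: a legitimate name with an apostrophe breaks the statement or document, while crafted text changes its meaning. The bound and serializer-built versions treat every input as data.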
That question is too short and nondescript to make any sense? Safe, not only in IT terms today, is an objective and non-persistent state. What my third party entity audits as safe may very well fail your third party's audit. This is even if we may be auditing against what sounds like strict standards. What may be deemed as safe today may not be safe a 0-day later, though you may be continuously assessing. Your data is not safe anywhere and you should not sleep easy even if you write it on a piece of paper only to swallow. You are bound to poop tomorrow.
I saw the story about Sponsored stuff, but the "loudness" shocked me a little.
At least you can Ad-Block the logos. (... for now!)
I'm kinda dreading the eventual push to have every story Sponsored though.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Well, I trust both Google and Dropbox enough to store my encrypted backups. Wouldn't upload anything important without encryption though.
I don't upload anything that I don't want third party data center employees, government agencies, or Chinese hackers to see, so I don't have any problem with cloud computing services. I have no problem storing things like a catalog of my CD collection - though unfortunately I wound up deleting that because my house was broken into and all my CDs were stolen. :(
Well, you can always go into preferences and disable "ask slashdot."
Free Martian Whores!
a) What legal jurisdiction is your data under?
b) Which state, country is it located in?
c) How do we ensure the cloud provider doesn't get hacked?
d) How do we ensure the available access methods are secure for our data?
e) What happens when the data is needed back? Overnight HDD shipment or are we downloading for the next 3 months?
f) What happens if your data is mixed with your main competitor's data?
g) Fail to perform penalties?
Many of these things can be controlled through strong contract requirements.
How many companies will have the skill to negotiate a contract like that?
Will these critical items make "cloud data" cost prohibitive?
Here's what a well-known law firm, Seyfarth Shaw, says about cloud services: http://www.seyfarth.com/publications/Issues-Related-To-Cloud-Computing
I'll keep a hold of your data for you - for free. It will be perfectly safe in my cloud
There used to be a post worth modding 5 points here.
Unless my data is on a non-networked machine stored in a locked filing cabinet in a basement closet with a sign on the door saying "Warning: Leopard inside," then no.
Vote monkeys into Congress. They are cheaper and more trustworthy.
Yes. If your organization is “normal” then your data is definitely safer in the cloud for several reasons.
The definition of normal in this context is an organization that has some, but never enough, technical and CAPEX resources so it is struggling to make do through a combination of ingenuity and hard work. The end result of this is that individuals are forced to triage tasks to overcome the perpetual shortfall in funds and time. All of this is fine and hopefully results in a raise, or a parking spot, or at least an employee of the month plaque – however – the simple truth is that stones are left unturned and holes are left unplugged.
So this is the first reason that a fully formed cloud from a major provider like Amazon, or Rackspace, or Terremark is superior. They have lots of resources and smart people who have focused man-years on designing ONE secure process. When you buy into that you are getting the benefit of all that expertise and attention to detail and you just have to keep from screwing it up. For example, a new Amazon or Rackspace cloud computer has, by default, only one open port; SSH on port 22. Honestly, can normal folks be absolutely certain which ports are open and exposed from the various pathways into their terrestrial network?
Of course some organizations do indeed have the resources to dot every “i” and cross every “t” but the overarching point is that cloud computers from reputable cloud providers are, by standard measures, more secure.
I know it is already in the wrong hands. Privacy on the internet has always been a myth, a LIE!
This is just one more example of cost considerations overriding any other consideration, including security, privacy and control.
Government or hackers, either way you should assume your data is compromised.
blindly antisocialist = antisocial
"Cloud" is just another service provider your company or you are dealing with. They should and usually do spell out how they respond to a subpoena for your data.
Amazon AWS, for example:
8.1 Your Content. As between you and us, you or your licensors own all right, title, and interest in and to Your Content. Except as provided in this Section 8, we obtain no rights under this Agreement from you or your licensors to Your Content, including any related intellectual property rights. You consent to our use of Your Content to provide the Service Offerings to you and any End Users. We may disclose Your Content to provide the Service Offerings to you or any End Users or to comply with any request of a governmental or regulatory body (including subpoenas or court orders).
the uid says tom, but the posts are signed barbara
i just assumed it is a male to female tranny
Don't put information on the web that you don't want other people to see. This includes personal data and source code. Especially source code.
... as like the things that fly through them (planes).
On average and statistically, the safest (it's got true industry experts in safety and security behind it precisely because their business relies on it - in-house usually hasn't)
But when something does go wrong, it affects a lot of people and makes a mess.
It might or might not be, the only problem is it's no longer in your control but someone else's.
Oh you mean the Apache foundation? Or PHP developers?
The trouble is with the phrase 'your data'. If it is truly _my_ data, say my own personal documents or porn-stash that I only use myself, then I can secure it no matter where it's located. I encrypt the bezeesus out of it, and only I know the keys. Wherever I store it has inherent risks, be it the risk of theft of my physical computer, or the risk of my hosting/cloud company messing with it, or handing it over to governments or other parties. But with the keys, I don't care if they do. [insert the xkcd.com cartoon about getting to my data by beating me with a $5 dollar wrench.]
Security only gets tricky because it's rarely just 'my data'. It's my company/organization's data, and needs to be shared by all kinds of people, with a group of other people responsible for both protecting it and making it available. This makes it tricky, REALLY tricky. In such a complex environment, 'the government' is really the last of my worries. Unless I'm an Iranian scientist.
It seems to me that encryption is still really difficult, and there aren't many offerings available that make it easy to use effectively in any other scenario than my private porn stash. For that, yes, I can have an encrypted file system on my EC2 server, and perhaps a TrueCrypt volume on that, with me accessing the data only through an SSH tunnel, from a screen in my basement, while completely covered by tin-foil lined blanket.
And I'd STILL be worried about my mum walking in.
"This."
WTF is that? An Americanism? Who the heck writes a sentence with one word, that doesn't really make sense. Seriously, you all need to stop using this slang phrase. //The Language Nazi.
is required (ala UK/EU) and of course a Data protection commission with real teeth (ie unlike the current UK situation).
So that's personal data sorted from a policy and law requirement. Now to get to the issue of greater security. - involves constant testing/pen testing/patching and making sure decent ISO27001/2 standards are used, which means the application AND the backend infrastructure.
All you can do is mitigate risks, not completely remove them.
Clouds don't make this any better or worse, just mean you have to be more careful as to how you define security, check/audit and continue the process with vendors of your choice, just like any sub-contract be it manufacturing widgets, off-shoring call-centres and so on. You'll still need a large percentage of man-hours to manage the relationship which a lot of people don't take into account!
These corporations keep stating that the information they keep is generic and not harmful. If so how about they share it publicly?
Do I have concerns about data falling into the wrong hands? YES
Are the cloud's benefits outweighed by security issues? YES
The information needs to be stored in a known physical location which is under the jurisdiction of a government that has laws protecting the data and a policing agency enforcing those laws. Under the current situation, there is no protection of the data (this is a criminal issue not a civil one). Hence, you can protect your data by keeping it under your own physical controls and attempting to keep burglars and thieves out (by preventing physical or network access).
To answer the question: some potential cloud users will have problems with governance (compliance) issues, and the cloud may not be suitable for them. An obvious example would be some government authorities. Organisations like the military will not want to use cloud computing services for many applications, because it requires trusting a third party and the connection to that third party. However, for many people data will be *more* secure, because it will be backed up more effectively, e.g. through replication at multiple sites or through distributed storage where all of the data is not stored at any one site, and because servers may be administered better. Moving to the cloud for many organisations will be equivalent to outsourcing IT, so if you have poor quality local expertise then you can expect an improvement in your IT administration.
Also, to add an opinion on cloud: so many people have disregarded cloud as a 'buzzword' or fad. I believe that they are wrong to do so. Recently I visited a cloud hosting provider that was growing its turnover by more than 100% a year - in the middle of an economic downturn - and they really are focused on the very early stages of cloud adoption (e.g. outsourcing an Exchange server). The potential for savings is huge, particularly for businesses that are starting up and need scalability. One of the big advantages of cloud computing is that you free your company of capital investment in IT infrastructure, and you can relate your running costs to your operating income.
For concrete examples, Cloud is a catch-all word that includes:
- Hosting Exchange servers
- Providing thin-client services to offices or call centres.
- Providing CRM management over a web or thin client interface.
- Scalable web frameworks such as Google's App Engine.
- Providing scalable resources such as servers booting an image provided by the client.
Of course there are issues with Cloud Computing, and not everyone will adopt it to the extent that some enthusiasts suggest. There may well be a backlash after moving some services over and finding out that latency is too poor, or that certain providers are not sufficiently well-trained to do the job. But Cloud is here to stay, I am convinced of that, and it is a trend that will dominate the computing landscape for the next decade at least.
RS
It’s cheaper. Nuff said.
I had a cloud server for a while. It was great, until one day I opened my website and found the entire thing gone. My provider had reinstalled my machine from scratch.
Yes, I had the content backed up and went to another host, though I lost my visitor content database.
Next question?
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
I don't trust them. There is no way that data farther away with more companies' data near it is safer than it was on your own box right next to you.
All it will take is one massive flub and clouds will be all over the news as something to avoid. Bet on that.
The whole thing reminded me of a mainframe - we will store your software etc. etc. What about my configuration settings, do I get to map those or is that cloud driven too because that's part of what makes some IT companies different. Outside of a cloud without a large name behind your organization you are small potatoes, squeeze yourself in next to someone on a radar and you could become the victim of their enemies. What I'm thinking is what is more appealing to crackalack, the server with multiple companies or the one with one that no one heard of. There is safety in obscurity for the smaller folks.