Ask Slashdot: Is Your Data Safe In the Cloud?

With so much personal data being kept on the cloud, including government and health records or your source code, do you have any concerns about it falling into the wrong hands? Do you think the cloud's benefits are outweighed by continuing security issues?

No.

[plopez]

No one is going to care as much about your data as you do. Next question please.

Re:No.

[ironjaw33]

No one is going to care as much about your data as you do. Next question please.

This. My employer only backs up one of several disk partitions on my work computer. The non-backed up partitions were hosed during a routine system upgrade last summer. Fortunately, I had backed up the data using my own resources but others hadn't and lost months of work.

The lesson: only you can ensure the integrity and persistence of your data. If even your employer can't, then who can?

Re:No.

[DaveWick79]

And frankly, if your employer allows you to create your own data partitions on your hard drive, and doesn't require you to sync or store data on a file server, then they deserve to lose their data.

maybe more secure

[roman_mir]

In many cases maybe your data is even more secure in a cloud than on your own servers, especially if you choose your 'cloud' carefully (outside of your country/jurisdiction).

The real threats to your data are your own employees and your government. The outside 'hackers' come as a very distant third.

Re:maybe more secure

[rbowen]

Yes, exactly.

Servers "in the cloud" are installed, secured, and maintained, by sysadmins like you and me. Some of those sysadmins are good at what they do, and some of them aren't. "The cloud" is not intrinsically secure or insecure, because "the cloud" is not a definable entity, as much as the tech press wants it to be. This is a misnomer perpetrated by the poorly-informed press, and not really something that's based in reality.

Every time we read an article about "the cloud", it's useful to take a moment to consider what it actually means in that particular scenario.

Although "the cloud" means "I don't care where my servers are", there are in fact actual servers somewhere, and there's an actual person or team of persons responsible for maintaining that server or servers, and they are either good at their job, or they aren't. Talking about "the cloud" as though it's one homogeneous mush of data is nonsense, and leads to all sorts of false conclusions.

Re:maybe more secure

[TheSpoom]

Really, I just hate the term "The Cloud" in the first place. It's so vague as to be unusable. Virtualized servers? OK, I get that, and it's specific about what it means. But "on the cloud" tends to just mean "on the internet somehow". Maybe it's on a physical box, maybe it's virtualized, maybe it's run by your company (but probably not), maybe it's managed by a third party. It means I have to ask additional questions, meaning the term is a waste of time.

Re:maybe more secure

[Terrasque]

I feel it's more about paying someone else to do all that server'y stuff, and gives you the freedom to go "I need $foo for $bar time" - and the provider(s) goes "okay" and magically pulls it out of the cloud for you. When you're done with it, it goes back to the cloud, no extra cost to you.

At least, that's the impression I've got from the non-technical people's understanding of it. For techies there's nothing new, per se. It's just that hardware / software have come to a point where large companies find it useful both to sell and to buy, and marketing have managed to find a way to explain it to non-techies.

simple -- create an encrypted container

then store it to the cloud w/ you just knowing the keys/passphrases

Local Storage, Forever

I do not trust the cloud, because I can't grab it and bury/burn it at my whim. Just like posting on FB, once you have done it - that data is out there, forever.

local storage will never die.

The "cloud" is not some mysterious relic.

[cmv1087]

It's still someone else's servers holding my data and I still have to go through some hoop(s) to get at it from other devices. What is so special about it?

No, the bits will get wet!

[HTMLSpinnr]

::rimshot::

No, seriously - depending on the cloud service, aren't buckets of data encrypted in such a way that only the owner of the data can access them? Cloud service providers may be required to hand over data, but do they have the means of handing over the encryption keys along with it?

For certain cloud services where you're uploading via browser, they may be encrypting your data post-upload, so the request to decrypt may be more trivial. However, if you manage your own (like S3 backups) - or simply use a service that encrypts BEFORE uploading, I'm not sure there's a whole lot Amazon or some other provider could do to hand over the data in any usable form.

Those who are concerned about security of their data should ensure that the backup is encrypted in an acceptable method, or simply stash it in an encrypted container before storing it "online" (I realize there may be limitations of scale with that suggestion).

Who asked this question?

[MalleusEBHC]

Unlike all other Ask Slashdots, this question is not prededed by "$USERNAME writes", so who actually proposed this question? A user that didn't get credit? A Slashdot editor? Someone from Sourceforge? The post introducing sponsored Ask Slashdots says that "the sponsors don't pick the questions", but that's still ambiguous. Many people are skeptical about this being thinly veiled astroturfing, so it's important to be as transparent as possible.

Re:Who asked this question?

I don't know if they're taking constructive criticism from anonymous users, but...

Slashdot might get more mileage out of a question that people can have several different takes on. "How should I archive data long term?", or "How do you secure a small business website on a tight budget?", or the like. This one is a bit of a dud because it's basically two yes/no answers. It's just chumming the waters to throw something like this into a user community that's already on to your synergistic marketing plan; they need something that geeks can't help themselves but participate in.

For a SourceForge topic, I'd love to read more details about what's involved in providing and effectively securing the type of service they provide (which must be a bit of a rolling nightmare for you folks with hundreds of thousands of projects and the level of exposure that entails), and maybe a solicitation of anonymously-submitted stories from other users about website break-ins they've had to clean up and how things went, both with the software and with public relations.

Re:Who asked this question?

[Leebert]

Hey, PerlJedi,

Just thought I'd throw out that I'm happy to see your interaction here. It's always bugged me how little the /. staff is represented in the comments.

Encrypt First

I would encrypt any sensitive data I may have before storing it in the "cloud". It would be irresponsible to assume the data can not be read or copied by others.

Sponsorships? Really?

[RobinEggs]

Note to slashdot: It'll be hard to maintain whatever shred of journalistic veneer and integrity you have left if you start posting advertisements for sister websites as 'sponsorships' of semi-legitimate discussions or stories.

The fact that everyone else does it is still no excuse.

Re:Sponsorships? Really?

[mikeroySoft]

I'm glad at least comments are enabled. Most other sites disable them for sponsored articles.

Further, I imagine that the bandwidth and hosting costs of /. are quite high, so they need to get a return somehow.
I mean, with so many people here probably using AdBlock etc, or disabling ads because they're registered users who can, they have to get their ads-to-eyeballs ratio back up to somewhere that it's actually worth it to advertize here (this ensuring that our geeky community can continue to have someplace to live!)

Re:Sponsorships? Really?

[Hatta]

Slashdot is a geek tabloid. Don't expect journalistic integrity. Do expect entertaining discussion.

Re:ABSOLUTELY !!

[TheRaven64]

A cloud is a large thing made entirely out of vapour.

Absolutely not

[KlomDark]

These days your data is your wealth. Putting it somewhere as vague as 'the cloud' is as dumb as keeping your life savings in a car belonging to someone you don't know and have no idea where that car might be located. (Probably in some trailer court.)

It's a marketing trap - don't fall for it.

Re:Government action

[GeckoX]

Heck, never mind seizure, how about willfully providing this information? Twitter is now providing all public posts to the government.

Bottom line, if it's in a cloud, you have zero guarantee as to how that information will be used and who will end up with access to it.

I Disagree

[eldavojohn]

Servers "in the cloud" are installed, secured, and maintained, by sysadmins like you and me. Some of those sysadmins are good at what they do, and some of them aren't.

I don't get it then, what makes the sysadmins and employees at these companies that run "the cloud" any more or less secure than my own employees and sysadmins? And what makes the government where "the cloud" resides any more respectable of my privacy than my local government? My own reaction is that there's just another layer of security risk here. At least if they're my employees or sysadmins and I find out data is being leaked, I can fire them and do an internal investigation. If some sysadmin is dumping databases at a "cloud" site, then who is ever going to know and how is that ever going to be rectified?

I'm not arguing against "the cloud" and I don't have a good example on hand of where "the cloud" has failed but to me it seems like a lot of these are virtual machines sitting on physical hardware running more software. And every layer is just another potential weak point in the chain of software. Is that not true? Isn't it possible that employees of VM farms are simply cloning and dumping memory or hard disks (or entire VMs for that matter) for their own personal use?

There was a paper a while back about encrypted computing just to address this very fear.

"The cloud" is not intrinsically secure or insecure, because "the cloud" is not a definable entity, as much as the tech press wants it to be. This is a misnomer perpetrated by the poorly-informed press, and not really something that's based in reality.

Just like the title to this Ask Slashdot encourages us to debate the security of something that cannot be intrinsically secure or insecure? If you're telling me that "the cloud" is not intrinsically secure or insecure why are we having this conversation? I mean, I think it's worthwhile to consider what a lot of "the cloud" services are that are out there (the big few that exist) and to debate their security success or potential holes. You can always deflect my arguments by saying that they're just "implementing the cloud wrong" and we won't go anywhere. But it is my opinion that sensitive, personal and secure information should not be handed off to yet another third part for computation or storage unless your trust with them is enough to risk litigation against yourself from all of your customers.

Re:Government action

Twitter is now providing all public posts to the government.

I've never used Twitter, so maybe I'm missing something.
Isn't Twitter providing all public posts to the whole world?

Re:Government action

Actually you are very much on mark there. An article in Politico over the weekend talked about how the Patriot Act is a deterrent for companies to use cloud storage in the U.S.

http://www.politico.com/news/stories/1111/69366.html

Is Your Data Safe In the Cloud?

[1s44c]

Is Your Data Safe In the Cloud?

No. Next story.

Possibly better trained than me?

[rbowen]

I would like to believe that when I host a server at Slicehost (oh, yeah, it's Rackspace now) that they have server administrators who are better trained than I am. That they have backup procedures that are better executed than I would do. That they upgrade their hardware more often than I do.

Likewise, if I put my data on a "cloud" service, I am paying for the assurance that they have secured those servers at least as well as I would, in addition to whatever it is that they specialize in (scalability, availability, redundancy, etc). So, in theory at least, that's what's special about it - that they can do a better job at those things, for less money, than I can.

The reality can be less clear cut, and so, as with any vendor selection process, you have to do your homework and find the ones that seem to do a good job.

I think the press has done us all a disservice by making the cloud into, as you say, a mysterious relic with mystical powers. Hopefully those of us actually making these decisions understand what it really means and can be sober about evaluating options.

Re:Government action

[tomhudson]

As soon as you supply your information to a 2nd party, it's no longer *your* information

Not true (except maybe in the US, where copyright law seems to only apply in favour of corporations, and the sheeple have ceded control of the political process to lobbyists because the rednecks fear limitations on political campaign donations and pork to the point where privacy legislation is decades behind the rest of the world).

Re:Government action

[drpimp]

If they are in fact able to get a court order, what is the difference WHERE the data resides? Assuming you are not talking about hosting your data in some government "non-accessible" nation. Unless of course you're planning on destroying or "getting rid" of it. And in that case if they could prove that you destroyed evidence you could have potentially a bigger issue on your hands.

Where am I going to get all this upload bandwidth?

[elrous0]

I'm more concerned about what my ISP is going to say when I start uploading data by the gig on a regular basis.

Why is this article floating?

[milbournosphere]

While I wasn't too thrilled about this whole sponsored post idea, I shrugged my shoulders and moved on. However, this first go at it is somewhat troubling. The question is rather ambiguous, with no information given about who submitted the question, but that's already been discussed.

My big problem with it is why this story seems to be 'floating' in the feed. All morning, it's been at the number two position. I don't really mind the glaring blue story staring at me, but I would appreciate it if it faded to oblivion just like the rest of the articles/stories/slashvertisements, so I don't have to continue to stare at this giant blue SourceForge logo when I browse the news feed. I had tried to keep an open mind, but this whole thing looks like an attempt to whore out the site for money.

Re:A little telling

(our privacy policy is located at ADD LINK).

I think you forgot something, like making the effort to read the marketing material someone handed you before you copied and pasted it.