Slashdot Mirror


Put Your Enterprise Financial Data In the Cloud? Sure, Why Not

jfruh writes: For many, the idea of storing sensitive financial and other data in the cloud seems insane, especially considering the regulatory aspects that mandate how that data is protected. But more and more organizations are doing so as cloud providers start presenting offerings that fulfill regulatory needs — and people realize that information is more likely to be accidentally emailed out to the wrong address than hacked.

91 comments

  1. then/than by Anonymous Coward · · Score: 3, Funny

    Emailed out, and then hacked! It's a one-two punch of bad luck!

  2. What's the point by Anonymous Coward · · Score: 1

    Yeah, what's the point of security when someone can just email stuff?

    Let's just give up.

    1. Re:What's the point by MobSwatter · · Score: 2

      The first rule of security is don't put all your eggs in one basket. Like a cloud with multiple users' data segmented but under one layer of sandboxed admin privs. If anyone thinks that is a good idea then just ask the NSA about it, though that might still be a bit of a touchy subject for them with Snowden. In reality the only credentials that should have access to all data would be the service a backup runs under, and the backup operator should have a healthy loyalty-based paycheck. These are some old school tactics, but hey, this new shit is supposedly better somehow and I'm sure China really appreciated the F-35 JSF plans before the plane was completed. Now if security is not such a big deal anymore then we should be able to sublet positions to H1B visa candidates and collect a free paycheck.

    2. Re:What's the point by Anonymous Coward · · Score: 0

      That's not really a security rule, it falls squarely on the operations department. Not telling the chickens where their eggs go, now THAT is a security rule. Or don't let the fox guard the henhouse, that's a well known one. Of course, all this analogy stuff breaks down when you realize chickens seldom fly high enough to reach the cloud.
      On Slashdot, you should stick to car analogies until you get the hang of it.

    3. Re:What's the point by Anonymous Coward · · Score: 0

      The backup operator does NOT need access to the information. If the information is encrypted, you just back up the encrypted state and do validation on the encrypted files afterwards. This means you need to trust the encryption/decryption process for backup, which can be a problem, i.e. for disk degradation and other problems with signals.

      It's not easy. It requires brain power. But it's not impossible as some people assert again and again.

    4. Re:What's the point by turbidostato · · Score: 1

      "In reality the only credentials that should have access to all data would be the service a backup runs under and the backup operator should have a healthy loyalty based paycheck."

      Not even that.

      On a properly configured system for sensible enough data, agents you can't impersonate run on the clients and offer the already cyphered data to the central backup manager. The credentials that can back up the data can't restore it and vice versa.

      On top of that, you segregate data/systems into security realms and you backup/restore them to/from different systems with different teams/credentials.
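      Added example, not code from this thread or from any backup product: a Go sketch of the split that turbidostato and the earlier Anonymous Coward describe. The client agent encrypts before anything reaches the central manager, so the backup credential can store and validate blobs but never read them; the operator's validation is a digest check over the stored bytes; and only the restore role's RSA private key (assumed here to sit with a separate team) recovers plaintext. The hybrid RSA-OAEP plus AES-256-GCM construction is my choice, not the thread's, and the ledger row is constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Blob is all the central backup manager ever sees: the data key is wrapped to
// the restore role's public key, and Digest lets the operator validate the
// stored bytes without decrypting them.
type Blob struct {
	WrappedKey []byte // AES-256 data key, RSA-OAEP encrypted to the restore public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-256-GCM output, authentication tag included
	Digest     string // hex SHA-256 over nonce || ciphertext, recorded at backup time
}

func digest(nonce, ct []byte) string {
	h := sha256.New()
	h.Write(nonce)
	h.Write(ct)
	return hex.EncodeToString(h.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Backup runs on the client agent. It holds only the restore role's public key,
// so the backup credential can write blobs but never read them back.
func Backup(restorePub *rsa.PublicKey, plaintext []byte) (*Blob, error) {
	key := make([]byte, 32) // fresh per-backup data key
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, restorePub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Blob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Digest: digest(nonce, ct)}, nil
}

// Validate is what the backup operator can do: catch bit rot or tampering in
// the stored copy with no key at all.
func Validate(b *Blob) bool {
	return digest(b.Nonce, b.Ciphertext) == b.Digest
}

// Restore needs the restore role's private key, held by a different team than
// the one running backups.
func Restore(restorePriv *rsa.PrivateKey, b *Blob) ([]byte, error) {
	if !Validate(b) {
		return nil, errors.New("stored blob failed integrity check")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, restorePriv, b.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

func main() {
	// Constructed sample: a restore key pair and a made-up ledger row.
	restoreKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	row := []byte("ledger row (constructed): acct=000123 amount=42.00")
	blob, err := Backup(&restoreKey.PublicKey, row)
	if err != nil {
		panic(err)
	}
	fmt.Println("operator validation passes:", Validate(blob))
	got, err := Restore(restoreKey, blob)
	fmt.Println("restore round-trips:", err == nil && bytes.Equal(got, row))
}
```

      The point of the split is that a compromised or careless backup operator ends up holding ciphertext plus a digest, which is enough to detect the disk degradation the AC worried about but not enough to read a single record; the realm segregation in the last comment above would then mean a different restore key pair per realm.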

    5. Re:What's the point by MobSwatter · · Score: 1

      Security through obscurity is not security, fox guarding the henhouse applies as well, these also could be elaborated on by the NSA, and being that they author security policy for the rest of the government explains a lot about the latest breach of security clearance information. This is part of a larger picture though, the problem is lack of government accountability. Corporations are pulling political strings, but the corporations got where they are because they got in good with the mob. I say we elect mob families to run this shindig country, then we'll be hanging the right people when they fuck shit like this up.

  3. No, just no. by geogob · · Score: 4, Insightful

    Nothing goes into "the cloud". I'm slowly getting sick of this cloud hype. In most cases it's useless and it's only a security risk - a risk no one can really weigh as the cloud is often maintained by an external provider.

    1. Re:No, just no. by ArylAkamov · · Score: 4, Informative

      Wasn't it Bill Gates and Steve Jobs that originally rallied against relying on external entities to store your data?

      We've come full circle.

    2. Re:No, just no. by Anonymous Coward · · Score: 0

      It's all sh*ts and giggles until someone yanks the network cable.

    3. Re:No, just no. by thegarbz · · Score: 1

      In most cases it's useless and it's only a security risk

      And yet here in TFS we not only have a use for it, but also a realisation that there are far bigger security risks than cloud storage of data.

      How many companies have fallen victim to information theft of data stored in enterprise cloud systems? Compare that to how many companies have fallen victim to utter stupidity, lax internal security, poor practices in general, etc.

    4. Re: No, just no. by Anonymous Coward · · Score: 0

      Look, 'the cloud' is a stupid concept meant for stupid business people.

      When their sensitive data gets hacked they won't even know it because their provider won't tell them, and if they do mention anything it will be through the blur of corporate doublespeak.

      This whole thing is just another attack on the IT profession, by trying to make it seem like all those pesky responsibility things just magically go away. Now send us our monthly fee please and ignore that after a few months all your savings are imaginary and oh, if you stop paying us your mission critical data is gone too.

    5. Re: No, just no. by Anonymous Coward · · Score: 1

      We must be working at sister companies. Or upper management is "cloud sourcing" 80% of IT (the server part). I have no doubt that they will eventually get rid of company employees for "desktop support" and likely outsource it. Given them, probably to "Geek Squad".

      Long ago we had "cloud sourcing". But we called it "remote time sharing". ref: http://www.computerhistory.org/revolution/mainframe-computers/7/181

      What is old, is new again.

    6. Re:No, just no. by Culture20 · · Score: 1

      My driving a car is statistically riskier to my physical safety than flying. But I drive, because I have more control there. Sometimes convenience wins out over security.
      To make my analogy fit better, the two things should be unrelated: Just because I'll happily drive a car doesn't mean I should now climb a ladder when I could use stairs instead.

    7. Re:No, just no. by masterofthumbs · · Score: 1

      You drive a car because flying everywhere is expensive and not possible in most cases. You can't fly to the grocery store, to work, to school, etc. This isn't a very good argument. A better analogy is that you trust yourself to do car work better than you trust a mechanic. They are the expert and cost more to do the work but you have to read up on how to fix things and spend your time doing the work yourself. The expert costs money, you cost time (which is also money). Now your engine needs fixing. Do you pay for someone to figure it out for you or do you try to do it yourself? Both choices might have disastrous results; you might fuck something up big time and have to spend way more time fixing your mistakes, the mechanic might not get things done on time or within the estimate he gave you. Hell, in both cases, you might have your car stereo stolen either right from your driveway (a targeted attack) or from the mechanic's parking lot (an attacker looking for the easiest thing to steal). You might have a motion light pointing at your driveway and yard but its just you at your house guarding your stereo, maybe you spot the guy because he just walks right up to the house and the light goes off. The mechanic might have a fenced-in parking lot with a rent-a-cop doing their nightly drive-bys at various businesses, maybe he spots the guy trying to get past the fence but failing.

      It's all a matter of money and time. What do you have the most of?

    8. Re:No, just no. by Anonymous Coward · · Score: 0

      A better analogy to putting sensitive data in the cloud because you're more likely to lose it via coworkers than hacks is one where you realize it is more likely you will die of cancer or a heart attack than drunk driving, so you decide to stop taking a cab home from the bar and just drive yourself because it's cheaper. While cheaper, it's an unnecessary risk that increases your overall risk of something bad happening.

    9. Re:No, just no. by neurovish · · Score: 1

      Nothing goes into "the cloud". I'm slowly getting sick of this cloud hype. In most cases it's useless and it's only a security risk - a risk no one can really weigh as the cloud is often maintained by an external provider.

      Perhaps you would like to sign on for the newest IT trend then, "... in a box". Tired of the cloud? What is it? Where is it? Does it even really exist? You have none of those questions with "... in a box". With our premium subscription service, you can even have the best of both worlds, "Cloud ... in a box"! Our certified consultants with over a millennium of combined IT experience will install our Cloud ... in a box in your data center. You can see it, you can touch it, you can bring in your leadership team to look at the blinking lights, and then proudly proclaim "Here is our cloud!".

    10. Re:No, just no. by Oligonicella · · Score: 1

      False comparison as moving data to the cloud does not reduce or eliminate the risk you mention. Adding new security risks isn't the brightest thing to do.

    11. Re:No, just no. by Anonymous Coward · · Score: 0

      The cloud is no different than old-style mainframes.

      Except that the terminal is a browser, there's no sysadmin, and the security is lousy.

      (captcha is 'foolish')

    12. Re:No, just no. by jbolden · · Score: 1

      How is putting data in a high end professionally managed data center running a high end professional managed infrastructure system a security risk over what most companies are doing with their data?

    13. Re:No, just no. by jbolden · · Score: 1

      Yes. Web is a return to the mainframe paradigm. People are enjoying the upside of this paradigm and while they are experiencing some of the downsides the ratio is such that mainly things are getting better. Once the environment becomes too monolithic and tightly controlled the freedom of "do whatever you want" will have huge advantages and we will see a shift away.

      You already see this to some extent on mobile with Apple's push for performance away from the almost totally web paradigm that was popular prior to Apple.

    14. Re:No, just no. by jbolden · · Score: 1

      That's not entirely true though it is mostly true. There are cloud systems and MSPs (and cloud migration exports) that will work on top of many IaaS that offer: auditable procedures, security audits, practice improvement.... Obviously you can implement those things without cloud but for many companies the cost of a SOC is undoable but having a SOC through their MSP is doable.

    15. Re:No, just no. by plopez · · Score: 1

      "How is putting data in a high end professionally managed data center running a high end professional managed infrastructure system a security risk over what most companies are doing with their data"

      How do you know any of that is true? How many people review the data center they are migrating to? How many people vet the employees in the cloud center? There is no incentive for the vendor to do any of that, it just reduces profitability. And the IT management can just say, "It is a professional Fortune {500 | 50} company, they *must* be good". But trust me, the incompetence I have seen in Fortune 500 companies has been astounding.

      --
      putting the 'B' in LGBTQ+

    16. Re:No, just no. by jbolden · · Score: 1

      How do you know any of that is true?

      For a customer you can easily have a tour arranged. You can meet with your account manager regularly. You'll know the people assigned to your account.... Your agent can just tell you since we all go on tours.

      How many people review the data center they are migrating to?

      I'd say most customers go to their data center at least once and sometimes more than once during the sales process.

      How many people vet the employees in the cloud center?

      You mean like an HR vetting? Those are done quite well. In addition the centers themselves are regularly audited by customers and auditing firms. Again you can pick your center based on the policies you want.

      There is no incentive for the vendor to do any of that, it just reduces profitability.

      Quite the contrary. The better the data center, the less cost sensitive the customers. It increases profitability. Lower end centers selling rack space below cost to supplement existing customers who have become semi-indifferent might have those sorts of incentives to cut corners, but again a customer is going to know if they are hitting up a low security / low cost provider.

      And the IT management can just say, "It is a professional Fortune {500 | 50} company, they *must* be good". But trust me, the incompetence I have seen in Fortune 500 companies has been astounding.

      Exactly the point. You see a much higher level of competence in telcos and fiber companies, which run most data centers. You see a much higher level of competence in IaaS operators. Which is my point: for most companies this is a security upgrade.

    17. Re:No, just no. by Anonymous Coward · · Score: 0

      Exactly how I feel! Greedy corporations came up with the whole "cloud computing" thing hoping to create a huge cash cow for themselves. In reality, there is no security possible in "the cloud" because you have no control over who has access to the "cloud" servers. Storing data in the "cloud" is really just putting it out there on someone else's server. Unless you can personally control who has both physical access and access via the internet to those servers, there is NO SECURITY AT ALL! I know that some of you will holler "but what about encryption?" If you think that the government (ANY government) or agencies like the NSA, CIA, FBI etc... would allow any form of encryption that they couldn't break, you are extremely naive! Rules, laws, the constitution, none of them mean anything to the above mentioned entities. They will do as they and their corporate overlords wish and to hell with anyone who objects. Why do you think that the U.S. is still trying to extradite and imprison Edward Snowden, one of America's great heroes of all time?! He rightly exposed highly illegal activities of the above listed entities, so in their eyes, he must be punished or eliminated. I wouldn't be surprised to find out that one (or all) of the above listed entities had put out a contract to have Snowden killed just as an example to others who might think about revealing what these entities don't want revealed!

    18. Re:No, just no. by thegarbz · · Score: 1

      Your analogy fails and also comes to a very common conclusion. It fails because flying and driving are two very different things that get you very different places. It's not a one or another option. Choice of data storage is.

      The common conclusion actually fits perfectly into what I'm saying: Some people are afraid of flying. They should not be as they are more likely to die on the way to the airport than they are in a plane crash.

    19. Re:No, just no. by thegarbz · · Score: 1

      False comparison as moving data to the cloud does not reduce or eliminate the risk you mention. Adding new security risks isn't the brightest thing to do.

      I didn't say elimination. Risk management starts with grading the risks. The risk of using a cloud service is very low when compared with the many other data security risks. The benefit of using a cloud service however can be numerous. It's scaled, offsite, provides a place for data redundancy etc.

      If you care about your risk you would focus on the high risk options and not kill low-risk projects. Adding security risks may not be bright, but it may be necessary for the continued operation of a business. e.g. a new employee is about the biggest security risk there is.

    20. Re:No, just no. by Culture20 · · Score: 1

      Okay, revised:
      "My driving a car is statistically riskier to my physical safety than riding a bus. But I drive, because I have more control there. Sometimes convenience wins out over security."

      My second analogy still stands (altered for clarity): "Just because I'll happily engage in one risky behavior doesn't mean I should now climb a ladder when I could use stairs instead."

    21. Re:No, just no. by thegarbz · · Score: 1

      The analogy stands beautifully. You do a risky activity because of the benefit it brings. You don't go cloud just because. You go cloud when there's a benefit to doing so.

      That's been my point all along. You have something which brings a reward and you weigh it against the risk. The OP assumed all risk and no reward which was false and then compared it to another activity without analysing reward.

      So the analogy which would properly fit the OP's proposition is you're driving a car, vs driving a car blindfolded. In that regard he would be right, you'd be mad to do the high-risk activity without reward.

    22. Re:No, just no. by geogob · · Score: 1

      How do you know any of that is true?

      For a customer you can easily have a tour arranged. You can meet with your account manager regularly. You'll know the people assigned to your account.... Your agent can just tell you since we all go on tours.

      A tour. Is this middle school? Sure, a tour is nice and fun... and always gives you a good impression, because that's what tours are for. Let's be honest, no company would allow, let alone offer, tours if it had any risk of leaving a bad impression on potential customers. But if you are touring through a corporate Disney park, that they won't say.

      The only way to verify what the previous poster addresses is through regular audits covering all facets of production, management, troubleshooting, etc. You need to talk to those workers that the provider will not put in front of the customer during the touristic tour. You need to review their experience, work methods, communication methods and so on. No company in the world would allow a client to perform such audits, except maybe if the client is ESA or the USAF or something like that.

      And now we are speaking only about competence. Whether the provider plays (willingly or not) hand in hand with intelligence agencies is yet another question, one you will never find the answer to unless there's another leak. But you can probably bet your ass that every god damned intelligence agency is either deep within your cloud provider or trying to get there. From the NSA to North Korea, with China, Russia and Israel. They are all there, waiting for your sensitive data. What else do you expect when you concentrate data in large data centers which are fully accessible in the open world?

      You obviously still like bedtime stories. In the meanwhile, I'll leave my sensitive data off the hands of cloud.

    23. Re:No, just no. by jbolden · · Score: 1

      Let's be honest, no company would allow, let alone offer, tours if it had any risk of leaving a bad impression on potential customers.

      It is not so much a bad impression or good impression, it is an accurate impression. Obviously they are going to spin things positively. But it is not to their advantage for the customer to not know the upsides and downsides. They don't want to sell services they can't provide. So for example if the data center offers 24/7 smart hands they will present that. If they offer 8/5 smart hands they aren't going to claim 24/7. If they have 2 weeks of oil on hand they will want to present that; if they only have 4 days they aren't going to claim 2 weeks.

      No company in the world would allow a client to perform such audits

      Not true. Remember that quite often the IaaS provider and the underlying colo are separate. So for example if AWS is hosting out of location X, the colo company for X (say QTS for example) is going to be audited by Amazon. QTS might very well show you the result of the Amazon audit. Even better is if a bank colos there.

      Whether the provider plays (willingly or not) hand in hand with intelligence agencies is yet another question... You obviously still like bedtime stories. In the meanwhile, I'll leave my sensitive data off the hands of cloud.

      Assume the answer is any colo provider you go to will work with USA intelligence agencies. But so will your technical staff. Nothing you do will stop domestic intelligence agencies. As for foreign though, the IaaS companies often offer far better security than your company could ever afford.

      But intelligence agencies aren't the real threat. Your facility is likely vastly less secure than the worst of the commercial colos; you are making it much easier to get spied on by thieves.

      You don't get audited by anyone serious.

  4. Um... by fahrbot-bot · · Score: 2

    ... information is more likely to be accidentally emailed out to the wrong address then hacked.

    ... "then" or "than" ? Because they're different.

    --
    It must have been something you assimilated. . . .

    1. Re:Um... by Anonymous Coward · · Score: 0

      No... I am pretty sure they meant "then", as in...

      ... [cloud] information is more likely to be accidentally emailed out to the wrong address, then hacked.

    2. Re:Um... by Anonymous Coward · · Score: 0

      Eye sea watt ewe did their

    3. Re:Um... by Anonymous Coward · · Score: 0

      wrong. if you are comparing 2 things, as to which is more likely, then it would be than. Don't be such a dope.

    4. Re:Um... by Anonymous Coward · · Score: 0

      Wrong. I think we should take expressions from people exactly as they were written. After all, aren't we taught that everyone is a unique snowflake? Shouldn't we highly value individualism and not assume everyone is a complete fucking idiot?

      So, assuming the submitter is not a complete fucking retard who can't spell properly, he must have meant that information in fact is emailed out and on top of that, hacked.

      Yeah, he forgot a comma. Big fucking deal.

    5. Re:Um... by plopez · · Score: 1

      Antonin is that you?

      --
      putting the 'B' in LGBTQ+

  5. Cloud can be more secure... by Anonymous Coward · · Score: 0

    ...if the platform is accredited, properly maintained and the security team are good. Just because it's in-house doesn't mean it's secure. The contrary is also true. Moot point from itworld.com. Who woulda thought it?

  6. obvious ad by jarkus4 · · Score: 4, Insightful

    advertisement in pretty clear form.
    "I went to this company conference and they told me they're cool and I have nothing to worry when storing my data on their great services"

    1. Re:obvious ad by Anonymous Coward · · Score: 0

      I know my data is secure because the rep said they encrypt my data on their servers.

    2. Re: obvious ad by Anonymous Coward · · Score: 0

      Hah, this is just the thing an upper management type reads, and before you know it your finance dept is uploading everything but the kitchen sink, unencrypted files and Excel docs with passwords in them, to a cloud drive.

    3. Re:obvious ad by plopez · · Score: 1

      They double rot 13 encrypt it just to be safe....

      --
      putting the 'B' in LGBTQ+

  7. What?!?! by freeze128 · · Score: 1

    "Insane" is too sane a word to describe this.

  8. Once all the data is in the cloud... by tlambert · · Score: 1

    Once all the data is in the cloud... the only data breaches will be to the cloud itself. Because it becomes a tasty, tasty target.

    I'm also positive that government regulators couldn't possibly find financial irregularities by grabbing your documents from the cloud service provider, since there's no such thing as contradictory laws which make it impossible to not be in violation of one or the other of them...

    1. Re:Once all the data is in the cloud... by Ungrounded+Lightning · · Score: 1

      ... government regulators couldn't possibly find financial irregularities by grabbing your documents from the cloud service provider, ...

      The courts said you have no expectation of privacy once you put your data in the hands of a third party. Great! Let's convince all those "evil corporations" to store all their data in the cloud. Then the government can go after them any time they want. B-b

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way

  9. What if I told you... by xxxJonBoyxxx · · Score: 3, Interesting

    ...that most "brick and mortar" banks have been outsourcing their "back end" account management (i.e., your money) to "the cloud" for decades? (OK, back in the day, no one called it "the cloud," but it was the same damn concept.)

    What else do you think EDS, FIS, Fiserv, Jack Henry, etc. have been doing all these years?

    1. Re:What if I told you... by l0n3s0m3phr34k · · Score: 1

      EDS hasn't done anything for several years... since it hasn't actually existed as a company in a while. I, however, still have an EDS license plate, and work with many former EDS people at the old SABRE center (now owned by HP). With the "spin-off" of HP Enterprise, we're all assuming it will also not be HP for much longer either...

    2. Re:What if I told you... by Anonymous Coward · · Score: 0

      Two points:
      1) Outsourcing business processes to a different company is not really the same as "the Cloud", at least not in the beginning. If that company's sole purpose is ensuring your business processes, you're lucky as long as better prospects don't come along. Banks all share the same business processes and so have used common vendors for ages. Again: This is not "the Cloud". As it happens today, banks have found better prospects than serving private customers and vendors to banks have found better prospects than just serving banks. So how long will this work or not? Who knows. All we know is it's changing and every entity you work with (hello Microsoft!) will in the future choose someone else than you.

      2) Having worked for a vendor to banks for the core and peripheral systems for nearly a decade, I can tell you you wouldn't want to be their customer. Outsourcing is done to separate cost, risk and complexity, and it really shows underneath the opaque hood...

    3. Re:What if I told you... by Oligonicella · · Score: 1

      Writing software which was then mostly run in house on data stored in house. Smarter banks had teams that did the installation and maintenance in house as well. In the banks I spent those same decades you mention contracting for, they rented their wire transfer software (which I worked on) and we had complete access to the source code and managed the compilations, and never once did the financial data leave bank systems for storage. Even the backup machinery was bank owned. Hell, when it was still being used, even the microfiching was in house.

  10. bullshit by Gravis+Zero · · Score: 4, Insightful

    Is data in the cloud vulnerable? Well, yes, all data everywhere is theoretically vulnerable and the cloud is no exception.

    "the cloud" has proven time and time again to be not just vulnerable but exceedingly vulnerable to attack. what's worse is that companies are under no obligation to tell you when (not if) they get hacked. worse yet, they aren't held responsible for getting hacked, so all you can do is switch to a new "cloud provider" and pray it doesn't happen again.

    --
    Anons need not reply. Questions end with a question mark.

    1. Re:bullshit by Anonymous Coward · · Score: 1

      "the cloud" has proven time and time again to be not just vulnerable but exceedingly vulnerable to attack.

      That wouldn't even be my biggest worry with hosting financial data in someone else's computer (let's call it what it is, guys). The big worry is the guy who owns the someone else who owns the computer snooping through said computer to find out how a company they own that competes with you can outperform you in the market.

      It's not a "what if?", it's guaranteed this will happen. In fact it's guaranteed this is already happening. Only a complete idiot thinks Google (for example) is not using Google docs and gmail to spy on competitors to future business ventures.

  11. There is a saying ... by Taco+Cowboy · · Score: 2

    ... that 99.999% of the humans are idiots

    At first I did not think much of that saying, but, reading TFA, especially the part about "... people realize that information is more likely to be accidentally emailed out to the wrong address then hacked ..." makes me wonder if there is a need for something far worse than the word "idiot"

    --
    Muchas Gracias, Señor Edward Snowden !

    1. Re:There is a saying ... by Hognoxious · · Score: 1

      Ediotor?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."

    2. Re:There is a saying ... by Jane+Q.+Public · · Score: 1

      This really is the problem.

      The vast majority of private data leaks were due to HUMAN error... not vulnerability to hacks. That means that even if your site isn't hacked, some bozo working for the company you're supposed to TRUST is intentionally or accidentally giving out the information on your 12-year-old daughter.

      People REALLY need to get it through their heads that the serious flaws aren't in the technology, they're in THE PEOPLE who implement it. A seriously hack-proof database is still going to get spilled, by idiotic corporate bureaucratic errors or even just employee theft.

    3. Re:There is a saying ... by grep+-v+'.*'+* · · Score: 2

      Where I used to work, there were a few short terms for idiots who ignored or violated security standards: CEO, CFO, Legal, etc. They'd pass all these security measures for protecting data, and then say, "Oh, but not for me."

      One of them had their RSA keyfob security code statically set at "111111" because it was just too hard to type in the digits (or they changed too quickly, I forget which.)

      He got written up in the security exception reports and such, but was high enough to be able to override it.

      At least it wasn't the code to the planetary air shield generator: 12345.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?

    4. Re:There is a saying ... by kilfarsnar · · Score: 1

      At least it wasn't the code to the planetary air shield generator: 12345.

      That's amazing! I've got the same combination on my luggage!

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)

    5. Re:There is a saying ... by hawguy · · Score: 1

      Where I used to work, there were a few short terms for idiots who ignored or violated security standards: CEO, CFO, Legal, etc. They'd pass all these security measures for protecting data, and then say, "Oh, but not for me."

      One of them had their RSA keyfob security code statically set at "111111" because it was just too hard to type in the digits (or they changed too quickly, I forget which.)

      He got written up in the security exception reports and such, but was high enough to be able to override it.

      At least it wasn't the code to the planetary air shield generator: 12345.

      How did he get RSA to custom produce a keyfob with static numbers?

    6. Re: There is a saying ... by Anonymous Coward · · Score: 0

      The RSA server lets you assign static codes.

  12. email vs hacked by Anonymous Coward · · Score: 0

    You accidentally email one record or a few... or a hundred... With a hacked site, your entire database is compromised. Worse, you do not know if the data has been manipulated in any way. Good luck.

  13. "accidentally" by Anonymous Coward · · Score: 0

    "people realize that information is more likely to be accidentally emailed out to the wrong address then hacked."

    I worked on an HR project where we had to encrypt data and send it to the vendor (a big name-- think of a couple of huge banks or insurance companies, and it was probably one of them). The specs on my side said I couldn't keep the decrypted data, I could only encrypt and send and archive the encrypted data.

    So... for the first production run, the vendor decrypted the data, then emailed it back to the entire project team to see if it was right. This was names, family members/relationships, addresses and SSNs for about ten thousand people.

    1. Re:"accidentally" by cbiltcliffe · · Score: 1

      So... for the first production run, the vendor decrypted the data, then emailed it back to the entire project team to see if it was right. This was names, family members/relationships, addresses and SSNs for about ten thousand people.

      One of my clients is a medical practice. They've got an internal, non-cloud practice management database, which is stored on a computer right in the office. They got an upgrade from the provider, as part of their service contract, which had a slightly different database format, which, for some reason, the provider hadn't written the program to upgrade by itself; it had to be run through an upgrade process at the provider's location.

      So, the provider's tech connects up using GoToMyPC, or something similar, goes into the program, exports the data, zips it up.... ...and then transfers the entire fucking thing over an unencrypted FTP connection.
      I should have been paying more attention, as it had almost finished the transfer when I looked and realized he was using plain FTP. I asked him if the zip file was password protected, and he kind of hummed and hawed before saying no. So, I tore a strip off him over the phone, and said if they ever did anything so stupid again, they'd get sued. Since they're not actually a cloud provider, with some indemnity terms in a contract, this seemed to hit home to him. At least the transfer back of the updated data was done over an encrypted connection.

      But this is exactly it. The third party provider doesn't give a shit, as it's not their data. Even this company I dealt with, that deals _only_ in medical software, and knows the regulations regarding protection of related data, as they bake lots of password protections and such into the software itself, didn't give a crap when dealing with the actual data themselves.

      Cloud providers are in the business of making money for cloud providers, while minimizing expenses in all areas. They are not in the business of securing your data, unless they can charge you extra for it. They are not in the business of ensuring your particular business succeeds. They are in the business of extracting money from you; that's all.

      --
      "City hall" in German is "Rathaus". Kinda explains a few things......
  14. instead of just posting here... by l0n3s0m3phr34k · · Score: 1

    I posted on their article itself... "Spreadsheets and email documents are a bigger threat than the cloud" Typical high-level executive thinking. There can only be one reason for anything, only one "real" reason and all else should be ignored. Because there is zero chance that BOTH email and the "cloud" are security issues...

    Just because an accountant is "satisfied" with marketing double speak about the "cloud", that just shows how clueless they are. If they think that offsite, connected storage is somehow "new" because it has a new name, then as an IT security professional this is quite scary. There isn't just "one" cloud, each service must be vetted, and the assumption here is that there must be some cloud provider that will not be found lacking.

    Next time there's a server security breach, I'll call my accountants to come fix it, right? Since they're now experts in compsec, and know the cloud is "safe"? The more critical financial information is placed up into a cloud, the more of a target it becomes. Do you want your info on the same service that Sony uses the next time North Korea decides to mess with them? That's a very real potential issue.

    1. Re:instead of just posting here... by turbidostato · · Score: 1

      "Just because an accountant is "satisfied" with marketing double speak about the "cloud", that just shows how clueless they are."

      Of course, anything new needs to be analyzed and put into perspective, but I really don't understand this rabid hate for cloud services except being afraid of losing job security (OK, "cloud" is marketspeech, then let's call it by its real name: outsourcing).

      Basically 99% of what's needed for our business is already outsourced: from building the place we are working in to most of our internal processes. Data safeguarding/management is only one more. After all, data about money can't be more important than money itself, and money safeguarding/management has already been outsourced to banks since, when? always?

      "Next time there's a server security breach, I'll call my accountants to come fix it right?"

      How's this any different to a physical bank security breach (aka robbery)? Next time the bank your accountants work with is robbed will you call them to fix the mess too?

      "The more critical financial information is placed up into a cloud, the more of a target it becomes."

      For an untargeted attack? Maybe yes, just like your money becomes more of a target when you put it in a bank along with a lot more money from other people. But targeted attacks? What would you prefer? Attacking a company's network to reach the data, or attacking a company's network just to know which company manages the company's data and after that attacking the outsourced company to get your hands on the data?

    2. Re:instead of just posting here... by kilfarsnar · · Score: 1

      After all, data about money can't be more important than money itself, and money safeguarding/management has already been outsourced to banks since, when? always?

      "Next time there's a server security breach, I'll call my accountants to come fix it right?"

      How's this any different to a physical bank security breach (aka robbery)? Next time the bank your accountants work with is robbed will you call them to fix the mess too?

      You should look into how much people trusted banks with their money before the advent of FDIC. People trust banks with their money because the government is insuring it against theft or loss. No such guarantee comes with Cloud storage.

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    3. Re:instead of just posting here... by turbidostato · · Score: 1

      "You should look into how much people trusted banks with their money before the advent of FDIC."

      This *is* a valid point. Just as current bank regulation and standards didn't grow overnight, these kinds of somehow novel services will need time to settle. Not an intrinsic problem of the services themselves but of their maturity status. But still you see the vast majority of critics are directed at the services themselves, not their development status.

      You see, one can somehow compare current cloud services' situation to that of banking in the 17th or 18th century, and the critics here, instead of saying "banking is a good thing but beware it still has quite some rough corners", are saying "Banking? It's a bluff, there's no way anybody sensible will ever put his money and confidence in them".

    4. Re:instead of just posting here... by jbolden · · Score: 1

      Do you want your info on the same service that Sony uses the next time North Korea decides to mess with them? That's a very real potential issue.

      Sony was hacked because they were utterly incompetent and didn't believe they would ever be subject to an APT-type attack. Financials, pharmaceuticals, social networks... have no doubts they will be subject to APT-type attacks. So were Sony on a cloud, Sony likely isn't successfully hit at all. Nothing happens other than the ineffective attacks the internet infrastructure has to repel every day.

    5. Re:instead of just posting here... by jbolden · · Score: 1

      People trust banks with their money because the government is insuring it against theft or loss. No such guarantee comes with Cloud storage.

      Yes they do. There are many auditing agencies that supervise and audit clouds. For example, once a cloud provider has agreed to be a data partner they become subject to HIPAA, and there are insurance programs you can buy that include data breach.

    6. Re:instead of just posting here... by l0n3s0m3phr34k · · Score: 1

      I did a bit of research on it, the "SpiritWORLD" media system was written by (from what I can tell) five Indian contractors. It's some SAP / Oracle media DB app and it was part of the initial breach in Brazil that they ignored. Well, they didn't totally ignore it...part of their IT noticed something, they told someone else, and then whoever they escalated it to ignored it. I'd guess someone managed to get some video on it that called out to a pre-infected codec, probably by spoofing an email address and sending a video to someone in Brazil. I'll also bet that the GOP knew that Brazil has no laws regarding security breaches and that was a major reason they chose this country (as opposed to the other 22 countries SpiritWORLD serves for Sony).

    7. Re:instead of just posting here... by jbolden · · Score: 1

      GOP in the above is whom? I'm assuming you don't mean Republicans.

  15. Now you have two problems by Anonymous Coward · · Score: 0

    people realize that information is more likely to be accidentally emailed out to the wrong address then hacked.

    Er, you can still accidentally email stuff out to the wrong address if it's stored in the cloud.

    So now you have two problems.

    This type of analysis only makes sense if the cloud prevents the former exposure but creates a new, smaller, exposure. If it just creates more risk then it doesn't matter how that risk compares to other risks, the overall risk is still greater. So the best you can say is, "use the cloud, it might not make anything worse".

    This is obviously some kind of slashvertisement.

  16. Captain! She can't take no more! by PDX · · Score: 1

    When I read this title: ENTERPRISE in cloud stood out. What happens when it rains? Clouds are notorious for dropping stuff on us helpless mortals.

    1. Re:Captain! She can't take no more! by Anonymous Coward · · Score: 0

      Unfortunately, enterprise software and IT solutions are sullying the good name of the U.S.S. Enterprise. In the software world, "enterprise" is a synonym for "crap". Scotty would be ashamed.

    2. Re:Captain! She can't take no more! by Anonymous Coward · · Score: 0

      I always associated cloud software with vapourware :)

  17. It's a matter of trust by Anonymous Coward · · Score: 1

    "Cloud" has morphed into a buzz word that providers want you to believe means "all your IT problems and costs replaced by a simple monthly fee", but in reality it's a private company that will lease you access to their private equipment which you can access through the Internet. Ignoring the same issues that exist with cloud or on-premises servers (administration, software updates etc.), the issue is how you can trust the cloud provider's staff. If you haven't encrypted your cloud data it's physically accessible to the engineering staff at the provider. One important layer of security, physical access, has been stripped away. If your data is sensitive, do you trust that your cloud provider's hiring policy is aligned perfectly with your own?

  18. Great for lawsuits and discovery. by 140Mandak262Jamuna · · Score: 1
    If company A gets sued by someone planning to use the discovery process as a fishing expedition, A will fight it very hard, demand to see the court orders and will do everything possible to comply with the letter of the court order while defying it in spirit. No one thinks A will just let the discovery process go unimpeded. A will do anything short of being convicted (not merely accused) of obstruction of justice. And it would cost money and it would take considerable risk.

    If company B has a cloud provider C with an ironclad contract to do everything possible to protect B's data, and B gets sued and C is dragged into the discovery process, how hard would C fight the fishing expedition? C will minimize its risk, its costs. Despite whatever the contract with B says, it is going to cooperate and will protect B's data only to the extent B will be able to prove negligence on the part of C.

    If some cloud provider provides only the administrative and maintenance services, but the physical servers are in your premises, with access controlled by you, discovery controlled by you, it is not a good idea to outsource it to the cloud provider.

    I find many software development companies outsource the entire planning, scheduling and development process to third party companies like $agiledev.com or $rapid.deployment.com or $general.scrum.com. Very very fertile ground for patent lawyers to launch archaeological expeditions, years after the fact, claiming IP violations of submarine patents.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Great for lawsuits and discovery. by jbolden · · Score: 1

      This is somewhat true. Let's narrow a bit. First, we are talking civil discovery only, and then that's just an argument against IaaS vs. colo though. Obviously for a criminal case where the government is seriously pissed, i.e. the government issues a warrant and seizes the servers, they will get the data in either case. Also don't kid yourself: once they take the servers your IT staff can be terrified by "obstruction" type charges and will help them get data.

      OK so with that off the table. If you intend to stay close to or over the line with discovery, breaking apart the management of the service and the physical service makes it easier to avoid discovery because you have three parties that can legally block one another. A can say B knows, B can say C knows and C can say A knows. That's even better than having the in-house staff obstruct discovery, where a judge is more likely to find the company liable.

      I should also mention that companies that are frequently subject to discovery, BTW, often have the opposite problem: getting middle management and lower management to admit wrongdoing to legal. Often during discovery those people are hiding documents trying to "help" the company when in reality they are creating a problem of what looks like not complying with the court.

      So at best you are making an argument for colo + MSP over IaaS.

  19. Oh FFS by Anonymous Coward · · Score: 1

    For goodness sakes, we've JUST HAD a massive hack of a Government resource of personal information, and this article is trying to convince us that the probability of a hack occurring and causing grief is not really within the realms of possibility.

    Keep in mind that the Government works for itself, is not profit driven and has a vested interest in security (if only because breaches look bad in the public eye). Private organizations only have eyes for the $ and will cut corners if they think they can get away with it, which makes things even more likely that your data will be spilled. What a fucking tosspot of an article.

    1. Re:Oh FFS by david_thornley · · Score: 1

      Why do you think the government is that strict about security? The people making the decisions usually aren't held responsible. Government agencies have often been listed as having terrible security by the GAO.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  20. regulatory aspects by Anonymous Coward · · Score: 0

    How does this pass the regulatory tests? I have yet to see a cloud service prove that they cannot access any data that I would store in their equipment. Providers claim to encrypt and protect all of the data, but how do we know that they absolutely cannot access it?

    Furthermore, can they prove that they do not keep copies once I have removed the data? Do we want them keeping copies for the NSA, FBI, CIA, etc to eventually crack the encryption to view?

    1. Re:regulatory aspects by tippen · · Score: 1

      You shouldn't trust the cloud providers. Even if the CSP and its employees are trustworthy, if they get a court order or double-secret-probation security letter, they have to turn the data over.

      Whether that matters or not depends on what you are doing with the cloud though. If you are using cloud storage as a "big scalable drive in the sky", then you just need to encrypt the data on-premises where YOU control the encryption keys. Server(cloud)-side encryption helps with hackers, but not against three letter agencies.

      Just using encryption to transport the data isn't enough. The data itself needs to be encrypted before it goes to the cloud. As long as you do that, you can take advantage of the cloud provider's cost structure and save yourself some significant $$$ without risking your data.

    2. Re:regulatory aspects by turbidostato · · Score: 2

      *You shouldn't trust the cloud providers. Even if the CSP and its employees are trustworthy, if they get a court order or double-secret-probation security letter, they have to turn the data over.*

      You *shouldn't* trust banks. Even if the bank and its employees are trustworthy, if they get a court order, they have to lock your accounts and/or hand your money to the government.

    3. Re:regulatory aspects by jbolden · · Score: 1

      Do we want them keeping copies for the NSA, FBI, CIA, etc to eventually crack the encryption to view?

      If the NSA, FBI, CIA ask for a copy of your data your IT staff will give it to them. Don't kid yourself. Your IT staff is not going to jail for their "at will" employer.

      I have yet to see a cloud service prove that they cannot access any data that I would store in their equipment.

      There are plenty of cloud providers with very rigorous controls and audit reports. That is readily available. Not from Amazon (but even they are getting better) but Sungard, Oracle cloud, Verizon cloud, Firehost... You are asking for a standard feature.

  21. Nude photos by BringMyShuttle · · Score: 1

    Wot me worry? Let me rewrite OP:

    > For many, the idea of storing nude photos and other data in the cloud seems insane, especially considering the regulatory aspects that mandate how that data is protected. But more and more organizations are doing so as cloud providers start presenting offerings that fulfill regulatory needs — and people realize that nude photos is more likely to be accidentally emailed out to the wrong address then hacked.

    And OP was stupid before I changed it to nude photos, e.g. "regulatory aspects that mandate how that data is protected". Is there a regulation for absolute security now? This doesn't even pass the think-about-it-for-10-seconds test.

  22. dumbest thing by Anonymous Coward · · Score: 0

    Sure, I am just aching to make all my corporation's financial information and R&D ideas readily available for every criminal organization in the world, from the NSA, FBI, Chinese government, Russian government, French Government, ...

  23. Scary by jon3k · · Score: 1

    It's scary how much more faith most of you put in some random IT department than the engineers at cloud providers. For every hacked provider using the cloud, there are 10 that had their own internal systems hacked.

    Have you ever met anyone who worked in corporate IT? As someone who works in corporate IT let me tell you, 99% of them are idiots. And that's being polite. Your data isn't any safer in their hands than Google's.

  24. I love Cloud to Butt by neminem · · Score: 1

    Title: "Put Your Enterprise Financial Data In my Butt? Sure, Why Not"

    The tag-line to the dullest porn *ever*.

  25. my cloud idea by Some_Llama · · Score: 1

    A hosting platform for your company's secret patent and financial data: you store it on my servers, I sell it off to your competitors, the company is closed and I go retire... Since it's an American corporation I won't be held liable for my subterfuge; worst case I blame it on "hackers".

  26. Citation please? by Anonymous Coward · · Score: 0

    "...and people realize that information is more likely to be accidentally emailed out to the wrong address than hacked."

    I guess I've missed the studies that show this fact? In my experience, my personal data has been accidentally mailed out once that I know of and hacked from banks/stores/sites more than 45 times at current count. Note, I'm including the email addresses, since I give every single site that asks for an email address a unique one to track how quickly they lose control of (or sell) them. One of the most disappointing was the email address I gave to Experian, which was used within two weeks to send porn spam and now collects about 40 spam per day from various campaigns.

  27. Lingo by Anonymous Coward · · Score: 0

    First it said then, then than.
    I'd rather have it say than than then so I'm happy.

  28. But don't answer yet! by ebvwfbw · · Score: 1

    I'm working at a government agency as a contractor. Not only do they want to outsource the servers, e-mail, v-mail, they even want to outsource the desktop. No, really. When we log in, we're actually firing up a Win license for our desktop to run the local VDI stuff to get to the real desktop (somehow we're saving licenses, though we aren't). You can't do anything with the local box other than run the VDI client. That desktop, another license or so, actually runs our stuff. This is for an agency of more than 5000 people. Guess just how much bandwidth that'll be.

    Can't talk them out of it, even though our local cloud desktop solution has been a disaster.

    Then if the cloud provider goes belly up, we're done. Bought out, fire, cut wire, you name it. Oh, and I've seen their "security". Ha. The RedHat machine I checked out hadn't even been updated in a year. The Win 2012 server was the CD experience. Supposedly "FedRAMP" compliant. Yeah, not so much. They also have all of our data, who knows where.

    But don't worry, they're taking care of us. Just go to google news, type in OPM. Check out the incompetence all the way around. They even talk about the IRS that allows a password of password. No kidding. I'd think you'd at least have to make it Password. At least bring it into the 1990s.