Put Your Enterprise Financial Data In the Cloud? Sure, Why Not
jfruh writes: For many, the idea of storing sensitive financial and other data in the cloud seems insane, especially considering the regulatory aspects that mandate how that data is protected. But more and more organizations are doing so as cloud providers start presenting offerings that fulfill regulatory needs — and people realize that information is more likely to be accidentally emailed out to the wrong address than hacked.
Emailed out, and then hacked! It's a one-two punch of bad luck!
Yeah, what's the point of security when someone can just email stuff?
Let's just give up.
Nothing goes into "the cloud". I'm slowly getting sick of this cloud hype. In most cases it's useless and it's only a security risk - a risk no one can really weigh, as the cloud is often maintained by an external provider.
... information is more likely to be accidentally emailed out to the wrong address than hacked.
It must have been something you assimilated. . . .
advertisement in pretty clear form.
"I went to this company conference and they told me they're cool and I have nothing to worry about when storing my data on their great services"
"Insane" is too sane a word to describe this.
Once all the data is in the cloud... the only data breaches will be to the cloud itself. Because it becomes a tasty, tasty target.
I'm also positive that government regulators couldn't possibly find financial irregularities by grabbing your documents from the cloud service provider, since there's no such thing as contradictory laws which make it impossible not to be in violation of one or the other of them...
...that most "brick and mortar" banks have been outsourcing their "back end" account management (i.e., your money) to "the cloud" for decades? (OK, back in the day, no one called it "the cloud," but it was the same damn concept.)
What else do you think EDS, FIS, Fiserv, Jack Henry, etc. have been doing all these years?
Is data in the cloud vulnerable? Well, yes, all data everywhere is theoretically vulnerable and the cloud is no exception.
"The cloud" has proven time and time again to be not just vulnerable but exceedingly vulnerable to attack. What's worse is that companies are under no obligation to tell you when (not if) they get hacked. Worse yet, they aren't held responsible for getting hacked, so all you can do is switch to a new "cloud provider" and pray it doesn't happen again.
Anons need not reply. Questions end with a question mark.
... that 99.999% of the humans are idiots
At first I did not think much of that saying, but, reading TFA, especially the part about "... people realize that information is more likely to be accidentally emailed out to the wrong address than hacked ...", makes me wonder if there is a need for something far worse than the word "idiot".
Muchas Gracias, Señor Edward Snowden !
I posted on their article itself... "Spreadsheets and email documents are a bigger threat than the cloud" Typical high-level executive thinking. There can only be one reason for anything, only one "real" reason and all else should be ignored. Because there is zero chance that BOTH email and the "cloud" are security issues...
Just because an accountant is "satisfied" with marketing double speak about the "cloud", that just shows how clueless they are. If they think that offsite, connected storage is somehow "new" because it has a new name, then as an IT security professional this is quite scary. There isn't just "one" cloud, each service must be vetted, and the assumption here is that there must be some cloud provider that will not be found lacking.
Next time there's a server security breach, I'll call my accountants to come fix it, right? Since they're now experts in compsec, and know the cloud is "safe"? The more critical financial information is placed up into a cloud, the more of a target it becomes. Do you want your info on the same service that Sony uses the next time North Korea decides to mess with them? That's a very real potential issue.
When I read this title: ENTERPRISE in cloud stood out. What happens when it rains? Clouds are notorious for dropping stuff on us helpless mortals.
"Cloud" has morphed into a buzzword that providers want you to believe means "all your IT problems and costs replaced by a simple monthly fee", but in reality it's a private company that will lease you access to their private equipment which you can access through the Internet. Ignoring the same issues that exist with cloud or on-premises servers (administration, software updates etc.), the issue is how you can trust the cloud provider's staff. If you haven't encrypted your cloud data it's physically accessible to the engineering staff at the provider. One important layer of security, physical access, has been stripped away. If your data is sensitive, do you trust that your cloud provider's hiring policy is aligned perfectly with your own?
If company B has a cloud provider C with an ironclad contract to do everything possible to protect B's data, and B gets sued and C is dragged into the discovery process, how strongly would C fight the fishing expedition? C will minimize its risk, its costs. Despite whatever the contract with B says, it is going to cooperate and will protect B's data only to the extent B will be able to prove negligence on the part of C.
If some cloud provider provides only the administrative and maintenance services, but the physical servers are in your premises, with access controlled by you, discovery controlled by you, it is not a good idea to out source it to the cloud provider.
I find many software development companies outsource the entire planning, scheduling and development process to third party companies like $agiledev.com or $rapid.deployment.com or $general.scrum.com. Very very fertile ground for patent lawyers to launch archaeological expeditions, years after the fact, claiming IP violations of submarine patents.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
For goodness sakes, we've JUST HAD a massive hack of a Government resource of personal information, and this article is trying to convince us that the probability of a hack occurring and causing grief is not really within the realms of possibility.
Keep in mind that the Government works for itself, is not profit driven and has a vested interest in security (if only because breaches look bad in the public eye). Private organizations only have eyes for the $ and will cut corners if they think they can get away with it, which makes things even more likely that your data will be spilled. What a fucking tosspot of an article.
Wot me worry? Let me rewrite OP:
> For many, the idea of storing nude photos and other data in the cloud seems insane, especially considering the regulatory aspects that mandate how that data is protected. But more and more organizations are doing so as cloud providers start presenting offerings that fulfill regulatory needs — and people realize that nude photos are more likely to be accidentally emailed out to the wrong address than hacked.
And OP was stupid before I changed it to nude photos, e.g. "regulatory aspects that mandate how that data is protected". Is there a regulation for absolute security now? This doesn't even pass the think-about-it-for-10-seconds test.
You shouldn't trust the cloud providers. Even if the CSP and its employees are trustworthy, if they get a court order or double-secret-probation security letter, they have to turn the data over.
Whether that matters or not depends on what you are doing with the cloud though. If you are using cloud storage as a "big scalable drive in the sky", then you just need to encrypt the data on-premise where YOU control the encryption keys. Server(cloud)-side encryption helps with hackers, but not against three letter agencies.
Just using encryption to transport the data isn't enough. The data itself needs to be encrypted before it goes to the cloud. As long as you do that, you can take advantage of the cloud provider's cost structure and save yourself some significant $$$ without risking your data.
So... for the first production run, the vendor decrypted the data, then emailed it back to the entire project team to see if it was right. This was names, family members/relationships, addresses and SSNs for about ten thousand people.
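The point made above (and earlier, about provider staff reading unencrypted data at rest) is that the data must be sealed on-premise, under a key the provider never receives, before it is uploaded; transport encryption alone leaves plaintext sitting at the provider. The following is an added example, not code from the article or any commenter, using Go's standard-library AES-GCM; the record name, the sample ledger row and the key generation are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUpload seals plaintext under a key that never leaves your premises.
// The blob (nonce || ciphertext || tag) is all the provider ever stores; aad binds
// it to the record name so stored blobs cannot be swapped for one another.
func EncryptForUpload(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptFromDownload reverses EncryptForUpload; a wrong key, a modified blob
// or a mismatched aad fails the GCM tag check and yields an error, not garbage.
func DecryptFromDownload(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

func main() {
	key := make([]byte, 32) // constructed: generated and kept on-premise only
	io.ReadFull(rand.Reader, key)
	blob, _ := EncryptForUpload(key, []byte("acct,balance\n1001,250.00"), []byte("ledger.csv"))
	fmt.Printf("provider holds %d opaque bytes and no plaintext\n", len(blob))
}
```

The provider, a court order served on it, or a curious engineer can only obtain the blob; whoever holds the key on-premise still has to protect and back it up, since losing it loses the data.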
One of my clients is a medical practice. They've got an internal, non-cloud practice management database, which is stored on a computer right in the office. They got an upgrade from the provider, as part of their service contract, which had a slightly different database format, which for some reason, the provider hadn't written the program to upgrade by itself; it had to be run through an upgrade process at the provider's location.
So, the provider's tech connects up using GoToMyPC, or something similar, goes into the program, exports the data, zips it up.... ...and then transfers the entire fucking thing over an unencrypted FTP connection.
I should have been paying more attention, as it had almost finished the transfer when I looked and realized he was using plain FTP. I asked him if the zip file was password protected, and he kind of hummed and hawed before saying no. So, I tore a strip off him over the phone, and said if they ever did anything so stupid again, they'd get sued. Since they're not actually a cloud provider, with some indemnity terms in a contract, this seemed to hit home to him. At least the transfer back of the updated data was done over an encrypted connection.
But this is exactly it. The third party provider doesn't give a shit, as it's not their data. Even this company I dealt with, that deals _only_ in medical software, and knows the regulations regarding protection of related data, as they bake lots of password protections and such into the software itself, didn't give a crap when dealing with the actual data themselves.
Cloud providers are in the business of making money for cloud providers, while minimizing expenses in all areas. They are not in the business of securing your data, unless they can charge you extra for it. They are not in the business of ensuring your particular business succeeds. They are in the business of extracting money from you; that's all.
"City hall" in German is "Rathaus" Kinda explains a few things......
*You shouldn't trust the cloud providers. Even if the CSP and its employees are trustworthy, if they get a court order or double-secret-probation security letter, they have to turn the data over.*
You *shouldn't* trust banks. Even if the bank and its employees are trustworthy, if they get a court order, they have to lock your accounts and/or hand your money to the government.
It's scary how much more faith most of you put in some random IT department than the engineers at cloud providers. For every hacked provider using the cloud there are 10 that had their own internal systems hacked.
Have you ever met anyone who worked in corporate IT? As someone who works in corporate IT let me tell you, 99% of them are idiots. And that's being polite. Your data isn't any safer in their hands than Google's.
Title: "Put Your Enterprise Financial Data In my Butt? Sure, Why Not"
The tag-line to the dullest porn *ever*.
If the NSA, FBI, CIA ask for a copy of your data your IT staff will give it to them. Don't kid yourself. Your IT staff is not going to jail for their "at will" employer.
There are plenty of cloud providers with very rigorous controls and audit reports. That is readily available. Not from Amazon (but even they are getting better) but Sungard, Oracle cloud, Verizon cloud, Firehost... You are asking for a standard feature.
A hosting platform for your company's secret patent and financial data: you store it on my servers, I sell it off to your competitors, the company is closed and I go retire... Since it's an American corporation I won't be held liable for my subterfuge; worst case I blame it on "hackers".
I'm working at a government agency as a contractor. Not only do they want to outsource the servers, e-mail, v-mail, they even want to outsource the desktop. No, really. When we log in, we're actually firing up a Windows license for our desktop to run the local VDI stuff to get to the real desktop (somehow we're saving licenses, though we aren't). You can't do anything with the local box other than run the VDI client. That desktop - another license or so - actually runs our stuff. This is for an agency of more than 5000 people. Guess just how much bandwidth that'll be.
Can't talk them out of it, even though our local cloud desktop solution has been a disaster.
Then if the cloud provider goes belly up, we're done. Bought out, fire, cut wire, you name it. Oh, and I've seen their "security". Ha. The Red Hat machine I checked out hadn't even been updated in a year. The Win 2012 server was the CD experience. Supposedly "FedRAMP" compliant. Yeah, not so much. They also have all of our data, who knows where.
But don't worry, they're taking care of us. Just go to google news, type in OPM. Check out the incompetence all the way around. They even talk about the IRS that allows a password of password. No kidding. I'd think you'd at least have to make it Password. At least bring it into the 1990s.