Think Your Enterprise Data is Safe in a Public Cloud? Consider Your Personal Shopping Experience
A great debate has emerged over security within public versus private cloud environments. Much of the information available is a high-level breakdown such as “things you should know” or a focus on compliance, be it Sarbox, HIPAA or FIPS. The reality is much murkier – and far more likely to cause an information leak – but less talked about. There’s usually not much of a debate, even among public cloud supporters, that security is better in a private cloud. They point to the risk-reward payoff, i.e., public cloud being cheaper, as the main argument.
For enterprise applications, I am a private cloud proponent – and it’s not because that is what we have with Concerto Cloud Services. It’s because we spent months thoroughly researching customer needs and security requirements and came to the conclusion that the Amazons (and other public cloud providers) of the world simply do not protect your sensitive data. Period.
Now, I admit that I use many online retail stores including Amazon. One of the last things I ordered was a pair of hiking boots. I love hiking, and I’m willing to pay extra to ensure my feet aren’t screaming at me by the end of the day. I was planning a rather arduous series of hikes in Yosemite, so I carefully researched hiking boots on and off over a period of a couple weeks to make sure I got it right and that my feet would be kept dry, safe and comfortable.
Funny thing, I began to notice that I received a larger than normal e-mail flow on – you guessed it – hiking boots. I would visit a news site like CNN and sure enough, the ads to the right would be for hiking boots. I would then get information related to backpacks, GPS’s and anything else a hiker might need.
What Amazon Can Teach You About Cloud Security.
All of this came about because I simply typed a few words into a search browser. Mark Herschberg, CTO at Madison Logic, a New York-based company that provides data for advertisers, recently stated, “There are thousands of companies out there collecting information on customers, and together they are really aggregating quite a bit of data. Google is reading through your email. Amazon is looking at not just what you buy but what you shop for.”
There are countless news outlets covering the NSA, Amazon, Google, Facebook and others accused of collecting information without consent. In one of two wiretapping cases against Google, the company is accused of using “Gmail as its own secret data-mining machine, which intercepts, warehouses, and uses, without consent, the private thoughts and ideas of millions of unsuspecting Americans who transmit e-mail messages through Gmail.” All of this happens because companies pay public cloud providers to give them access to your data – to essentially send customers to their websites and order entry pages. Your company might even be one of them, and that’s great. I get it – it's marketing.
Now think about the highly sensitive information you have stored in your accounting and ERP system. Customer and employee data. Buying patterns made easily discernible. Information on who pays what and how quickly they pay. Regulated data. It is a veritable goldmine, and multi-tenant cloud providers like Amazon, Google and others will be jockeying for a position in line to house your precious data. The prices for public cloud services are too good to be true, right?
The reality is that sensitive data in a public cloud is a risk, and buyers should understand the security protocols even when dealing with private cloud providers. Regulations on data collection and consent are murky at best, and even the best of companies have had cases of data “abuse”. In a study published in February 2013 by Scientific Reports, researchers were able to sort through location data (from social networks) on 1.5 million people and uniquely identify 95 percent of them based on four hours of tracking. If records can be matched with that level of accuracy in four hours, what could the data giants do with your company information?
While public cloud is recommended for some applications, enterprise applications dealing with sensitive data belong in a private cloud. I chose Solomon boots, by the way. They were fantastic – protected me properly and are high quality – and I’m glad I paid a little extra for the right product.
Learn more about the differences in cloud deployments and key questions to ask in our whitepaper: Some Clouds are Meant to be Private.