As someone who spends a lot of time perusing both Reddit and the now sadly defunct Google Reader (RIP!), I’m not personally surprised to start seeing a lot of discussions around whether corporations who outsource cloud storage or other services to third parties should be worried about privacy risks.
For example, an article this morning from the folks over at ZD brings up some great points about both the pros and cons about the great cloud race and how it could ultimately affect how data ownership is perceived.
That article can be found at http://www.zdnet.com/biz-face-trust-overdependency-issues-with-cloud-providers-7000017674/
There are some real significant points here. First, the minute you trust any third party with your data there has to be an understanding that there is going to be some kind of trade off. We see it all the time with availability, as when your provider goes offline, you are really at the mercy of their IT teams to get the environment up and running. This is why disaster recovery and business continuity are so critical when it comes to outsourcing resources that affect your production environment.
From a privacy perspective, the cloud provider is ultimately responsible for several key privacy and compliance requirements. First, when it comes to ensuring your data is protected from unauthorized access, a quick check of the SLA should clearly state who has access to you data (including technical folks, support folks and integrators). If they don’t clearly state these, it’s up to you to make sure you have it in writing. Last thing you want is someone accessing your data without your knowledge. This is where system back doors are usually hidden.
Second, encrypt. Yes, ensure that your environments are properly encrypted and that they are separated by logical barriers that are also protected. Extracting data from VMs on a shared hypervisor is not unheard of, and new attacks leverage the hypervisor itself which could affect the security posture of the individual VMs.
Third, read the fine print. Who owns your data once it goes offsite? Does the cloud provider own it? What access do they have to it? Most importantly, what can they do with it
If you go with a reputable cloud provider, these issues shouldn’t be new discussions for them. Everyone is concerned about privacy, and the providers also have strict compliance and security requirements. Use these, let them do the heavy lifting to give your organization a highly secure and compliant environment, and leverage it for your own data. It not only saves you the cost and headaches to build it internally (if you haven’t already), but they often have more skilled resources to manage it. The learning curve for cloud is steep for everyone involved, so as long as you have the ability to retain rights to your data and to move to another provider you can remain flexible as technologies and providers evolve.
After all, if your organization is leveraging a cloud provider to cut costs and become more efficient, there is no reason to not continue. The trick is really due dilligence on your part to ensure that whomever you trust your data with is worthy of trusting your overall organization with.