Wednesday, May 4, 2011

Episode 5: Cloudy with a chance for goofballs & legal headaches.

Cloud. Security. Two words consumers of the cloud want together, side by side. Hand in hand. In the early days of the cloud, it was the easiest card to pull to deter people from moving to the cloud. To some degree, it's less of an issue with the normalisation of 'cloud' (or is that rebranding of existing systems as cloud, another debate for another day) into every-day Internet services such as Google GMail, Apple iTunes, SalesForce, MSN Hotmail, & the countless other software-as-a-service or platform-as-a-service interactions we consume online.

And yet, a study released last week by the Ponemon Institute in conjunction with CA Technologies shows that in Europe 35% of I.T. professionals strongly agreed or agreed that I.T. leaders in their organisations are concerned about the security of cloud computing resources that is provided to their customers. That is utterly incredible. Not to mention utterly irresponsible. In the U.S. this figure was even lower at 23%. (To see a breakdown on the sampling, click here).

Even on the face of this set of statistics alone, in Europe a little over a third of people tasked with setting the I.T. agenda in businesses that deploy cloud services care about the security of use to be extended to their own customers. Some people when presented with this would be horrified & retreat further from ever going near the cloud. 

What is scarier again is that in Europe, approx. 46% of cloud service providers think that security is important when it comes to their operations & how they handle data, & the study went further to then suppose that security is not part of the reason people use their cloud services.

So, almost half the cloud providers in Europe have a complete disregard for the security of your personal data & assume because as a customer you don't state it up front, & the biggest reason to move to the cloud for people is to reduce cost, it's something they should disregard. Now, there's a train of thought (and legally bound via the Data Protection Act) here that says that as the owner of a business, you are ultimately responsible for the security of your customer information; i.e. credit cards, customer details etc.. This goes for the customer using Cloud services to enable their business, & also the cloud service provider.

Want the truly scary statistics? In a combined result of U.S. & European cloud providers just 37% responded they were either confident or very confident they could identify & authenticate users before granting access to services/data/systems, while 81% of that same sample said they were also confident or very confident they provided access to highly qualified I.T. security personnel.

81% said they can provide access to highly qualified I.T. personnel, yet those same people are only 37% confident in an absolute fundamental of security, leaving I.T. aside - access control; making sure the right people are able to access a resource & keeping the wrong people out. That is not only mind-blowing, but nothing short of disgraceful. Whatever about maintaining up-time, or performance, controlling access to the data of god knows how many people's personal information should at all times be paramount to absolutely everything else. There should be NOTHING more important than rigid controls on that aspect. Losing people's personal data through poor access control is the equivalent to leaving your house unlocked or unsecured.

I could go into further shocking details or summaries from the report, but I've linked it earlier in the article, & will close instead on the real crux of what I'm trying to get at here with these revelations.

You start an Internet business. It's great because you can keep costs down unlike a traditional bricks & mortar business. You can get up & running fast, & buy 'expertise' to do so relatively cheap & from around the world. And that's great, but there's one absolutely fundamental question you should always ask yourself;

"If this was a business on the high street, what considerations would I be giving to security, insurance & risk?"

The recent breaches with Sony should bear enough testament to how much furore, unwanted media attention & pending legal action in the U.S. & Europe they have brought down upon themselves over the breaches of approx. 77 million PSN users. Sony is also being investigated in Ireland by the Data Protection Commissioner over the incidents that affected Irish PSN users. Lets us not forgot the incidents in Ireland in recent times, two high-profile ones being the Irish Blood Transfusion Services, & Bord Gais  .

Data protection breaches are bad for business, & will earn you as a business a very uncomfortable conversation with the Data Protection Commissioner of Ireland, who in recent years following high profile incidents has taken a shine to dispensing costly fines to businesses. A good blog post by ICS IT Law was written a little over  a year ago on this topic, which provides a compelling further exploration on this topic. If as a business you are unsure about data protection, or the levels of data protection exercised by your cloud service provider, please read the information at this link from the Irish Data Protection Commisioner.