No Data Privacy In The Cloud

Most people understand that data in the cloud won’t have the same level of security and privacy that data inside your corporate firewall has. But some recent news has shown just how insecure your cloud-based data really is.

Jim Rapoza

July 1, 2011

Network Computing


My colleague Howard Marks recently wrote about the problems with the Dropbox cloud storage service, and how those problems exposed users’ accounts. They led Howard, and many other users, to stop using Dropbox.

Of course, it wasn’t just the fact that Dropbox made it possible to log into anyone’s account that was the problem (as bad as that was). It’s also the fact that Dropbox has the keys to the encryption of the data, meaning the company (or any party it chose or was forced to give the keys to) could view your data.

The importance of someone else having access to your data became even clearer during the recent Office 365 launch, when Microsoft admitted to a ZDNet reporter that it would turn over data from European companies, in European-based servers, if the data was the subject of a U.S. Patriot Act investigation or request.

Now, everyone has always known that data held in U.S.-based server locations could be the subject of a Patriot Act request, and that the businesses and persons that were the subject of the request might not ever know if their data had been turned over. But I think a lot of companies, especially overseas, were surprised to find that the U.S. government could request their non-U.S.-based data simply if the company running the service was U.S.-based.

When I personally look at things like this, my mind goes even further down the rabbit hole. Does this stop just at the United States and Patriot Act requests?

If the Chinese government (or any overseas government) asked a firm with a large presence there to turn over data of U.S. companies stored in servers in the United States, would the firm do it? My own pessimistic take is that there are more than a few companies that would be happy to do so. And given that the Chinese government is a partial owner of every Chinese company, would your data end up in the hands of a competitor?

In the end, both of these scenarios are good arguments for having strong encryption for cloud-based data and having the keys for that encryption solely in the hands of your own business. If the cloud provider can’t decrypt your data, it can’t turn the data over.

This is also a good argument for private cloud deployments, where a company can get some of the deployment and virtualization benefits of the cloud without having to wonder about the security of the data.

Because, in the end, if your data is on someone else’s servers, and they can see or decrypt the data, then it isn’t just your data anymore.
