By Doug Miller
Steve Wozniak’s recent comments on how cloud computing is going to cause a “lot of horrible problems in the next five years” and comments such as…
“with the cloud, you don’t own anything. You already signed it away”
… have sparked wide-ranging commentary in the media and blogosphere.
One of the points Mr. Linthicum makes is…
“I suspect he’s referring more to consumer-oriented clouds and social networking sites that leverage your information in exchange for use of their services.”
Both of these folks raise some valid points. However, regarding Mr. Wozniak’s claims, if you go with the right cloud solutions with the right privacy agreements and terms of service, the data ownership and protection issues should be properly addressed – right? Mr. Linthicum’s point that this is more about consumer-oriented clouds raises questions as well.
Is Wozniak right or wrong? The answer may be within our control.
Whatever cloud service you are using – whether it is Twitter, Facebook, Skype, DropBox, Salesforce, Office 365, Gmail, Amazon Web Services or Pinterest – you should click on the privacy and terms of service links on the provider’s web page and really read what it says – especially if you are storing business or government data in the cloud. Don’t go by what the vendors say in the press or even what they say on their promotional web sites. Whatever the policies say is what counts.
While privacy gets a lot of play in the press, there are at least six key elements that need to be checked:
- Privacy: The cloud vendor’s privacy agreement should clearly define exactly what types of information (including personally identifiable information) or data (including business files, emails etc.) it will collect from you and how it will use them. Is it really necessary for a cloud vendor to gather all that personal information or to have access to your uploaded content?
- Data ownership: Most providers will happily tell you that your data belongs to you and that it will remain yours after uploading it to the provider’s cloud service. That may be true but the next point is really the more important one.
- Security: Most cloud providers will make promises to secure their cloud services and hopefully prevent intrusions from unauthorized users. Yet, despite these assurances, many providers have had at least one breach of security that had the potential to expose user data. Even when technology is in place to protect the cloud, people and process issues have the potential to nullify basic security technology as illustrated by the recent Amazon / iCloud security debacle. As the author notes, had he used two-factor authentication with his Gmail account he might have prevented the attack. Security extends to users as well, since weak passwords are still one of the most common ways for intruders to break into a cloud-based account. Another aspect of security is how well the cloud information is protected from internal malicious intruders. Can a worker inside the cloud provider gain access to your data? And do you know where your data is stored? Technologies such as at-rest encryption and stronger password enforcement may become more common as ways to better protect cloud data.
- Confidentiality: Most providers will promise that they will keep some or all of your data confidential – that is, they won’t share your data with other third parties such as advertising networks. However, these promises do not mean anything unless you put them into the context of the other four areas above. For example, if the provider promises to keep your data confidential, but also reserves the right to use your data for its own purposes, then the confidentiality language is pretty worthless. Surprisingly, many government contracts include clauses that cover confidentiality but rely on consumer-oriented policies for other aspects of privacy and data use.
- Trust: This is a tough one. While all providers say “trust us” it is ultimately up to you or the people in your organization that sign up for a cloud service to decide whether the cloud service provider is trustworthy or not. Regardless of what the policies and service agreements say, do you really trust the provider to do what they say they are going to do? Or do they have a track record of privacy abuse, security breaches or legal issues?
Clearly, all of these areas need to be considered before you take the leap to move your data into the cloud and trust the cloud service provider to do the right thing with your information.
And finally, there is one more thing to think about. Many professional cloud services – which are covered by decent data protection policies – have ties into consumer-oriented services – which have much more permissive data policies. For example, does your blogging site have a link for a Facebook “Like” button? Does your email service have a link to a consumer search service? Does your business smartphone run a consumer service that tracks your location? I believe more corporate and government data is leaking back into the consumer world than anyone is willing to admit.
Ultimately we may find that there needs to be a well-defined wall between our personal, social cloud existence and our private use of the cloud for business and government workloads. Carelessly mixing these two worlds or failing to understand how our data is being used by cloud providers could – as Woz predicts – lead to “horrible problems” down the road.