If You Don't Read Anything Else, Read This
You should consider very carefully the security and privacy implications before becoming reliant upon cloud services. Ask questions. What is their business model? Do they have a history of poor security or privacy issues? How long have they been in business - how stable are they?
Data mining and advertising. There's no free ride. If a vendor is providing a service for free, the business model likely involves using your data to further their own business interests (e.g. Google) - either by mining your data to obtain information with which to advertise to you and/or selling your personal information to their business partners. This activity alone would violate the policies governing the use of Category I data in most cases, as access to the data must be controlled, restricted, and audited.
Security is sometimes an afterthought. Some cloud services, especially storage services, have a history of poor security implementations and compromises. Security is not an important criterion for them; it gets in the way of their business model. Some of the more significant risks posed by cloud services in general are:
- Exposure of customer data through a security breach or incompetence on the part of the cloud service provider
- The cloud provider sharing customer data with business partners, law enforcement agents, or governments
- Employees of the service provider having the ability to access the service, or customer data, in an unauthorized manner or for any reason without the customer's express permission (see the next section for examples)
- The cloud service provider blatantly lying about the above or other security measures claimed
- Loss of data or loss of access to data due to failure of the cloud service
- Unintentional sharing of sensitive data through poor design decisions on the part of the cloud provider such as sharing items by file name or data deduplication practices (which also reveal that the vendor has access to the data)
- Faulty authentication mechanisms that may allow attackers access to data even after typical compromise remediation steps such as a password change (for example, if previously issued session tokens or linked-device credentials are not revoked)
- Man-in-the-middle attacks that compromise the encrypted communications between clients and the cloud service
- Malware or phishing that obtains account credentials
It is important to choose a vendor that has security as a primary focus. Unfortunately, this can sometimes be difficult to determine, as even historically insecure services advertise themselves as secure and as using "industry standard" measures to protect user data.
Privacy is not policy. The privacy policies of cloud companies can be an invaluable resource for assessing their security posture and understanding how they will manage your data. For instance, consider some excerpts from the privacy policies of some popular cloud storage services:
www.dropbox.com/privacy: We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary.
http://mozy.com/privacy: We may view your file system information (file extensions, sizes etc. but not your file contents) to provide technical support.
http://www.sugarsync.com/privacy: We do not share your files stored on our servers with any third parties unless instructed by you and allowed by SugarSync. We will not disclose your files to anyone unless you instruct us to do so or a court orders us to do so ... We may share with third parties certain pieces of aggregated, non-personal information, such as the average number of photographs being stored by users.
http://www.carbonite.com/en/terms-of-use/privacy: Carbonite will not view the contents of your backed-up files. Carbonite may view your file system information (file and/or folder names, file extensions, sizes etc. but not your file contents) to provide incremental backups and file comparisons, quality control, and technical support. Carbonite will not disclose your personal information, including the contents of your backed-up data with Carbonite, to third parties unless disclosure is necessary to comply with the law.
These policies all reveal that the vendor, regardless of any claims to the contrary or use of encryption, has the ability to decrypt and access any stored data whenever they deem it necessary: a policy promise not to look is not a technical inability to look. Such services are not appropriate for use with Category I data in their default configuration. There may be account configuration options that provide enhanced encryption, such as the use of user-generated keys with CrashPlan, for example. The downside is that, while these options increase security and may protect the data from the vendor, they invariably make the service harder to use and may break some components of the service (e.g. mobile clients in many cases).
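The deduplication point from the risk list above and the user-generated-key option just mentioned are two sides of the same fact: a provider can only collapse two users' identical files into one stored copy if it sees the same bytes from both, and a key the provider never holds removes that visibility. The following is an added example, not code from this page or from any of the vendors named on it. It models a content-addressed store (`ProviderStore`, a name chosen here) and two upload models; the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for a real AEAD such as AES-GCM, and the sample file, user names and file names are constructed for the demonstration.

```python
"""Added example: why cross-user deduplication shows the provider can read
your data, and how a client-held key changes that. Constructed demo only."""
import hashlib
import hmac
import os

# Constructed sample file (not real data). Repeated so it spans several blocks.
SAMPLE_FILE = b"Category I data: constructed student record sample\n" * 20


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256 so the example
    needs only the standard library. Encrypting and decrypting are the same
    operation (XOR with the keystream). Demo construction only: a real client
    should use an AEAD such as AES-GCM, e.g. via the `cryptography` package."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class ProviderStore:
    """Content-addressed blob store: one copy per distinct blob, keyed by the
    SHA-256 of whatever bytes the provider receives. put() reports whether the
    blob was already present, which is exactly the signal a real client sees
    when an upload 'completes' without transferring any data."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}               # digest -> blob
        self.index: dict[tuple[str, str], str] = {}     # (user, name) -> digest

    def put(self, user: str, filename: str, blob: bytes) -> bool:
        digest = hashlib.sha256(blob).hexdigest()
        already_present = digest in self.blobs
        self.blobs.setdefault(digest, blob)
        self.index[(user, filename)] = digest
        return already_present


def provider_side_model(plaintext: bytes) -> dict:
    """Model A (the default for the services quoted above): the client sends
    plaintext over TLS and the provider dedups on it. Any 'encryption at rest'
    with a provider-held key happens after this point and changes nothing
    about who can read the file, so the stored blob is modelled as plaintext."""
    store = ProviderStore()
    store.put("alice", "records.csv", plaintext)
    bob_saw_dedup = store.put("bob", "export.csv", plaintext)
    return {
        "blobs_stored": len(store.blobs),                      # one shared copy
        "bob_saw_dedup": bob_saw_dedup,                        # True
        "provider_can_read": plaintext in store.blobs.values(),  # True
    }


def client_side_model(plaintext: bytes) -> dict:
    """Model B: each user encrypts with a key generated and kept on the client
    (the 'user-generated key' option). The provider stores nonce || ciphertext
    and never sees the key, so identical files from two users, or even the same
    user twice (fresh nonce), hash to different blobs and cannot be deduped."""
    store = ProviderStore()
    keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    dedup_seen = {}
    for user, key in keys.items():
        nonce = os.urandom(16)                      # fresh per upload
        blob = nonce + xor_keystream(key, nonce, plaintext)
        dedup_seen[user] = store.put(user, "records.csv", blob)

    # Alice can still get her file back: fetch her blob and decrypt locally.
    alice_blob = store.blobs[store.index[("alice", "records.csv")]]
    recovered = xor_keystream(keys["alice"], alice_blob[:16], alice_blob[16:])
    return {
        "blobs_stored": len(store.blobs),                      # two distinct copies
        "bob_saw_dedup": dedup_seen["bob"],                    # False
        "provider_can_read": plaintext in store.blobs.values(),  # False
        "alice_recovers": recovered == plaintext,              # True
    }


if __name__ == "__main__":
    print("provider-side:", provider_side_model(SAMPLE_FILE))
    print("client-side:  ", client_side_model(SAMPLE_FILE))
```

The practical check this suggests is cheap: upload a file, re-upload it from a second account, and watch whether the second upload transfers any bytes. If it does not, the provider is matching on content it can see, whatever its marketing says; enabling a user-generated key should make that shortcut disappear (along with, as noted above, some of the convenience features that depended on it).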
Long-term dependability and availability is an unknown. The service simply may not exist tomorrow. There hasn't been a tremendous amount of consolidation in this industry yet, but it's bound to happen eventually that some cloud services will be bought by or sold to competitors, or go out of business. When this happens, the ability to recover or migrate services and data to new providers is very much an unanswered question. Vendor lock-in can be an especially big concern with platform-as-a-service (PaaS) options, as the code and applications designed to operate on a given platform may not be portable to a new service.
Besides concerns over future viability, dependability in the present is also an issue. A number of high-profile services from multiple vendors have had outages or experienced data loss events. Some of these have had far-reaching impacts on their customers. For instance, Amazon's heavily utilized Elastic Compute Cloud (EC2) has had a couple of outages in the past year, which caused downtime for customers such as Netflix, Reddit, and Foursquare, among others. In 2007, Carbonite, a cloud storage provider, lost backups uploaded by over 7,500 customers over the course of several separate hardware failures. While most of their users were able to simply re-upload their data, in effect creating a new backup, some of those affected were relying upon the service to recover from their own technical problems at the time. Carbonite indicated that an unspecified number of customers lost their own data during this period of hardware failures and were not able to recover it from Carbonite, as they had no doubt counted on doing.
The lesson is to outsource to companies with proven track records and, even then, to keep multiple copies of critical data and maintain business continuity plans to deal with service outages.