Cloud Computing – A Few of the Hidden Factors to Consider

I am a big fan of cloud computing (CC) and have been using CC to back up my essential files since I first heard of Jungle Disk in 2007 (Jungle Disk is a great product for home, SOHO, and small businesses to back up and share files). I have also been working with some friends on a business which uses cloud processing. Before choosing CC, organizations need to evaluate a number of factors. Here are a few that don’t get much attention.

Who Owns the Data? Who Cares if You Use PIE

There is great debate about who owns the data that is stored on the cloud. What about data that might get stored in different countries? What about subpoenas? This is a legal issue which will take time to be litigated. Mark Rasch, director of cybersecurity & privacy consulting at CSC, has an excellent primer on this topic at: http://www.api.org/meetings/proceedings/upload/SessIVRaschPres10Nov10.pdf

I recommend that my clients use “PIE” or “pre-Internet encryption,” a term coined by Steve Gibson of the Security Now podcast. The idea is to encrypt your data BEFORE sending it to the cloud, so that you know the key and no one else does, including the cloud supplier. If your data is hacked or a subpoena is served, all that will be visible is random garbage. If you are a small business, Jungle Disk encrypts with your own AES 256 key. There are products like Trend Micro’s CC suite which encrypt enterprise-level data.

Just Because Your Cloud Computing Supplier is Big, Doesn’t Mean they Are Smart

This is a corollary to using PIE. Amazon had a well-publicized outage a couple of months ago. What was not publicized was that a small amount of data (less than 1%) was permanently lost. If that was your customer database, you could have been screwed. Another CC supplier, Dropbox, recently had a glitch caused by a software update. The glitch meant that no one’s password was being checked, so anyone could log into any Dropbox account with no password or with any password. Last year Google fired a system administrator who was accessing customer files using his administrator access. Using a “big supplier” doesn’t mean they do everything right. You need to protect yourself. If you were using PIE, you would have been protected in every one of these situations: the supplier never holds readable data or the key to it.

Bandwidth, Don’t Assume It Will Always be Free

CC uses lots of bandwidth. Some CC suppliers like Amazon charge for bandwidth, but what about your ISP? Most ISPs are looking at instituting bandwidth caps and/or charges. How would bandwidth charges from your ISP change the economics of CC?

Privacy by Design: Key Concern for VCs and Start-Ups

When I was at AOL, I was a big proponent of “privacy by design.” When we detected a problem with an “existing” product, fixing it was often very expensive. Build in privacy from day 1. This applies not only to big, established companies; start-ups also need to incorporate “privacy by design” principles into their business plans. I know that many VCs are expecting to see cybersecurity & privacy included in the start-up’s business plans.

The URL below links to an article from the Information Law Group written for startups. It addresses:

  • Your business model
  • Your market
  • The legal risk environment
  • Integrating privacy by design

http://www.infolawgroup.com/2011/05/articles/privacy-law/privacy-by-design-a-key-concern-for-vcs-and-startups/


Password Lessons Learned from Sony Breach

When I was at AOL I spent considerable effort fighting for stronger passwords. There was a “discussion” with marketing on “security versus convenience.” An analysis of the Sony breach by Troy Hunt (http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html) showed a number of things to take note of:

  • Sony had stored over 1M passwords in “plaintext.” The first lesson in “cybersecurity 101” is: never do this.
  • Two-thirds of users that had accounts at both Sony and Gawker (another site recently breached) used the same password on both sites. The second lesson is: don’t reuse passwords.
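As an added illustration of the first lesson (this is example code, not from the post or from Sony), here is what a site should store instead of the plaintext: a per-user random salt and an iterated PBKDF2 hash from Python's standard library, verified with a constant-time comparison. The user names, passwords and iteration count are constructed for the example; with this layout a breached record reveals neither the password nor that two users share one.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example (not from the post).
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record to store: random salt + PBKDF2 hash, never the password."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


# Constructed sample users who happen to share a password, like the
# Sony/Gawker overlap. Stored in plaintext the match is obvious;
# with per-user salts the two stored hashes are unrelated.
USERS = {
    "alice@example.com": make_record("correct horse battery"),
    "bob@example.com": make_record("correct horse battery"),
}


def stored_hashes_differ(user_a: str, user_b: str) -> bool:
    """True if the stored records do not reveal that both users share a password."""
    return USERS[user_a]["hash"] != USERS[user_b]["hash"]


if __name__ == "__main__":
    print("alice login ok:", verify("correct horse battery", USERS["alice@example.com"]))
    print("wrong password rejected:", not verify("guess", USERS["alice@example.com"]))
    print("shared password hidden:", stored_hashes_differ("alice@example.com", "bob@example.com"))
```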