Should Companies Do Most of Their Computing in the Cloud? (Part 2)

Let me start by describing two approaches to the cloud.

Most of the students I meet at Harvard University live their lives in the cloud. Their e-mail, documents, contacts, calendars, photos and everything else are stored on servers belonging to large internet companies in America and elsewhere. They use cloud services for everything. They converse and share on Facebook and Instagram and Twitter. They seamlessly switch among their laptops, tablets and phones. It wouldn’t be a stretch to say that they don’t really care where their computers end and the internet begins, and they are used to having immediate access to all of their data on the closest screen available.

In contrast, I personally use the cloud as little as possible. My e-mail is on my own computer—I am one of the last Eudora users—and not at a web service like Gmail or Hotmail. I don’t store my contacts or calendar in the cloud. I don’t use cloud backup. I don’t have personal accounts on social networking sites like Facebook or Twitter. (This makes me a freak, but highly productive.) And I don’t use many software and hardware products that I would otherwise really like, because they force you to keep your data in the cloud: Trello, Evernote, Fitbit.

Why don’t I embrace the cloud in the same way my younger colleagues do? There are three reasons, and they parallel the trade-offs corporations faced with the same decisions are going to make.

The first is control. I want to be in control of my data, and I don’t want to give it up. I have the ability to keep control by running my own services my way. Most of those students lack the technical expertise, and have no choice. They also want services that are only available on the cloud, and have no choice. I have deliberately made my life harder, simply to keep that control. Similarly, companies are going to decide whether or not they want to—or even can—keep control of their data.

The second is security. I talked about this at length in my opening statement. Suffice it to say that I am extremely paranoid about cloud security, and think I can do better. Lots of those students don’t care very much. Again, companies are going to have to make the same decision about who is going to do a better job, and depending on their own internal resources, they might make a different decision.

The third is the big one: trust. I simply don’t trust large corporations with my data. I know that, at least in America, they can sell my data at will and disclose it to whomever they want. It can be made public inadvertently by their lax security. My government can get access to it without a warrant. Again, lots of those students don’t care. And again, companies are going to have to make the same decisions.

Like any outsourcing relationship, cloud services are based on trust. If anything, that is what you should take away from this exchange. Try to do business only with trustworthy providers, and put contracts in place to ensure their trustworthiness. Push for government regulations that establish a baseline of trustworthiness for cases where you don’t have that negotiation power. Fight laws that give governments secret access to your data in the cloud. Cloud computing is the future of computing; we need to ensure that it is secure and reliable.

Despite my personal choices, my belief is that, in most cases, the benefits of cloud computing outweigh the risks. My company, Resilient Systems, uses cloud services both to run the business and to host our own products that we sell to other companies. For us it makes the most sense. But we spend a lot of effort ensuring that we use only trustworthy cloud providers, and that we are a trustworthy cloud provider to our own customers.

This essay previously appeared on the Economist website, as part of a debate on cloud computing. It’s the second of three essays. Here are Parts 1 and 3. Visit the site for the other side of the debate and other commentary.

Tags: business of security, cloud computing, debates, economics of security, essays, laws, risk assessment, risks, threat models

Posted on June 10, 2015 at 11:27 AM • 31 Comments

Comments

keiner • June 10, 2015 11:45 AM

Same error as in Part 1:

After “Economist” the “end italics” is missing…

Günter Lukas • June 10, 2015 12:12 PM

Eudora? But isn’t it a really bad idea to use unsupported software that might have unfixed security vulnerabilities?

Sophia Katt • June 10, 2015 12:25 PM

For many small businesses the looming cloud question will be “which accounting software to use”, as the desktop version of QuickBooks is getting gradually pushed out at Intuit by its online version. An Australian/NZ cloud based product, Xero, has been receiving major investment while it has been establishing its U.S. debut.

Carlo Graziani • June 10, 2015 12:33 PM

If you have a machine with a static IP address under your own control, or even a Dynamic DNS service pointing to your DSL/Cable service, you can have the benefits of the cloud with data under your own control by using Owncloud.

Calendaring, contacts, file sharing, and extensibility through an app architecture (I like the RSS App, freed me from Feedly). I’ve been using it for about a year, and for me it’s been a game-changer.

Of course, system security is as good as your own administration and the maintainers’ security-consciousness. But at least the data routes around google, dropbox, etc.

Andrew • June 10, 2015 12:42 PM

@CouldntPossiblyComment
“…Databases are still databases, regardless of where they’re hosted…”

It’s not that easy, everything in a company could be stored in cloud, emails, data, databases, processes, documents, etc. If you are using a proprietary cloud system, for example Azure Tables, it becomes virtually impossible to change the cloud provider.

Jeff • June 10, 2015 1:13 PM

An additional reason someone is going to use an older product is because they like it. ‘They grew to like the old wine, so the new wine does not taste so good.’ (Same rule for the critics, in reverse. They like the new wine, and so can’t understand the old.)

It might be more of an artistic thing then a technical matter.

Trust, I think is the key term at play here. But, who stores their money in their mattress and does not use a bank? If your card gets stolen, you can report it stolen and the charges removed. If your system username and password gets hacked, same situation. In fact, if any transaction causes you to lose your credentials, the bank will work with you and refund the money. They will also be invested to pursue the hacker. They have the means to do so, we do not, individually.

Control is deceptive. We often want to do everything by our own selves, and not trust others. Not trust their capacity. But then we can end up quickly with too much on our own plate. And our lack of trust of others means we keep an unrealistically low expectation of others. It is a bad state to be in.

It is difficult for highly functioning individuals to trust, because they are so competent. But that is deceptive. You can not be everywhere at once. You can not know everything. Your logic on any matter may be seamless, but that does not mean anything if you do not have all the facts. Others do. And if we stop learning from others, then we stagnate our own selves.

Ray Dillinger • June 10, 2015 1:25 PM

I do not use “the” cloud. Like Bruce, I have made my life deliberately harder by refusing it. And I have refused it for the same reasons. There is no legal framework in place to protect anything I put on anybody else’s machine.

Therefore I shall put nothing I care about on anybody else’s machine unless I can put it there encrypted.

Personal contacts? They’re personal, and besides they don’t want the extra spam they’d get from having their contact information sprayed around carelessly.

Personal calendar? That’s personal too.

Passwords? Are you f’ing kidding me?

I’d like some kind of middleware app that encrypts everything headed for cloud storage before it leaves my machine, that would still allow me to use all those apps. But I haven’t heard about one, and most of those apps run on platforms too closed for anybody to write one.

TimH • June 10, 2015 1:40 PM

@Carlo Graziani
You suggest “…the benefits of the cloud with data under your own control by using Owncloud”.

But it isn’t under your control, is it? No externally managed cloud can be. Any promises about backups, downtime, access, freedom from passing your data across without an order etc are just that: promises.

name.withheld.for.obvious.reasons • June 10, 2015 1:46 PM

The issue of “where” or to whom to entrust data to is a complex question. The number of non-technical factors include; legal and jurisdiction requirements, long term archival support, integrity and security of the host system(s), the value, availability, access control(s), data management features, client interfaces or applications, and ease of use.

Technically:
1.) Approximate value of data
2.) Encryption of storage or devices
3.) Granularity and strength of access controls
4.) Host systems (under what jurisdiction), archival format support with encryption, off-site stores, retention policies
5.) Due diligence and fiduciary constraints (Sorbanes, Soxs, etc.)
6.) Programmatic support features, extensible or API-based extensions
7.) Compliance and practices support
8.) Change control, configuration management, and version-ing
9.) Auditing, monitoring, and reporting support/features
10.) Visibility and branding (internally and externally)

George • June 10, 2015 1:58 PM

This is a bit simplistic, which you know, of course.

Not all data is the same. I doubt you host (yourself?) this blog on the same system that you might use to manage your personal finances (unless you’re the last user of checkbook registers).

Some data is fine in the cloud. Some is not.

rgaff • June 10, 2015 2:02 PM

@ TimH

“Owncloud” is something you install on your own server that is physically at your own house, for example, providing cloud-like file sharing services. Note that since they are fully and completely under your own control, this is not technically a cloud at all, it’s just remotely-accessible.

Of course I can’t vouch for how buggy or safe it is…. but at least it’s open source, so you do have a chance at discovering any deliberate or accidental backdoors if you have the technical expertise to do so.

bobXt • June 10, 2015 2:36 PM

I don’t use the cloud either. But you forgot the 5th reason we don’t: we’re both crotchety old guys who have done it one way for years, and just hate to change.

Thoughtful comment • June 10, 2015 3:06 PM

For me the cloud is not a practicable option as upload speeds are too slow.

Cheap hard drives are easy to come by nowadays and providing you follow the ‘[backup] rule of 3’ it’s quicker, more convenient and offers greater security and flexibility.

I too sacrifice convenience for security/privacy and only use the cloud for storing the most critical of my data (absolutely cannot lose)

That said prior to uploading I will manually encrypt the file and then sign it with my PGP key. Then, in the event that I require access, I can establish its integrity (i.e. that it hasn’t been tampered with) and I can be as confident as reasonably possible that the data hasn’t been compromised.

I don’t trust solutions like (the new incarnation of) Boxcryptor as there are issues with key management. A much better solution is to upload an encrypted volume using Truecrypt (or AxCrypt for individual files/or to encrypt a ‘compressed folder’).

A more elegant method is SecureZIP from PKWARE. It integrates with Outlook, Word, PowerPoint and Excel or can be accessed from the context menu or application.

With a solution like SecureZIP you can sign and/or encrypt the file using PGP, S/MIME or a conventional passphrase. They support AES: 128, 192, 256 or 3DES (168).

Personally speaking I think that encrypting a file with a certificate (self-generated or otherwise) is a much better way to secure your data. Using a passphrase alone, unless exceptionally long, won’t be sufficient for AES 256. They used to offer a free version for personal use which is no longer advertised (but still available). Or you can hand over $40, support their work and get the latest version.

WinZip integrate Box, OneDrive, Dropbox, Google Drive etc. but don’t offer the ability to use PGP or X.509 certificates. They also limit the useful functions to the more expensive ‘professional’ edition.

I know that Microsoft are introducing BYOK (Bring Your Own Key) for cloud data and emails. That’ll be very interesting (some businesses are already using it) but this will also limit device interoperability (smartphones, tablets). The keys are kept on Thales HSMs so should be reasonably secure. Transfer of the keys can be done using a designated program, by post or in person.

But until the complex legal, jurisdictional, commercial, privacy and security issues are resolved I’ll continue to manage my own encryption.

And for storing properly encrypted data, the cloud is great.

AT • June 10, 2015 3:19 PM

Your points of trust, control, and security are entirely illusive. You’re simply pushing all three lower down the abstraction stack, but, in the end, I bet you
are no safer against government or determined corporate prying without the cloud
than with it. In some ways, one could argue that it is safer to live in the cloud
and know that your data is out of your hands than to assume otherwise outside the
cloud.

winter • June 10, 2015 3:36 PM

I use both Dropbox and Google Drive. Here the cloud data is mirrored on my computers (its small). Important stuff is mirrored on both services.

So the risk of losing data is mostly covered. The data on these services are not privacy sensitive. Convenience rules this part of my data.

I have also stored a Truecrypt container on Dropbox with stuff I want to protecy. In the end, it is mostly an experiment. I hardly use this solution.

On the whole, Dropbox and Google drive have made my life easier. It is all stuff I publish and share anyway, so the privacy angle is irrelevant to me.

The same holds for my use of Google Documents.

I think I understand the “young ones”. If you know what you are doing, the cloud can make your life a lot easier (meaning more productive professionally and socially) while you can still keep the downsides in check.

65535 • June 10, 2015 4:45 PM

It’s back to control, ownership and security. For junk photos, movies, and games the so-called cloud is doable. Who really cares about that junk? In fact, you can basically use Gmail as a file server.

For sensitive items from finance to medical records the risks outweigh the rewards. Thumbs down on the dark cloud.

Even if there was no CALEA, NSA, 702, EO 12333 and Freedom to Spy Act, there are other bad actors in the shadows. There could be any number of paid moles in cloud providers who may steal your data. Once you give your data to another person it will eventually be copied or stolen.

Currently, the cost of storage in multiple terabytes HDD’s and the current compression programs and applications make ownership of your own data manageable. I don’t embrace the foggy cloud with all of its attending shady legal “Terms of Service.”

EudoraExplora • June 10, 2015 5:07 PM

I am also a Eudora user (same version even). I switch to WLM and had to give it up as unreliable after one year of use. Eudora still meets my needs and just because it is old, doesn’t mean it is a target. Newer systems such as Gmail, Hotmail, and probably even Outlook suffer more issues (though the comparison is in Eudora’s favor probably due to a small user base).

In a nutshell, it still does the job.

BoppingAround • June 10, 2015 5:16 PM

This reminds me of two quotes I have in my nonsense.txt file:

‘She had been struck, in talking to the children she met, that they had no idea at all how the internet actually functioned. They had bought the ethereal idea of “the cloud”, that benign mystical repository of all knowledge and data; when she asked them where they thought it was, they all looked heavenwards.’

‘Yes of course, all that “cloud” and “like” and “friend” and “google” and “twitter”. The nursery language makes it seem a safe Teletubby land where nothing bad could happen.’

I don’t remember who was the author of these.

Ray,
I have gone even farther and decided to abstain from storing it even if it’s allegedly encrypted. The reason for this is, first, that my crypto knowledge is weak at best. Then, even if I would have known everything there is to know about crypto, there are another pack of problems: incorrect implementations, rigged PRNGs, other software errors, untrustworthy underlying layers, whatever. Is it secure just because it looks like gibberish to me? That old maxim about not getting too cocky if you have managed to make a cypher you cannot break comes to bite me in the arse again.

Simply, as has been said already, all you have is trust and to me that seems like having almost nothing. Trust is too fragile. A [regular] glass armour against a .30-06 round.

Nick P • June 10, 2015 6:02 PM

@ Bruce

” It wouldn’t be a stretch to say that they don’t really care where their computers end and the internet begins, and they are used to having immediate access to all of their data on the closest screen available.”

A school known to create companies pushing products is now also full of students who are the product. The times are changing.

“In contrast, I personally use the cloud as little as possible. ”

Good for you. The good news is that there’s a niche market producing equivalent things that are under owners’ control. Look into those a bit more and you might be surprised.

“Most of those students lack the technical expertise, and have no choice. ”

Remind them that MyKolab, Threema, SpiderOak, and so on require little technical expertise. They just require a decision to be made along with a small amount of money.

“Lots of those students don’t care very much. Again, companies are going to have to make the same decision”

Like in liability discussions, this is always the case because there’s little consequence. I think security will be a minor point for most companies.

” Try to do business only with trustworthy providers, and put contracts in place to ensure their trustworthiness. ”

Best point and very good advice.

“My company, Resilient Systems, uses cloud services both to run the business and to host our own products that we sell to other companies.”

That was a surprise. I figured that, like many IT startups, you all could do a lot with a little using the various FOSS or appliances out there. There is an argument, though, about putting more money in core business than IT. I could easily see management making that argument.

Note: I’m with Gunter on your use of Eudora. More for maintenance than security: it’s future is quite uncertain and pieces of it in many directions. Evaluate alternatives to switch to. If you have too much saved email, then you can just keep a copy (or even VM) for those.

@ name.withheld

Nice breakdown.

@ winter

I had a similar setup with Truecrypt and Dropbox. Worked fine. I have Gmail, Facebook, and so on for non-critical stuff where they’re appropriate. I’ll add that Gmail’s track record on data integrity is much better than mine given their resources let them loose plenty more HD’s before data is toast. I lost three and there went everything. My gmail stuff is still accessible going back years. So, definitely advantages. Even more if one can split trusted and untrusted appropriately.

“I think I understand the “young ones”.”

You understand the convenience part. I’ve talked to enough of them to be sure most either don’t understand or don’t care about the use it right part. They just do what their friends are doing or the cool thing they saw online. Easy prey for black hats.

Clive Robinson • June 11, 2015 11:23 AM

@ Bruce,

In contrast, I personally use the cloud as little as possible.

That is actually a wise choice for a whole load of reasons, many of which people think about.

But there are a couple you don’t see come up very often because the FUD that the IC has spread –thicker than ten years of organic herbivore fertilizer– makes people think that they must be criminality related…

As you are aware it’s not just criminals with secrets, no business can expect to survive if their competitors have access to all the data.

Which brings me to the two points everybody –yes I do mean everybody– who has data should actually take a little time to think about,

First off, even if all your data is encrypted there is no guarantee the encryption system you used does not have defects, or how you selected the key was sufficient secure. With not just the NSA keeping your data forever it kind of makes sense not to rely on just the encryption process if you don’t have to. (For those about to scream… go away and look at a bit of crypto history then have a good think). Even if you think you are encrypting junk that nobody could be possibly interested in think again. Just look how long it took this blogs readers to get the position of that supposed ISIS HQ from that photo the other day and that was just in leisure time… Further as Cardinal Richelieu once remarked even a few of your thoughts when confided to a more permanent form are enough to hang you…

Secondly, if you keep your data under a sensible level of control, when people want to get at it for some reason, you are probably going to know about it. If it’s in the public(ish) cloud then you are only likely to know when somebody drags you in for a non cossey chat, or somebody is making a killing of your hard work.

For those that still believe in “If you’ve not done anything wrong…” please grow up, the real world has teeth and claws and it’s only forethought or chance that stops you getting savaged.

John Henry • June 11, 2015 1:26 PM

Another happy Eudora user since 1994. Currently on v7 last updated 2006. I have tried Thunderbird, Mulberry, seamonkey and one or two others. When I say tried, I mean used daily for all email for a month or more.

The school I teach at made me use Outlook for a couple years.

I have not found anything as good as Eudora. Perhaps someday someone will develop something. Today is not that day.

I do use Evernote and find it very handy as a way to write down writing ideas, memory verses, books or websites that someone mentions and the like. The kinds of things I’d write on a postit or a napkin otherwise.Not as a to do list, contact list or the like.

I’ve never understood the point of the whole cloud thing. I have a phone, tablet, laptop and desktop and have never had any trouble keeping them synced on the stuff that matters.

Without using the cloud other than Evernote, which is very handy.

My data, under my control. That seems to be the best way.

John Henry

Steve • June 11, 2015 7:46 PM

You mention that at Resilient Systems you take a lot of precautions to ensure that you’re using trustworthy cloud providers, and that you are a trustworthy cloud provider. I looked around the site and couldn’t find any obvious whitepapers/docs that explain any of how you approach this, but would be interested to hear your practical thoughts on this. How far do you take it? (I work for a small enterprise software company that faces the same challenges and we’ve also chosen the SaaS path, but are always looking for ways to ensure we’ve maximized the reasonable security assurances we can offer). Thanks!

Nick P • June 11, 2015 8:37 PM

@ Bruce
re Steve’s comment

I second that. What criteria did your company use for selecting various cloud providers? And what evaluation framework would you recommend? Or specific companies?

. • June 12, 2015 9:52 AM

Since you brought up fitness trackers. This just in:
http://it.slashdot.org/story/15/06/12/1243208/samsung-lg-smartwatches-give-up-personal-data-to-researchers

Spaceman Spiff • June 13, 2015 9:50 AM

“My e-mail is on my own computer — I am one of the last Eudora users — and not at a web service like Gmail or Hotmail.”

I use gmail exclusively. My email address is an ieee forwarding address that feeds into my gmail account. One thing I like about gmail is that I can download my emails for backup when I want (using POP) to a personal email client.

Fascist Nation • June 15, 2015 6:50 AM

Thank you for this column! It laid out the reasons I give to people for why I hate “The Cloud,” only far more articulately than I have done. I can point to it now.

I am called paranoid, despite the fact I can point to when governments and big corporations have routinely abused data stored on their servers and “in the cloud.” In fact, such intention to abuse is contained in user agreements one checks approval of when one signs up (or pays) for these services.

This betrayal is dismissed. I just hope I do not get to say ‘I told you so’ in their future. It is your data. Once it is out there it is out there.

PJ • June 15, 2015 3:41 PM

Also being an old fart, I can sympathize with Bruce’s position, but I have a couple of different reasons.

Old programs and old habits retain value: you already know how to use them! It takes time (and time is money) to learn the quirks of a new tool. I am still annoyed at googlemaps for changing the user interface. It is almost criminal to release a completely new user interface without allowing previous users to get back to the “classic” interface.

I finally went to the cloud for email because I am almost done with Seamonkey and I didn’t want to be dependent on it. I also wanted to try protonmail for its security, and it is cloud only. I now see the point – any computer I can find allows me to access my email. I’m still a bit nervous that my emails are no longer in my computer, but they are probably safer on protonmail’s servers than here. Anyway when I die, the value of my emails goes to zero; nothing lasts forever.

My bottom line is to use the old tools and old ways “as long as possible, but no longer”. At some point it does make sense to be dragged kicking and screaming to the new tool. But Heaven preserve us from gratuitous diddling of user interfaces.

idealscorp • September 24, 2015 8:55 AM

An M&A process that uses a virtual data room has the advantage of being shorter in duration because fewer manually intensive activities must be carried out by the seller. A potential buyer experiences significant time savings when using a virtual data room, and the seller also benefits by not having to spend time printing, supervising and assisting, as they are required to do in a physical data room.

James • February 18, 2021 8:44 PM

As far as I know, New Zealand is still campaigning to increase the non-privacy of cloud services from governments:
https://www.beehive.govt.nz/release/international-statement-end-end-encryption-and-public-safety

Any sign of them starting to become trustworthy?

xcv • February 18, 2021 9:21 PM

@James

More on topic hopefully, something of more general interest.

https://www.beehive.govt.nz/release/international-statement-end-end-encryption-and-public-safety

There’s a “queen bee” with a royalist New World Order elitist agenda at that site.

Essentially private encryption and private use of cryptography is totally forbidden by that agenda. (Agenda21?)

Is that sort of stuff why the cops hate me so much, especially from a stateside perspective?

Five Eyes a.k.a. UKUSA (not to mention Canada and Australia as well as New Zealand) is at it again with FISA warrants that enable law enforcement agencies to skip overseas and bypass domestic requirements of due process and probable cause for search warrants.

And it’s “for the children” — i.e., a naked pro-organized-crime agenda of kidnapping, extortion, and murder-for-hire on an international theater of war. Except war is peace and we in the U.S. must submit to all these peace treaties with countries where social undesirables, mental defectives, targeted individuals, prohibited persons (like me) who have been blacklisted are not welcome under any circumstances and quite probably face serious criminal charges upon arrival if we were to travel to any of these countries.

xcv • February 18, 2021 10:56 PM

beehive.govt.nz ??

You wouldn’t think a “queen bee” has anything to do with CIA- and US military-associated hits and assassinations carried out by “drones,” would you? But this, too, is a clue.

https:\\web.law.columbia.edu/human-rights-institute\counterterrorism\drone-strikes\counting-drone-strike-deaths

The “top secret clearance” and highly encrypted remote command and control of “drones” is what enables their operators to, essentially, get away with murder.

It is not a very desirable job in the Air Force, I’m told. There’s a lifetime commitment to extreme secrecy, simply to avoid discovery and retribution by the enemy, not so much a “friendly” criminal charge for disclosing classified information.

Now, I am trying to find out if I am on a top secret official or unofficial and unacknowledged drone hit list. I have reason to believe I have enemies in the government and in the military. There was a locker room crowd of bullies when I was in high school, and I was heavily targeted for military recruitment at that time. There were some aspects I found interesting about military service, but my high school experience of being picked on, bullied, teased, harassed and left out by people who would have been expected to be my friends and equals is definitely not something I would have wanted to endure in a military locker room jock setting.

Schneier on Security

Comments

Leave a comment Cancel reply