Adopting a Cloud App means entrusting your information to someone else, and you need to know if that information is safe. There are obvious risks: Is it safe from hackers and malicious employees? Is it safe from natural disasters such as earthquakes or man-made ones such as bankruptcy? And maybe not so obvious ones: Will I be able to download my data in a usable format? Will I be able to delete it if I cancel my service? Will it be shared with law enforcement or litigants in a civil lawsuit without my knowledge? And most importantly what can I do to make sure my information is safe?
Keeping your data in the cloud magnifies some existing security threats and also creates some new ones. The well-respected Cloud Security Alliance detailed the “Notorious Nine”, but for creative entrepreneurs there are really only four main security threats.
1. Your Account is hijacked.
Account hijacking is when someone obtains your login credentials and passwords and is able to access your cloud-based account. A recent study by Experian found that login information for a Twitter account is worth more on the black market than a credit card number. Since people often reuse credentials and passwords, access to one account can lead to access on other accounts. Also the attacker can eavesdrop on your activities and those of your social circle. This is a threat specific to cloud-based software applications. Traditional software on your laptop required physical access to the device.
While this information is now targeted in hacker attacks (Sony Playstation), the tried and true methods of phishing, fraud, and spyware are still significant avenues (iCloud Nudes).
Protecting your login credentials is pretty straightforward: use different passwords for different accounts, create hard-to-guess passwords, don’t share sensitive information online, avoid public Wi-Fi, use https, etc. You have heard all of that before; however, the discipline required and the inconvenience involved mean most people don’t do this very well. Here is a good guide on protecting yourself online and offline.
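The two habits above that matter most against account hijacking are not reusing a password across accounts and not picking one that is short or common. As an added example (not from the original post, and not any particular password manager's code), the script below runs those two checks over a small constructed vault of account/password pairs and generates a replacement password with Python's `secrets` module. The vault contents, the 12-character floor and the tiny common-password list are all assumptions chosen for illustration; a real password manager would hold far more and never expose plaintext like this.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault: account name -> password. In practice this lives inside a
# password manager; the plaintext here exists only so the checks have something to run on.
SAMPLE_VAULT = {
    "email": "Summer2014!",
    "twitter": "Summer2014!",
    "bank": "Summer2014!",
    "crm": "x7#Qv2!pL9@mR4wZ",
    "photo-site": "password",
}

# Assumed, deliberately tiny list of well-known passwords; real checks use far larger sets.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

CHAR_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def find_reused(vault):
    """Return {password: [accounts...]} for every password shared by two or more accounts.

    One reused password means one phished or breached site exposes all of those accounts.
    """
    by_password = defaultdict(list)
    for account, pw in vault.items():
        by_password[pw].append(account)
    return {pw: sorted(accs) for pw, accs in by_password.items() if len(accs) > 1}


def strength_issues(pw):
    """Return a list of problems with one password (an empty list means it passes)."""
    issues = []
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("common password")
    if len(pw) < 12:  # assumed minimum length for this example
        issues.append("shorter than 12 characters")
    classes = sum(any(c in cls for c in pw) for cls in CHAR_CLASSES)
    if classes < 3:
        issues.append("fewer than 3 character classes")
    return issues


def audit(vault):
    """Combine the reuse and strength findings into one report dict."""
    report = {"reused": find_reused(vault), "weak": {}}
    for account, pw in vault.items():
        problems = strength_issues(pw)
        if problems:
            report["weak"][account] = problems
    return report


def new_password(length=16):
    """Generate a random password that passes strength_issues(), using the CSPRNG in secrets."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not strength_issues(pw):
            return pw


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for pw, accounts in report["reused"].items():
        print(f"password reused across {len(accounts)} accounts: {', '.join(accounts)}")
    for account, problems in report["weak"].items():
        print(f"{account}: {'; '.join(problems)}")
    print("replacement candidate:", new_password())
```

Running it against the sample vault reports the one password shared by three accounts and flags four of the five entries as weak; only the 16-character mixed-class password passes. Replacing each reused password with a distinct `new_password()` output, stored in a manager rather than memorised, is the practical form of "use different passwords for different accounts".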
2. Your information is stolen.
“Data Breach” is when personal or sensitive information is stolen from the company storing it. You may envision a hacker or foreign government exploiting a vulnerability in the company’s firewall, but malicious employees and negligence account for about 59% of these incidents. A typical data breach law requires a notification letter be sent to those affected and in some cases identity theft protection services are offered.
Every week brings new data breach reports from companies such as Target, Home Depot, or Sony Pictures. But we only hear about them at all because individual states have enacted data breach notification laws. Starting with California in 2003 a patchwork of laws now exist in 47 states. And some industries, such as financial services, are covered by Federal data breach notification law.
Unfortunately for users of Cloud Apps this patchwork means your data may reside in a jurisdiction with strong, weak, or no regulation. In fact in some areas cloud services are specifically exempted from breach notifications. In this environment it is very difficult for a creative entrepreneur to independently verify that their data has been breached, so it comes down to trusting the cloud app provider to notify you.
3. Your information is lost.
“Data Loss” traditionally refers to the cloud service provider’s inability to provide you your data. To accommodate cloud-based apps I have segmented and expanded this definition to include three conditions that reduce or eliminate your ability to use your data: Loss of Access, Loss of Portability, and Loss of Identification. Let’s look at these in more detail.
Loss of access occurs when you are unable to access your data. This includes the traditional categories of data loss: accidental deletion by the service provider, damage to infrastructure from natural disasters, or inadequate backups. In addition this category should include loss of access to data due to the bankruptcy of the cloud service provider, failed system upgrades, end-of-life support for existing platforms or versions, and denial of service attacks.
Loss of Portability (also called Lock-In) occurs when you are unable to easily switch to a new cloud or non-cloud provider. Loss of Portability is often due to a lack of adequate download utilities or the use of proprietary file formats. For example, you may have spent hundreds of hours entering, cleaning, and enhancing your customer information in a cloud-based Customer Relationship Management tool, only to find out that the only data you can download is a basic customer list. All of the meaningful information in that CRM system, such as tasks, opportunities, quotes/orders, service requests, marketing activities, and the metadata relationships, is unavailable to migrate to your new system without reentering all of this data. Proprietary file formats are another way that some cloud service providers keep you from going somewhere else.
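The CRM example is easy to test for yourself once you have an export in hand: does the bundle contain the related records and the ids that tie them together, and can it be re-imported without loss? The following is an added example, not code from the original post or from any CRM vendor, that contrasts the lossy "basic customer list" export with a portable one built on standard CSV. The three-table CRM (customers, opportunities, tasks) and its contents are constructed for the illustration, and `portability_check()` performs the round-trip test a practitioner would run before trusting an export.

```python
import csv
import io

# Constructed sample CRM: three tables keyed by id, with foreign keys linking the records.
SAMPLE_CRM = {
    "customers": [
        {"id": "c1", "name": "Acme Studio", "email": "acme@example.com"},
        {"id": "c2", "name": "Bluebird Films", "email": "bb@example.com"},
    ],
    "opportunities": [
        {"id": "o1", "customer_id": "c1", "title": "Logo redesign", "value": "4500"},
        {"id": "o2", "customer_id": "c2", "title": "Trailer edit", "value": "12000"},
    ],
    "tasks": [
        {"id": "t1", "opportunity_id": "o1", "description": "Send quote", "done": "false"},
        {"id": "t2", "opportunity_id": "o2", "description": "Review footage", "done": "true"},
    ],
}


def export_basic_list(crm):
    """The lossy export described in the post: a flat customer list with no related records."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["name", "email"])
    writer.writeheader()
    for customer in crm["customers"]:
        writer.writerow({"name": customer["name"], "email": customer["email"]})
    return out.getvalue()


def export_full(crm):
    """Portable export: one CSV per table, with ids and foreign keys kept so relationships survive."""
    files = {}
    for table, rows in crm.items():
        out = io.StringIO()
        writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)
        files[f"{table}.csv"] = out.getvalue()
    return files


def import_full(files):
    """Rebuild the tables from a CSV bundle produced by export_full()."""
    crm = {}
    for filename, text in files.items():
        table = filename[: -len(".csv")]
        crm[table] = [dict(row) for row in csv.DictReader(io.StringIO(text))]
    return crm


def opportunities_for(crm, customer_name):
    """Walk the foreign keys customer -> opportunities -> tasks.

    Returns a list of (opportunity title, [task descriptions]); this is exactly the
    information a basic customer list cannot give back.
    """
    ids = {c["id"] for c in crm["customers"] if c["name"] == customer_name}
    result = []
    for opp in crm["opportunities"]:
        if opp["customer_id"] in ids:
            tasks = [t["description"] for t in crm["tasks"] if t["opportunity_id"] == opp["id"]]
            result.append((opp["title"], tasks))
    return result


def portability_check(crm):
    """True if the full export round-trips with every record and relationship intact."""
    return import_full(export_full(crm)) == crm


if __name__ == "__main__":
    print("basic export:\n" + export_basic_list(SAMPLE_CRM))
    print("full export files:", sorted(export_full(SAMPLE_CRM)))
    print("round-trip intact:", portability_check(SAMPLE_CRM))
    print("Acme Studio pipeline:", opportunities_for(SAMPLE_CRM, "Acme Studio"))
```

The basic export contains the names and e-mail addresses and nothing else; the opportunities and tasks, and the ids that connect them to a customer, are simply gone. The full export is plain CSV, yet because every table keeps its `id` and foreign-key columns, `import_full()` reconstructs the same structure and `opportunities_for()` still works on the re-imported data. When evaluating a provider, ask for a sample export and apply the same test: if related records or their linking ids are missing, you are looking at Loss of Portability.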
Loss of Identification means you are unable to assert your rights to your data. This could happen, for example, if you were to lose an encryption key code or a physical key dongle. Loss of Identification can also happen due to the death or incapacitation of the user. In that case, is a family member or business partner able to obtain full or limited access? Another example is if your cloud service provider subsumes your intellectual property rights, such as to photos, movies or music on a social media website, or books or screenplays on a reviews website. Also in this, admittedly somewhat eclectic, category is deletion of an account by the owner who later has second thoughts. Some cloud service providers place your account in a “quarantined” or suspended state for a period of time, with the ability to reactivate the account if you so choose.
4. Your information is used against you or others.
This section briefly discusses the threat of your data being used against you or those close to you as a result of being accessed by law enforcement, government agencies, and litigants in civil lawsuits. I promise this is not the paranoid aluminum foil hat section. Read on.
Cloud data is different from local data. The Fourth Amendment prohibits unlawful search and seizure and requires a judge to grant a search warrant. Data on a user’s hard drive has the full protections of the Fourth Amendment; however, data voluntarily transferred to a third party, in this case a cloud service provider, may lose this shield and be used in a number of potentially damaging ways.
With the revelations of Edward Snowden, it is clear that government agencies have the ability to monitor Internet traffic and data at internet service providers. It is a chilling Orwellian thought that a creative entrepreneur who was creating art, film, or software that might be counter to certain interests could be monitored through their electronic lives. For the vast majority of people and uses this is only a theoretical, not an actual, threat but one you should consider in your own situation.
A more common concern is that cloud data could easily be subpoenaed in a civil lawsuit. This might be in regards to a business related dispute with a client or vendor, but in the creative professions this could also be a dispute about intellectual property, royalty sharing, or digital assets. Companies are often required to comply with “eDiscovery” requests that force them to turn over e-mails and other electronic documents related to the civil dispute. If information is particularly sensitive the creative entrepreneur should have the highest level of control over that information and a cloud-based repository may not be appropriate.
How to choose a cloud provider that will keep your information safe?
There are two paths to finding a cloud service provider that will keep your information safe. The first is looking to see if your cloud service provider has information security certification such as ISO‐27001, has passed a security audit such as SSAE 16, or qualifies for seals such as those from TRUSTe. The second is asking key questions of your cloud service provider and evaluating the answers based on your situation. I suggest you do both.
The best source of questions I have found to ask your cloud provider comes from a group of thoughtful and distinguished industry experts at a retreat held by the Consumer Federation of America in 2010 that produced a document Consumer Protection in Cloud Computing Services: Recommendations for Best Practices that is available here, and from which I have reproduced the two relevant appendices below.
We come to the end of another post. Just to review this post discussed the 4 major Information Security threats facing creative entrepreneurs and how to select a trustworthy cloud service provider. A future post (Part 2) will focus on the other side of the coin: Information Privacy.
The remainder of this post is derived from the Appendices in the Consumer Protection in Cloud Computing Services: Recommendations for Best Practices from a Consumer Federation of America Retreat on Cloud Computing, November 30, 2010. Please download the full report, but for your convenience I have reproduced the 2 Appendices below. Find it at this web address: http://www.consumerfed.org/pdfs/Cloud-report-2010.pdf
Appendix A: Best Practices in Disclosure for Business‐to‐Consumer Services
*Answers to the questions provided are illustrative.
- What is the cloud service provider’s business model?
  - “We charge consumers a fee for this service.”
  - “We serve advertising based upon consumers’ interests in exchange for the service”
  - “We analyze consumers’ information in order to serve advertising based upon their interests”
- What entity actually provides the cloud service?
  - “We provide it directly”
  - “We provide it directly, and use the following subcontractors…”
  - “We subcontract all services to…”
- Is consumer content or transactional data shared? If so, with whom? What choice mechanisms are in place?
  - “Yes, we share information with affiliates, and you can opt out by X”
  - “Yes, we share information with third parties, and you can opt out by X”
- Is consumer content or transaction data used for purposes not required for the technical operation of the service?
  - “Yes, we use content/transaction data to target advertisements”
- Is the provided service a private or public cloud?
  - Private cloud: the service is provided by a single entity
  - Public cloud: many consumers may be using the same service
- What data can the consumer export and in what format?
  - The consumer can export all data that the user provides in standard formats, including csv, txt, xls.
  - The consumer can export data only in proprietary formats
- Will users be notified of security breaches?
  - Yes, according to the law of [jurisdiction]
- Will the consumer be promptly notified if there is a law enforcement or civil request for data about the consumer?
  - Yes, if we are legally able to notify users.
- In what jurisdiction are the data stored?
  - [list of one or more countries]
  - [indicate whether user or service has discretion to select storage locations]
- What jurisdictions’ laws govern the privacy and security aspects of the cloud providers’ services, and what is the relevant consumer protection authority?
- What procedures are followed when closing accounts?
  - We will give consumers 30 days of access before closing their accounts for non-payment
  - In the event of discontinuance of service, we will give consumers 30 days of access to extract data
- Who is responsible for consumer and privacy issues and what is their contact information?
  - Name responsible employee and provide contact information
Appendix B: Sample Disclosure (from cloud service provider)
We provide services to you for a fee.
We own and operate the equipment for this cloud service.
We do not share content or transactional data with third parties.
We only use content and transactional data for purposes required for the technical operation of the service.
You can export data uploaded and generated on this service in standard formats, including csv, txt, and xls.
If possible, we will notify you if another party requests data or information about your use of this service.
Your service level is a private cloud, meaning that we are using a dedicated infrastructure for your services.
Our cloud operates in the following countries: the USA and Canada.
Our cloud services are governed by the laws of the USA and Canada and by the following regulators:
U.S. Federal Trade Commission
Privacy Commissioner of Canada
If we become aware of a security breach, we will inform you of it consistent with the law of California.
In January 2010, our service was certified as compliant with ISO‐27001/2 by our auditor.
In the event of a termination of our services, or nonpayment on your account, we will give you notice and 30 days to export data from our cloud.
Our privacy and security contact is:
Joan A. Privacyofficer
1 Embarcadero Center
San Francisco, CA 94001
(415) 555‐1212 email@example.com