Recently, hackers managed to erase the online life of a US journalist. They were able to do this by exploiting two major points of weakness.
Firstly, the journalist had everything stored in the cloud and accessible through a single gateway. Secondly, the hackers were able to successfully talk their way past the two cloud service providers’ security controls, giving them open entry to the journalist’s entire digital life. To make matters worse, the writer had not backed up any of his information.
It would be easy to dismiss this story as an example of individual error and oversight. But does that mean it can’t happen to you? Is a business of ten, a hundred or a thousand people any better protected or prepared for the new vulnerabilities introduced by the cloud?
Gartner’s 2012 Information Technology Predictions lists cloud computing as a maturing technology, one of the four main forces currently transforming the information technology landscape. In the face of such breathless enthusiasm and hype, it can be easy for businesses to be swept away before properly understanding the advantages and potential business risks.
The term “cloud” refers to applications, infrastructure and platform services. For information management professionals, particularly in mid-market firms, the cost, convenience, flexibility, scalability and storage advantages of the cloud can prove irresistible. Firms or those with an increasingly mobile workforce have a lot to gain from storage applications that can be accessed easily from anywhere.
All this good stuff should be set against the potential risks introduced by cloud-based storage. For example, if your company stores large volumes of information in the cloud, moving that data to and from the cloud can take time and requires substantial bandwidth capability.
Security is, somewhat appropriately for a concept named cloud, a rather grey area. Cloud storage often means your data is downloaded onto a physical disk or server and moved around among and alongside other organisations’ data.
Often you have no idea where it is at any moment in time or even under which country’s data protection legislation it falls. What would you do if your cloud provider went out of business or suffered from a cyber-attack? How about a power cut or hardware failure? What measures are in place to prevent data corruption, or to recover data that has been corrupted?
None of this means you should avoid the cloud; it simply means that you should understand the risks and do what you can to mitigate them.
The key is to build robust and secure information management systems that blend emerging and established methods. Such a blended approach has a lot to offer firms looking to harness the potential of cloud services.
A good way of explaining this is to consider the “Second and third laws of computing” as defined by Guardian journalist Jack Schofield. The second law states that “data doesn’t really exist unless you have two copies of it.” In business terms this translates to: “don’t stop using back-up tapes.” Reliance on a single cloud solution could leave your firm dangerously exposed if anything goes wrong. Back-up tapes, stored securely off site, will protect your business from irretrievable data loss.
Tape is also ideal for storing sensitive data you don’t want to see floating freely around the cloud. Schofield’s third law states that, “the easier it is for you to access your data, the easier it is for someone else to access your data.”
As illustrated in the above example, the cloud exposes new vulnerabilities in terms of data control, so highly sensitive information such as intellectual property or share-price sensitive items may best be kept out of the cloud and stored securely on tape.
Thirdly, tape is ideal for providing the security, reliability and longevity of data needed for legal compliance and business continuity. It enables your business to keep going should your internet access be cut off, regardless of whether this is caused by criminal master-minds intent on global cyber-domination or the builders down the road accidentally drilling through your power cable.
As part of Iron Mountain’s commitment to corporate information responsibility – an international campaign for the ethical management of information – we are passionate about helping organisations of all sizes to protect and make the most of their data.
The cloud offers so much, but does not absolve users of their data management responsibilities. The best advice we can give is to embrace the potential but protect with the proven. Keep some of your eggs, and copies of the rest, securely tucked in your own basket.
Christian Toon is head of information risk at Iron Mountain Europe.