The NSA, the Cloud and Our Reptilian Behavior

When I do a presentation about the cloud, one of the first questions I know I’ll face from any IT person relates to security. “Why should I trust you? How can I trust the cloud? Who are you, anyway?”

When it comes to security we are still very much reptilian: we tend to trust what’s close to us, people we know, what’s inside the group, inside the nest, inside the firewall. We prefer to trust Bob, the guy responsible for the company backups, rather than send our data out on AWS S3. We think, “Why would Bob screw us? I was just at his wedding, what a great guy he is.” While you’ll hear lots of rationalised arguments about why data is safer within the organisation, at the core of this claim there is actually very little that’s rational.

The example I like to use to illustrate this is close to me, geographically at least. This story, a story that would be considered too extravagant to make a decent movie, recently sent an electroshock through the Swiss federal administration.

The story starts in 2012 when a banker at a random branch office received a guy who wanted to know whether he could open a “numbered bank account.” Oh, it wasn’t for him, it was … say … for his mother. After the banker told him those things only existed in James Bond movies (sorry for the spoiler), the banker went beyond his call of duty and warned the police about the strange request he had received from the guy. Good call. It turns out the guy was working for the Swiss Secret Services (think local CIA/NSA) and part of his duty was to be responsible for the…backups. This gentleman was pissed after recent management changes, pissed at his new boss, so he had decided to teach those guys a lesson and steal some data. It turns out he had been able to leave the Federal building with complete unencrypted backups of the secret services, including intelligence shared by friendly countries, and had started negotiating with foreign intelligence in order to sell them those backups. Easy. If it hadn’t been for the leak from that banker (and probably a certain lack of street-smart cred from Mr. Backup), the Swiss secret services would not have detected anything until it was too late. Unique example? Just Google for similar stories, including the stolen data on 24,000 HSBC accounts or the stolen data on Swiss bank accounts officially bought by Westphalia (German region). Examples are numerous.

The bottom line is that this is not about being “inside” or “outside,” it is not about Bob doing the backup locally vs. storing data in AWS S3, it is about applying the right tools and the right processes. If you think your company is safe just because it is not using the cloud, you are hiding behind your little finger.

So, what’s the relationship between all of this and the PRISM drama? Well, I think we are making the same mistake with PRISM that we are making with security in general. You think your company data is not safe from the government’s oversight simply because it sits in the cloud? Well, then, tell me: were the United Nations and the European Parliament cloud bigots? Certainly not. Is your IT going to suggest that your sales guys should stop using phones? I guess not.

If anything, PRISM reminds us that being secure is not something you are just by virtue of staying “inside.” If you didn’t get the memo yet, there is no INSIDE anymore. Data flows everywhere, data has to flow to be useful, and the good old boundaries of in vs. out are legacy; the next mobile application IT will roll out to your sales force will be as useful as Tetris if it can’t use internal data. This is the 21st century, the data genie is already out of the bottle: you’ll only get secure by applying the right tools and the right processes, not by merely trusting Bob and keeping your data under your desk. Sorry.

If I had to choose, I’d rather not have to trust Bob (and the server in our basement with a “sensitive data” sticker on it). I’d rather host my files replicated in multiple data-centers, spread over a dozen different storage racks, fully anonymized, in data-centers that would also be hosting data for tens of thousands of other companies. Our job would then be to apply security best practices, covering topics such as strong encryption and key management. The cloud would then become an integral part of the solution; it wouldn’t be the problem anymore.

Sacha Labourey

Sacha Labourey is the former CTO of JBoss, Inc. He was also co-general manager of middleware after the acquisition of JBoss by Red Hat. He ultimately left Red Hat in April 2009 and founded CloudBees in April 2010. Follow Sacha on Twitter.