  1. #1
    A FUN TITLE asmo's Avatar
    Join Date
    May 2012
    Location
    Douglas County (Parker)
    Posts
    3,446

    Well, since this is what I do for my day job I guess I should answer. However, the answer is: 'it's complicated'.

    First and foremost - if you're just storing a couple of photos and some MP3s out there then you are probably just fine. There is some basic security in the anonymity of being one of a billion people with your boring junk out there. Even if you were 'hacked' what would you lose? Weigh the risk of all your data stored out there either suddenly being gone - and/or all your data out there suddenly becoming very very public.

    All that said, if you are a business moving your applications and customer data out to 'the cloud' then you have a TON more risk - and this is where the increase in system complexity becomes the #1 issue. By moving your applications to the cloud you offload the complexity of the system to a 3rd party. Those 'cloud' systems are incredibly complex to set up and maintain - and your applications become just 1 of a million that the cloud owners are trying to manage. As a result your system is no longer 'special' - you are just lumped in with the general optimizations. This is a hacker's Disneyland since if you pop one system you, in many cases, pop them all.

    Further, that 3rd party, in almost all cases, says that 'security' is not their issue. For example, the following is a summary of the most salient findings from a recent study of cloud computing providers:


    • The majority of cloud computing providers surveyed do not believe their organization views the security of their cloud services as a competitive advantage. Further, they do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers.


    • The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.


    • Buyer beware – on average providers of cloud computing technologies allocate 10 percent or less of their operational resources to security and most do not have confidence that customers’ security requirements are being met.


    • Cloud providers in our study say the primary reasons why customers purchase cloud resources are lower cost and faster deployment of applications. In contrast, improved security or compliance with regulations is viewed as an unlikely reason for choosing cloud services.

    Again, this is for businesses putting their applications and customer data into the cloud. If it's just you and your MP3s and a couple of pictures - who cares.

    Me personally I would never store anything sensitive in the cloud unless it was encrypted by me first. This is my advice to billion dollar customers and the agencies I consult for: pretend the data stored and operating in the cloud is completely public and base your security processes on that concept.
    What is my joy if all hands, even the unclean, can reach into it? What is my wisdom, if even the fools can dictate to me? What is my freedom, if all creatures, even the botched and impotent, are my masters? What is my life, if I am but to bow, to agree and to obey?
    -- Ayn Rand, Anthem (Chapter 11)
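
The "encrypted by me first" advice in the post above, sketched as an added example (not part of the original thread or any poster's code): AES-256-GCM in Go with the key held only on the client and the storage name bound as associated data, so a blob that is modified or served under a different name fails to decrypt. The function names, object names and sample data are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newAEAD(key *[32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:]) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the client; objectName (the storage path) is authenticated but not encrypted.
func Seal(key *[32]byte, plaintext []byte, objectName string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce for every upload
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Uploaded blob layout: nonce || ciphertext || tag
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open verifies and decrypts a downloaded blob; any change to blob or name is an error.
func Open(key *[32]byte, blob []byte, objectName string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, fmt.Errorf("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(objectName))
}

func main() {
	var key [32]byte // constructed demo key; a real key stays off the provider
	rand.Read(key[:])
	blob, _ := Seal(&key, []byte("constructed sample data"), "backups/taxes.pdf")
	_, err := Open(&key, blob, "backups/other.pdf") // provider returned the wrong object
	fmt.Println("swap detected:", err != nil)
}
```

Only the output of `Seal` is uploaded; the provider sees the object name and the blob length, nothing else.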

  2. #2
    Fallen Member
    Join Date
    May 2010
    Location
    Smyrna, GA
    Posts
    6,748

    This^ +1

    Essentially, do NOT put anything on the cloud you do not want every Russian hacker, identity thief, local thug and every law enforcement official to read.

    For the sake of safety, consider: "for every security measure, there is a 'bypass' for it."
    There might not be one today... but there might be one tomorrow.

  3. #3
    Sits like a bitch
    Join Date
    May 2009
    Location
    Unincorporated Douglas County
    Posts
    3,527

    Quote Originally Posted by asmotao View Post
    Well, since this is what I do for my day job I guess I should answer. However, the answer is: 'it's complicated'.
    Great answer!

    I don't always trust them for "sensitive" information. But for mundane routine backups it's great. We always have a local and a cloud backup. It is very dependent on the provider too. Do you trust some new upstart with the only copies of your children's photos? Or your tax return? If you were an enterprise customer you could use a company like StorageTek (Oracle), do I trust them... yes.

    Check out Jungledisk, works good for backup; not necessarily "high availability cloud storage" though.

    DropBox is pretty cool, and pretty free for cloud storage with easy access from any PC or your phone. (shoot me a PM and I'll send you an invite, they then give me extra storage. You can then invite others and you gain more storage.)

    Cheers,

    Delfuego
    If your post count is higher than your round count, you are a troll.
