Is my data secure in the cloud?

31 10 2011

There is increasing acceptance and use of cloud computing products and services. I’m a big fan of software applications such as Google Docs and Dropbox. These tools allow me to store, organize, and collaborate on files. Instead of sending them by email, which is difficult with large files, I am able to store my files in the cloud and access my data anywhere at any time. I don’t really need portable memory or to carry my laptop in order to access my information or back up my data (the cloud does it for me). But what if I need to store more confidential information? Should I save my tax returns, financial information such as bank statements, or private correspondence with friends and family in the cloud?

Recently, in June 2011, Dropbox had a security breach in which a failure in their authentication mechanism allowed access to files without the use of a password for about 4 hours. According to the company, the problem was caused by a “code update” that “introduced a bug affecting the authentication mechanism.”

I wonder: if I had stored sensitive personal information that was compromised or lost, would they be responsible for it? What protection do I have as a user of their services? In order to answer these questions, I reviewed their Terms of Service and Privacy Policy, and I found some interesting things I would like to share.

Terms of Service

Google has the license to reproduce, modify, translate, publish, publicly display and distribute the content which I submit, post or display using their services. Also, my content could be sent to third party companies.

Google does not guarantee that the use of their services will be timely, secure or free from error, and states that I am solely responsible for any loss of data that results from the download of any material obtained through their services.

Similarly, Dropbox indicates I am solely responsible for any loss or corruption of my “stuff” (data), and if I want to protect the transmission of my data it is my responsibility to use a secure encrypted connection to communicate with their services. Should Dropbox enforce HTTPS on every page?

Privacy Policy

Google, as well as Dropbox, generally uses third party companies to process personal information. So other companies end up having access to my personal information.

Google and Dropbox indicate that in case of a merger or acquisition, my personal information could be transferred and become subject to a different privacy policy.

Dropbox uses persistent cookies to save my registration ID and login password for future logins. Since these cookies aren’t marked as secure (HTTPS only), will it be safe to use Dropbox on an unencrypted or WEP wireless network?

In conclusion, it seems that they are not responsible for any losses of data, business or profit damages as a consequence of malfunctioning. Is that fair?
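An added example (not from the original post, and not Dropbox's own code): a small Python audit of `Set-Cookie` response headers that flags the condition the question above describes, a persistent cookie sent without the `Secure` attribute. The cookie names and values are constructed samples.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), attrs


def audit_cookie(header):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    findings = []
    persistent = "expires" in attrs or "max-age" in attrs
    if "secure" not in attrs:
        findings.append("no Secure flag: sent over plain HTTP, readable on open or WEP Wi-Fi")
        if persistent:
            findings.append("persistent: stays exposed across browser restarts")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by page scripts")
    return name, findings


def audit_response(headers):
    """Audit every Set-Cookie header; return {cookie name: findings} for flagged cookies."""
    report = {}
    for header in headers:
        name, findings = audit_cookie(header)
        if findings:
            report[name] = findings
    return report


# Constructed sample headers (hypothetical names and values).
SAMPLE_HEADERS = [
    "login_id=abc123; Expires=Wed, 31 Oct 2012 00:00:00 GMT; Path=/",
    "session=xyz789; Path=/; Secure; HttpOnly",
    "prefs=dark; Max-Age=31536000; Secure",
]

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_HEADERS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

The same functions can be pointed at the `Set-Cookie` headers captured from any service you use, for example from the browser's developer tools.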

Who is responsible for the security?

According to a study on the security of cloud computing providers performed by Ponemon Institute and sponsored by CA Technologies (published in April 2011), it is important that cloud users be educated about the need to evaluate cloud applications and choose the ones that give greater security mechanisms to protect their data.

The study was conducted in the U.S.A. and Europe and included the current cloud user community as well as the cloud provider community. One of the questions was: who is more responsible for ensuring the security of cloud resources? Among cloud providers, 69% indicated that the customer, not the provider, is responsible for securing the cloud. According to the users, the responsibility should be shared between the cloud provider and the user. The following chart demonstrates the answer to the question:

Source: Ponemon Institute (Security of Cloud Computing Providers Study)

“Security in the cloud is a joint responsibility and cloud users and providers should consider the importance of working together to create a secure and less turbulent computing environment.” (Ponemon Institute – Security of Cloud Computing Providers, page 15).

Security of Cloud Computing Providers Study, Independently conducted by Ponemon Institute LLC

Publication Date: April 2011 Sponsored by CA Technologies.



