6 May 2018
For many years, there were voices expressing concern over “safety”, “security”, and whatnot with regard to cloud computing. To me those concerns seemed to come from people who hadn’t touched any machinery in a long time, because it is almost always much easier for an insider to commit a serious data breach than for third parties to steal your data in the cloud. At least by an order of magnitude, is my guess. Alas, you are not supposed to say that out loud, but now you know my bias. Much less should you suggest actually testing those internal security hurdles, lest you find out something disconcerting…
Most recently, the Equifax breach seems to have flared up this discussion again. If nothing else, it has raised awareness about the sensitivity of data – probably a good thing. 143 million people saw their SSN, birthdate and address compromised, and with “just” those pieces of information you can do a lot of damage. A major reason why these risks play up more in the US than elsewhere is that there is such a lively trade in secondary data sources that criminals can leverage, and also that the use of the SSN as a business key is so widespread and convenient for those of bad faith. This structural phenomenon was well documented and analyzed by Simson Garfinkel in his excellent book “Database Nation” (2000). Garfinkel continues to write and speak on these topics.
Identity theft or identity takeover has been a considerable problem, most prominently in the US. In 2016 this amounted to a reported $16 Bn loss, affecting over 15 million consumers. That’s the damage to consumers. Corporations incur huge brand equity and settlement losses, and this affected the likes of Yahoo, LinkedIn, Apple, Microsoft, all seasoned IT/cloud-aware organizations (see e.g. this overview of infamous cloud breaches). Only the most ignorant can hope to be safe… Or as Jerry Weinberg famously said: a crisis is often merely the end of an illusion.
Safety and security are part of the services you buy when you work in the cloud – you still need to think about them, but it will give you far fewer headaches. The cloud itself is pretty safe, and the fact that molochs like AWS, Azure and GCS need to make “safety” their primary business more or less guarantees that the best and brightest stay on top of it. It’s not the technology, but rather the people who are the weakest link. If you buy into that notion, then it becomes clear that governance, enforcing a company-wide security policy and awareness raising need to be –and stay– on (senior) management’s agenda.
Relying on the technical opportunities of cloud computing implies that “security service” can be purchased (rented, rather). More importantly, less overhead means you can develop faster and be more nimble as a corporation. It’s hard to quantify the value of those opportunities, but I find it telling that Jeff Bezos, who essentially turned Amazon around, conquering the cloud market by storm, is now the richest man on the planet.