Why you shouldn’t trust cloud service providers

Oct 16, 2015 · 5 mins
Cloud Security, Data and Information Security

It’s hard enough really trusting your own employees these days. So when it comes to employees of cloud service providers, columnist Rob Enderle writes you definitely shouldn’t trust them.


Simply stated, you can’t trust the employees of cloud service providers. Frankly, I don’t think we can really trust our own employees anymore either, but at least our capability to monitor them is far greater. Early on we had warnings of the problem of just anyone having access to secure data when Google engineers got caught stalking Google customers through their access. The odds of their getting caught and our finding out about it were pretty remote. I’ve seen, over the years, crimes ranging from theft to sabotage that result in the employee’s termination when caught, but never result in any external report.

We currently exist in a world where nation states like China and Russia are aggressively probing data repositories, and these cyber spy organizations aren’t particularly secure either, suggesting that where the states go, criminals will follow. The easiest way in remains getting access to an employee’s credentials or getting the employee to pull the information like Snowden did.


Given the massive value put on this information and the tools a state could use to either phish or coerce an employee to provide access to it, I believe it’s time to seriously start thinking about reviewing cloud services and ranking them based on whether they can protect your data from themselves.  

Protecting data from governments

One of the clear areas being attacked is communications servers. This is particularly visible at the moment with the disclosure that Hillary Clinton, the Democratic candidate for U.S. President, used a private email server, and that this server was likely compromised because it wasn’t adequately protected. Given the Snowden disclosures, it is as yet not clear whether this information would have been effectively more secure inside the government. (It strikes me with some irony that, given the government leaks, it is possible her email server could have been made more secure than the government solution, but that clearly wasn’t done.)

Communications have broad exposures that can cripple a company or a country if they are made available to those without the authority to view them. IT employees either inside or working for a cloud service provider should never have the authority to broadly view communications and yet, as we learned from the Snowden breach, this is far from where we are today.

Ideally, the communication should be encrypted adequately (per policy or law) at the source and only decrypted by the people authorized to view the correspondence. Certainly with a cloud provider the encryption should occur and be adequate to protect the package when it leaves the company and remain encrypted and inaccessible until it returns.

At no time should a cloud service provider, either accidentally or on purpose, be able to successfully read a secure file in their care.
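The arrangement described above, as an added example that is not part of the original column: a message is sealed with AES-256-GCM inside the company before upload, so the provider's store holds only ciphertext, the firm can still decrypt for its own analysis, and any provider-side modification makes decryption fail. The names `NewFirmAEAD`, `Seal` and `Open`, the message ID and the sample message are assumptions made for illustration; key storage and rotation are out of scope.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NewFirmAEAD builds AES-GCM from the firm-held key (32 bytes selects AES-256).
func NewFirmAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs inside the company and returns nonce||ciphertext||tag for upload.
func Seal(aead cipher.AEAD, plaintext, msgID []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, msgID), nil // msgID is authenticated, not encrypted
}

// Open runs only where the firm's key lives, e.g. for analytics or discovery.
func Open(aead cipher.AEAD, blob, msgID []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob shorter than nonce")
	}
	return aead.Open(nil, blob[:n], blob[n:], msgID)
}

func main() {
	key := make([]byte, 32) // constructed demo key; in practice never leaves the firm
	rand.Read(key)
	aead, _ := NewFirmAEAD(key)
	msg, id := []byte("Q3 acquisition terms attached"), []byte("msg-001") // constructed sample
	stored, _ := Seal(aead, msg, id) // the only bytes the provider ever holds
	fmt.Println("plaintext visible to provider:", bytes.Contains(stored, msg))
	pt, err := Open(aead, stored, id)
	fmt.Println("firm decrypts:", string(pt), err)
	stored[20] ^= 1 // simulate a modification made on the provider side
	_, err = Open(aead, stored, id)
	fmt.Println("after tampering:", err)
}
```

Binding the message ID as associated data also means a stored blob cannot be silently swapped for another message's blob without the firm's decryption failing.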

Analytics is a problem

The big problem as I see it is analytics and compliance. The firm itself needs to be able to analyze the secure information both to catch and identify illegal activities going on inside the company and to effectively respond to legitimate discovery/access requests. If this can’t be done, the firm could be forced to either remove the security or create a permanent back door for access, either of which would eliminate any value connected to the encryption in the first place.

This suggests two approaches: one where the service resides in the cloud in encrypted form but inside the company in a form that can be analyzed, or one where the service resides completely in a secure virtual pod that only the firm can access but that provides the headroom needed to serve both the communications requirement and whatever analytics and reporting functions are required by policy and law.

In fact, as I think about it, the pod/container approach should likely exist in the company as well to better protect against internal illicit activities. And once contained in a virtual pod, moving it between cloud service providers or even between on and off premises should be relatively easy.

It goes without saying that all of this should be wrapped with some kind of access control and assurance offering because no container is secure if the folks that are accessing it can’t be monitored and assured.  

It’s time to rethink security

You shouldn’t have to trust an employee at a cloud service provider. Given the current environment, even assuring your own people is problematic, but given the attractiveness as a target and the attack surface of a cloud provider, there really is no practical way to assure their employees (and, if you can’t assure their employees, you can’t assure their security).

So, instead, focus on making sure no one can access your confidential information without authorization regardless of whether it resides inside or outside the company. Then assure that those authorizations are tightly managed and monitored, and then maybe you can argue, for now, that your security over that information is adequate.

At least with this approach you can focus on the availability, performance and price of a cloud provider and be a tad less concerned with what is happening to the information that they are holding for you. Though, granted, this alone may not protect you from laws preventing certain types of information crossing national borders.  

This all reminds me why I am so glad I’m not a CIO. The worry would have killed me by now.


Rob Enderle is president and principal analyst of the Enderle Group, a forward looking emerging technology advisory firm. With more than 25 years’ experience in emerging technologies, he provides regional and global companies with guidance in how to better target customer needs with new and existing products; create new business opportunities; anticipate technology changes; select vendors and products; and identify best marketing strategies and tactics.

In addition to IDG, Rob currently writes for USA Herald, TechNewsWorld, IT Business Edge, TechSpective, TMCnet and TGdaily. Rob trained as a TV anchor and appears regularly on Compass Radio Networks, WOC, CNBC, NPR, and Fox Business.

Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group. While there he worked for and with companies like Microsoft, HP, IBM, Dell, Toshiba, Gateway, Sony, USAA, Texas Instruments, AMD, Intel, Credit Suisse First Boston, GM, Ford, and Siemens.

Before Giga, Rob was with Dataquest covering client/server software, where he became one of the most widely publicized technology analysts in the world and was an anchor for CNET. Before Dataquest, Rob worked in IBM’s executive resource program, where he managed or reviewed projects and people in Finance, Internal Audit, Competitive Analysis, Marketing, Security, and Planning.

Rob holds an AA in Merchandising, a BS in Business, and an MBA, and he sits on the advisory councils for a variety of technology companies.

Rob’s hobbies include sporting clays, PC modding, science fiction, home automation, and computer gaming.

The opinions expressed in this blog are those of Rob Enderle and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
