Versions Compared

Old Version 2

changes.mady.by.user Jason Ragland

Saved on

compared with

New Version 3

changes.mady.by.user Jason Ragland

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Warning
titleIf you don't read anything else, read this...

Security, privacy, and reliability concerns abound with cloud services. You should consider very carefully the security and privacy implications before becoming reliant upon cloud services. Ask questions. What is their business model? Do they have a history of poor security or privacy issues? How long have they been in business - how stable are they?

Data mining and advertising

...

Security is sometimes an afterthought. Some cloud services, especially storage services, have a history of poor security implementations and compromises. Security is not an important criteria for them; it gets in the way of their business model. Some of the more significant risks posed by cloud services in general are:

  1. Exposure of customer data through a security breach or incompetence on the part of the cloud service provider
  2. The cloud provider sharing customer data with business partners, law enforcement agents, or governments
  3. Employees of the service provider having the ability to access the service in an unauthorized manner or customer data for any reason without express permission (see the next section for examples)
  4. The cloud service provider blatantly lying about the above or other security measures claimed
  5. Loss of data or loss of access to data due to failure of the cloud service
  6. Unintentional sharing of sensitive data through poor design decisions on the part of the cloud provider such as sharing items by file name or data deduplication practices (which also reveal that the vendor has access to the data)
  7. Faulty authentication mechanisms that may allow attackers persist access to data even after typical compromise remediation steps
  8. Man-in-the-middle attacks that compromise the encrypted communications between clients and the cloud service
  9. Malware or phishes that manage to obtain account credentials

...

These policies all reveal that the vendor, regardless of any claims to the contrary or use of encryption, has the ability to decrypt and access any stored data whenever they deem it is deemed necessary.  Such services are not appropriate for use with Category I data in their default configuration. There may be account configuration options that provide enhanced encryption, such as the use of user generated keys with CrashPlan for example.  The downside is that, while these options increase security and may protect the data from the vendor, they invariably make the service harder to use and may break some components of the service (e.g. mobile clients in many cases).

...