2

By secure, I don't mean the machines themselves and access to them from the network. I mean, and I suppose this could be applied to any kind of hosting service, when you put all your intellectual property onto a hosted provider, what happens to the hard disks as they cycle through them? Say I've invested million into my software, and the information and data that I have is valuable, how can I be sure it isn't read off old disks as they're recycled? Is there some kind of standard to look for that ensures a provider is going to use the strictest form of intellectual property protection? Is SAS70 applicable here?

Rhubarb

4 Answers

3

If you've invested that much into your software, buy your own servers and co-locate them somewhere that you have control over. Servers aren't that expensive in relation to a development effort of that magnitude.

If you have something sensitive, keep it in an environment you control.

Justin Scott
  • Good point. Now what if I didn't invest that much. What if I just want to be sure of its safety. Is there a procedure that is standard for dealing with what I've described above? – Rhubarb May 30 '10 at 01:21
  • 1
    Yes, run it in your own environment. There's a reason that cloud environments are generally considered unsuitable for sensitive things like e-commerce applications that handle live credit card data. You can't secure what you don't control. If you must use an outside provider, work the level of security you require into your contract. There is no be-all end-all standard line item to look for on a checklist of features they offer. – Justin Scott May 30 '10 at 05:10
2

When you control the physical environment, you have the ability to control the security of the environment completely, limited only by your ability and wallet.

In a cloud environment, it is different -- your only way to control the security of your piece of the environment is via legal contract. That's both good and bad... think email. On the one hand, Google or Microsoft isn't going to negotiate terms with you, you have to take or leave the terms of service. On the other, a professionally run, Fortune 10 organization has the resources to run a really secure environment.

I'm not an attorney, but based on conversations that I've had with attorneys, another issue is that legally, many of the US laws relating to custody of data (i.e. situations involving e-discovery, subpoenas, etc.) hinge upon the physical location of your data. So if you are in an industry where litigation is an issue, you may have to retain counsel in another state or country to deal with e-discovery.

You need to think about your requirements real carefully, and take SAS-70 or other certifications with a grain of salt. There are no standards that will address all concerns.

Things that I would consider:

  • Are you in an industry where litigation (or labor arbitration, etc) is common, or is your company at risk of being sued?
  • Are you handling sensitive data? PPSI? Health data? Banking data? Trade secrets?
  • Are you a custodian of other people's data?
  • Are you large enough (or are your providers flexible enough) to customize contractual arrangement or terms of service to meet your unique needs?
  • Is it cost effective for you to move non-sensitive data to the cloud, while keeping the key stuff in a secure environment elsewhere?
  • Are you in a regulated industry?
  • Are your customers subject to privacy laws or data leakage disclosure laws? (e.g. the EU, many US states)

Don't be scared away, just make sure that you understand what you are required to do, and what the implications of a cloud environment are. In many cases, you might be more secure in the cloud than if you rolled your own!

duffbeer703
  • great point about the physical location, and also remember that it's also about ownership of the hardware. Currently (to the best of my knowledge and IMNAL) the US considers cloud providers service providers, analogous to the phone company. – Jim B Jun 01 '10 at 14:43
  • Control is the key. When you release it, you cease to control it. Contracts are fine, but can your business bear up under the sometimes less than quick pace of the legal process? Can that provider guarantee that your site, data, etc. will be placed on its own server, or will you share a server with a business or organization that gets hit with a DDoS attack and find your business being impacted? – jl. Jul 14 '10 at 14:11
0

It's all going to depend on the provider. If you were simply hosting your machines at a colo that handled hard drive replacement, you'd have all the same questions... Really, it's the same thing, except with the "cloud" you don't have to worry about the actual hardware.

Call them up and ask their procedures. Read their godawful terms of service agreements, which absolutely cover their responsibility in cases of data breach. Talk to your superiors about how much they want to invest, and then make your choice.

I'd say most of the big boys were pretty reliable, but it really depends on how valuable your data is. "Pretty good" is what most people would have called BP's safety record.

All else fails, you could encrypt the data before you send it to them.

Satanicpuppy
0

I'd suggest trying to control it in two ways: on your end, and on the hosting service you are using.

On your end (it's better to be sure of your own end first):

  • (General) Try to follow all the methods for a secured network and strong passwords at your end.
  • (Specific) For all data you host in the cloud, try to store more of it encrypted (at your end) when it's sensitive to you. This is the one way you can confirm your data's security against forensic attackers on recycled disks.

On the other end:

  • Check all the encryption mechanisms provided and at what levels (network, hard disk) the encryption is made available, and make sure you opt for the most secure encryption policy.

AbhishekKr