Gone are the days when we could assume corporate data was safely snuggled down in the corporate data centre. Today, it's just as likely that it will be stored somewhere in a cloud. And yet more information about your company, its employees, and possibly its customers, is often also scattered hither and yon on supplier and vendor sites, or with their cloud providers.
In the wake of news of yet another data breach, you've got to wonder, though, who can you trust? When a security company – Veeam – accidentally exposes its unencrypted, unpassworded marketing database containing a whopping 445 million records to the open Internet for 13 days before a security researcher came across it and notified the company, and its response is basically, "oops" (its president did admit that they should have done better), there’s reason to be uncomfortable about its general attitude towards data. The company says all the right words (but let's face it, everyone does); actions just didn't match. The CEO's advice to others, according to The Register, was "Don't get complacent."
The cause of the mess was a database move on Amazon Web Services (AWS) in which the destination was improperly configured. Yes, good old "human error". But it's not uncommon. The Register's story noted, "Corporations leaving cloud-based MongoDB databases open for all to see, and discoverable using tools such as Shodan, are not a rare occurrence. Cybercrooks have developed a scam that involves deleting the content of MongoDB databases before charging an extortionate fee for the safe return of data." Multiple hacker groups jumped in on the scam, and some didn't even bother to copy the data they were allegedly holding for ransom – they just demanded cash with the lie that they could restore the deleted database.
In Veeam's case, no data was deleted, but it's almost guaranteed that it was stolen by one or more hacker groups. This may be an expensive "oops", too, since the breach had to be reported to regulatory bodies and there will likely be penalties (especially if GDPR enforcers get involved). Never mind that it was, the company claims, an old, unused database – information was still exposed.
We can't blame this bit of oopsie-ness on the cloud, though. While, yes, a cloud service was involved, all that many companies buy from AWS is the infrastructure – disk space, computing capacity, and network bandwidth. The customer is responsible for managing it. So when that MongoDB is left waving in the breeze, the only people at fault are the corporate IT folks who forgot a few configuration steps when moving the database. The cloud, for all of its benefits, is not idiot-proof.
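As an added illustration (not from the column, and not Veeam's or MongoDB's own tooling) of the "few configuration steps" that get forgotten in a move: a small Python audit of a mongod.conf-style file that checks the two settings which together turn a database move into an open-Internet exposure. The key names are MongoDB's standard net.bindIp, net.bindIpAll and security.authorization; the weak and hardened sample configs are constructed, and the parser is a minimal two-level indentation parser so the script runs without PyYAML.

```python
# Added example: audit a mongod.conf-style fragment for an Internet-facing bind
# combined with authorization left off. Constructed check, not MongoDB tooling.
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}   # bind values that listen on every interface


def parse_simple_yaml(text):
    """Parse 'section:' headers with indented 'key: value' lines into nested dicts.
    Deliberately minimal: enough for mongod.conf's two-level layout, no PyYAML."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:                           # new top-level section
            section = key
            conf.setdefault(section, {})
        elif section is not None:                 # nested key inside a section
            conf[section][key] = value.strip()
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_simple_yaml(text)
    net, security = conf.get("net", {}), conf.get("security", {})
    findings = []
    binds = {b.strip() for b in net.get("bindIp", "127.0.0.1").split(",")}
    exposed = net.get("bindIpAll", "").lower() == "true" or bool(binds & PUBLIC_BINDS)
    if exposed:
        findings.append("net.bindIp listens on all interfaces; restrict to private addresses")
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled; any client reaching the port has full access")
    if exposed and len(findings) == 2:            # the combination the column describes
        findings.append("CRITICAL: reachable from the Internet with no authentication")
    return findings


WEAK_CONF = """\
# constructed: the destination left 'waving in the breeze'
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed: bound to loopback plus a private address, authentication required
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.1.5
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```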
It's also not one size fits all. You can buy anything from basic infrastructure to a complete managed service package that lets you put all of the details in the provider's hands.
But – and this is a huge but – you have to read and understand every word of the infernally long, convoluted contracts and terms of service to know precisely who is responsible for what. Those contracts can be brutal. They are, after all, designed to limit the supplier's liability, just as software terms of service, which often basically say (in reams of legalese), "you agree that even if it's the supplier's fault, it's the customer's problem", are designed to make sure that very little liability can be pinned on the provider.
So, the bottom line is: be paranoid. Spell out the details of who does what in contracts or SLAs, even those nitpicky bits that don't seem important at the time. And, as an experienced CIO (who learned the hard way) recently said, if the vendor isn't willing to talk about the division of responsibility, run far and fast.
Contract law can be your friend, so get legal involved. They can determine what's enforceable and what's not. They can also navigate the labyrinth of weasel words to ensure that the contract doesn't contain clauses that will come back to bite you, and they can help you rephrase things to balance the terms. Providers are usually willing to negotiate.
Some specifics to think about:
- Who has access to your data? Nobody except your employees or designates should be able to get at the information, though the provider may need access to the bits and bytes to perform contracted backups. (Hint – technologies like split-key encryption can help here.)
- Who owns your data? It had better be your company; anyone who tries to sneak any claims into a contract is not to be trusted.
- Is it end-to-end encrypted, so no-one can access it in motion, in use, or at rest?
This seems like common sense stuff, until you find, for example, that some consumer email services that are also used by corporate users snoop through email content to build user profiles for targeted ads.
You should also decide how much responsibility you want placed on your IT folks, and what you want your provider to handle. The more you pass over to the provider, the more it costs, but you gain the expertise of a well-trained team who perform what some have called the ‘janitorial’ functions every day, freeing up your IT team for more value-adding activities like innovation.
You will need to think about regulatory constraints. For example, if data sovereignty is an issue, does your prospective provider have multiple data centres in your jurisdiction to support you in the event that its primary location becomes unusable and it has to fail over to its backup?
As always, legislation is usually a step or two behind the Real World, and many companies, including service providers, are a step or two behind new legislation. For example, the European Union's General Data Protection Regulation (GDPR) that came into effect last May has been front and centre for several years, yet many organizations are still not ready. And some of them will pay a steep price for that dawdling; this regulation has sharp teeth. US websites such as the LA Times and Chicago Tribune have even resorted to blocking users coming from the EU rather than put in the effort needed to comply. Make sure your provider is current on legislation and industry standards.
As with any business decision, the devil is in the details. Picking a cloud provider, and deciding on the level of service you want from it, shouldn't be a spur of the moment decision. Leaping in without doing all of your homework could be an expensive mistake.