Rights of disclosure

On December 29, 2008, in Security, by

Mac owners are supposed to be buzz-loving, cutting-edge, technology-loving folks, right?

HP MediaSmart Home Server may get some competition from Apple | 9 to 5 Mac:

So when a Mac web site talks about how the Home Media Server now supports Macs as a backup-able client as well as integrating iTunes, and the discussion turns to hosted models, notice on that post how many technology-loving, cutting-edge Mac users are saying “I don’t trust the cloud for my data”.

So here’s a question that’s been bugging me about all of this cloud computing stuff.  Okay so I’ll be the first to admit that I don’t do “best practices” when it comes to separation of networks and duties and all that.  I don’t have my databases restricted from the Internet, I don’t have workstations that also deal with SSNs separated out either.  But while “they are out to get me”, they aren’t out specifically to get me.  I’ll be nailed by stupidity as much as I will be for insecurity. 

Fast forward to when yours, mine, and ours is on the web on one set of data centers: won’t that be a site that is extremely targeted by every Tom, Dick and Harry hacker? Why try to build malware to go after desktops and capture information when one can put their sights on the Perot Data Centers in Plano, Texas (which is where some of my vendors host their servers)? There’s another fundamental sticky question that everyone is glossing over a bit (in my opinion): the risk of the data all plopped down in one spot (or one distributed spot held by a vendor).

I’m speaking not as a techno geek head here but as a person tasked with making business decisions about my clients’ very sensitive (and regulated) data. I’m seeing that many small businesses are careful with their data, to the point of paranoia, and want assurances.

So when all of our vendors are housed in data centers in Plano, Texas, or in Northwest Washington, or in containers in Chicago, they are behind banks of known IP addresses, right? And they can’t be entirely restricted from access since I need to get to that data myself. So there still needs to be access, data transmitting across lines,

So my question that I don’t know the answer to is about risk: when the data is all there in one spot, can they, with all of their best practices, provide safeguards equal to what my small pot of data has by being less of an economic target? I’ve also been in situations where I’ve seen data centers not have transmissions to them protected via SSL. With one particular vendor this has occurred twice. Neither time did this vendor give me appropriate guidance as to whether I needed to disclose this to the impacted clients, and I had to investigate on my own. Do I have the right to inspect their external security audits? Should my clients have the ability to ask me sticky questions as well?

It’s in a vendor’s best interests to manage a security incident; let’s be honest about that. Will this fundamental issue of clients’ rights of disclosure only get addressed via regulation?

Needless to say, it will be interesting as we go forward. Fasten your seat belts!


2 Responses to Rights of disclosure

  1. Joe Raby says:

    I think you actually “get” the cloud: It’s there. It’s accessible. And therefore, it’s a security risk.

    It’s always a good idea to have privacy policies on hand for content hosting providers, as well as a level of service contract. If it’s for regulated data, make them sign a security clause that includes transparency of external security auditing as part of that contract.

    Yes, they hate that when you ask about it! >:)

  2. David says:

    Your comments about cloud computing are so appropriate. There is a local TV station in Jacksonville, FL, that announces promptly at 10:PM daily, “It is 10:PM, do you know where your kids are?” I think we ought to be asking the same question about our data.