The elephant in the room: The trust deficit issue with public clouds

There was a time when sharing information between computers required people to exchange floppy disks. With the onset of the networking era and the Internet coming into its own, emails with attachments became prevalent (one could argue they still are).

Then, the email clutter becoming a bit much to handle and the fact that mail servers couldn’t handle very large files as attachments, people started turning to USB drives (just bigger floppy disks in a way). This went on for several years, until cloud storage came along and completely changed the way people share files. Dropbox and Google deserve much of the credit for completely changing the file synchronisation and sharing paradigm in such a fundamental way, that now several players (Microsoft and Apple included) are in the race to dominate the cloud storage domain.

The Risks with the Public Cloud – Why one should be Worried

While cloud storage has certainly revolutionised the way people store and share data – all is not as well as it might seem. The problem is a little thing called Privacy.

Most of the companies that provide customers online storage in the cloud have privacy policies, but that doesn’t necessarily mean they’re guaranteeing your privacy. In many cases, when you say “I agree” to a Privacy policy, you’re actually granting the company certain permissions and/or licenses to your data. If you read through the legalese patiently, you’ll find out that in almost all cases, you’re giving away permissions to these companies and allowing access to your information to varying degrees. With several cloud services the cloud vendor gets a license to your information as soon as you upload it. One leading cloud drive vendor’s terms of service state clearly that you’re giving them the “right to access, retain, use and disclose your account information and your files”. Twitter has a more user-friendly policy which states that it will only disclose user information “in compliance with US law to valid legal process. For example, requests for contents of communication require a US search warrant”. But the fact remains that your data is still not private, even if only from the US government.

What amplifies this risk is how simply ubiquitous cloud based storage has become. Your employees probably routinely use file sharing services to exchange sales and marketing data, not to mention strategic plans in the form of power point slides. Most new services are now available exclusively in the cloud – be it source code control repositories, customer resource management tools, or HR management software.

This whole situation is set to get a whole lot worse shortly with the wave of IoT. IoT implies a world where a number of things that many of us don’t consider computers will have a chip in them and be connected to the internet. While many think of IoT as being something that only affects individual consumers (who wear smart watches and drive smart cars), the reality is that IoT will impact businesses just as much. This could be in the form of energy meters in offices, parking meters in parking lots, or air conditioning units and refrigerators in factories. So, all of these will soon be speeding along the internet superhighway whether we like it or not. And the main thing these objects will be doing on the internet is – you guessed it – transmitting large volumes of data. Many companies are devoting their time to solving the Big Data problem this is going to create and what kinds of analytics tools they should use to mine the wealth of information they suddenly get as a result, but few if any are worried about customer privacy.

While much of this information can be used to improve products and provide better services to customers, the reality is also that the information isn’t private anymore.

This is the conundrum that most users have to wrestle with when it comes to cloud storage. How do you trade off the convenience with the compromise of privacy? Sadly many users are unaware of the implications of saying “I agree” to the privacy policy – and the ones that do care have simply reconciled to the fact that they can’t store certain types of information on public cloud storage. Hardly an optimal situation.

What can you do about it?

Fortunately, there are solutions that don’t need you to make these compromises.
Encryption

One approach is to encrypt the data that is kept on the cloud storage. But, wait – surely companies like Google and Dropbox are encrypting the data their customers are entrusting to them? Sure, they are – but they are using encryption keys which also allow them to decrypt the data should they want to. It is locking your front door, but entrusting the keys to Dropbox or Google. Would you feel as safe about that arrangement as you would if you had the keys with you? Probably not.

An approach that works is to have a way to encrypt the data, with your encryption key, before it leaves your home or office on the way to the cloud. And similarly decrypt the data as it comes back into your home or office and before it gets served up to you on your computer or tablet or smartphone. Solutions such as this exist – but they’re inherently a bit clumsy because they are software based solutions which require you to download a special client onto your computer which performs the encryption and decryption for you. Apart from the fact that it is difficult to fit these solutions into the seamless workflow you may be used to when using Dropbox or Google, there’s the question of how this will work if you’re working from a different computer; or accessing Dropbox’s portal directly.

Tokenisation & Obfuscation

Another approach that is especially useful when you’re using a SaaS application is to have software that intelligently monitors the data traffic as it leaves and enters your data center. Using pattern recognition methods, the software can identify strings that may be confidential in nature or personally identifiable information (PII) and selectively obfuscate those. This is done in such a way that the SaaS application server in the cloud still believes it is dealing with valid data. When data is returned back into the data center from the SaaS servers the process is reversed for the benefit of end users.

Private (or personal) Clouds

Yet another approach that is really simple is to simply not put your data out there in the public cloud. What if you are able to get all the benefits of a cloud storage solution including sync, share, etc. but with a private cloud? One that you can host inside your company’s data center, or even inside your home? Such an approach is indeed practical and such solutions do exist as well.

With the increase in awareness around privacy and the pitfalls of letting personal data take its course in the hands of the public cloud vendors, we’re sure such solutions are going to gain currency and become more mainstream.

Anand Prahlad is the President and CEO of Parablu specialists in Cloud security.