Every time you reach for your smartphone to access your social media feed or dig up a contact, you are tapping into remote servers that house your data, also known as the cloud. And while most people probably don’t give this a second thought, they should – if they want to keep their information private and secure.
When a company moves its data to the cloud, consumers only know they can access their email or finances – or even their digital assistant – whenever and wherever they need them. In that, they are at the forefront of cloud migration. But when it comes to security and privacy, “the vast majority of consumers” don’t necessarily know “whether it’s in the cloud or … sitting in their house or on the server,” said Cisco’s Chief Technology Officer for Cloud Security, Dan Hubbard, in an interview.
But that knowledge is crucial in the age of cloud-driven mobility. Connected wearable devices, digital assistants and other gadgets that are listening, collecting vast amounts of information about users and sending them back to remote servers for storage, who knows for how long, for what purpose, and whether the companies in question are doing enough to protect that information or are transparent about the way it is being handled.
This is particularly true when using ‘free’ cloud services, which, in truth, are not so free.
Whether they know it or not, consumers actually ‘pay’ for these services in the same way that they cede a piece of themselves and their life to a search engine when looking up free information. Sometimes, cautioned Hubbard, consumers “underestimate what that means,” thinking they can get a free service and keep their privacy at the same time.
“You need to understand the price of you using a free service is that potentially they’ll do something like deliver ads to you,” he said.
Ads collect huge amounts of data about users’ habits and profiles in order to target them with personalized products, with or without their consent. So before you hand over your data to a free cloud service, you need to understand how the company works and how it intends to protect your privacy. And you should probably look out for sudden changes that give away your personal information wholesale.
This week, note-taking app Evernote updated its privacy policy to allow some of its employees to access user content, saying this was intended for machine learning research. But there are indications this has been going on for some time, though Evernote users were kept in the dark.
And messaging service WhatsApp, for example, which initially claimed it protected its users’ privacy, turned around and decided to share their information with its parent company, Facebook. Users were furious, and Facebook later halted the sharing in response to complaints from the European Union.
“You have to read the fine print,” said Kevin Barnicle, CEO of Controle, a company focused on the governance of electronically stored information.
“I myself as a business owner am very leery of storing content in free applications because they do have access to the information,” he said. “They’ll be able to read it. They’ll be able to mine it for whatever reason they would want to. You need to be careful.”
Before storing or backing up your information in the cloud, make sure the company encrypts your data “even in their own environment so they cannot actually see what the data is,” he added. And read the convoluted privacy policies, which Hubbard believes should be more straightforward.
Cloud providers should be transparent about “how they secure their information, what their privacy policy is, how they use the data, and making sure it’s not buried somewhere in this crazy, big, long thing that no one’s going to read,” he said. And they need to “make sure the users understand when they store their information there what they’re giving away,” he added.
Providers should understand that consumer data in the cloud “is actually owned by the people that created it,” he stressed. That in turn defines who should or shouldn’t have access to that information.
“The only people that should have access to that information should be the people who are creating it – for example, the company,” he added. “They should have the right and the ability to decrypt and encrypt that information without the hosting provider having access to it. … They need to provide very strong ways that people can authenticate to get access to the data.”
There are many large companies that add multi-factor authentication, which asks for a combination of security safeguards, including passwords, telephone numbers, and personal questions to verify user identities. They also have mechanisms in place to “identify if nefarious stuff is happening to that user’s account or to their data,” said Hubbard, and in many cases, do “a tremendous” job securing their data.
But there are no guarantees and no way of knowing if a company is doing its best to protect your data. A case in point is internet giant Yahoo’s revelation this week that it experienced a second gigantic breach of security that compromised up to one billion accounts in 2013 – the largest ever and the second for the company.
An uneven landscape
As more people collaborate and share documents stored in the cloud, securing the data becomes even more daunting. Recent research has uncovered malware in shared folders in the cloud. And in 2014, celebrity pictures stored in Apple’s iCloud were leaked by intruders who bypassed the company’s security safeguards.
Safeguarding cloud data involves a lot of factors, including identifying what it is and who should or should not get access to it, especially if it involves sensitive information like tax returns or health records.
“Is it misconfigured? asked Hubbard. “Do the wrong people have access to it? Am I putting information in the cloud that shouldn’t be in the cloud that should be in the traditional data center? That is definitely an aspect of things you need to start thinking about, especially when it comes to confidential information.”
But the process is more complicated than that. Large companies often have “thousands of different regulations that they’re supposed to abide by” to manage content, said Barnicle. And things becomes so complicated that, in some cases, companies just “keep all of our data forever and they will never delete anything.”
Many companies don’t even abide by their own regulations. And some smaller companies that might offer free services do not abide by the same rules, let alone figure out which regulations need to be enforced.
Nevertheless, migration is projected to continue as companies cut IT costs and find new revenue opportunities in the cloud. But for the time being, consumers might find it cheaper to manage their own data, said Barnicle, given continuing privacy and security concerns.