NIL Cloud Security

A few days ago a fellow colleague opened a very tipical question of storing data off premise, more precisely, in the cloud of (any) provider. While individuals seem to, virtually blindly, entrust cloud services (and their providers) with their data (and much more), companies are very reluctant to store enterprise data on “someone else’s server”. But is this reluctance justified? Absolutely not.

Among the general public and unfortunately also among a section of the professional public, I notice a kind of reluctance to store documents and other business data in the cloud. People I discuss this with often (call into) question the safety of this type of data storage, claiming, nobody can guarantee that no one will browse our data, read them through, sell them to the competition, etc.

In my professional career I closely deal with both cloud computing and information security, so I decided to publicly share my view on this topic. For those who don’t want to read the whole article, let me quickly answer these two question: “What is the real-life likelihood that somebody who has an interest in my data that are stored in the cloud of any given provider would steal and/or misuse it?” And the other question: “What is the likelihood of losing my data stored in the cloud due to an error of the provider?” The answer to both questions is “Almost none or considerably lower than with alternative ways of storage”.

If you want to find out why, keep on reading …

How does a small company nowadays manage its data? It probably has on-site data storage, i.e. storing data on one or two servers in a dedicated server room. If the company loses its data, it fails (or at least that’s what the surveys say – 90% of companies do not recover after data loss). Larger companies tend to take better care of their data. However, they also go through a difficult ordeal if for some reason they are left without their data. Disaster recovery (when a backup copy exists) still usually takes a week or two. Then there is the cloud, typically with 3 or more storage locations i.e. backup copies, so data cannot be lost. Yet we are still more afraid of the cloud and possible data misuse.

Who are we actually afraid of? Industrial and other types of spies? The NSA? Do we really see ourselves as important enough for the NSA to stick their nose into our business? We must ask ourselves who would actually benefit from our data? In the end, only two potential “attackers” remain. The competition and the state (or rather its secret services).

The likelihood of data theft is, of course, also connected with the feasibility of such an act. Every attacker, even occasional, first considers how much effort needs to be invested for such a “feat”. What is the price that one of these “attackers” has to pay to get ahold of your data? 

In a small or mid-sized company with local data storage, which can be accessed by the cleaning lady as well as the IT personnel, the price of data access is relatively low. It comes down to paying about 10 or 20 monthly salaries to the cleaning lady to get her to unlock the door for us to simply copy the data to our disk. Let’s not forget that social engineering is probably the cheapest method of attack in the world of information security. So for 10 to 15 thousand euros we get ahold of the data and surely get our money's worth. The feat can be worth all our efforts.

If our data are stored in an access-controlled safe room, for example, such as used by numerous local cloud providers, the price for accessing the data is higher. To gain access, you would have to reach deeply into your pocket. Paying off a disgruntled IT guy will set you back more than 20k. The investment might seem excessive, but it would still be worthwhile to someone.  

Next is data storage with a global “hardcore” data center provider that offers payable services. To get to this data center it will take a lot more than just a drive across Slovenia. It is a real challenge to even find one, since Google and Microsoft maps keep them hidden – their locations often just show a picture of an open grazing pasture. Physical security at such locations is extraordinary. Even the “anointed” visitors must pass a security check before entering. Nobody wanders alone through the data center. However, even if you somehow manage to access to such a data center, you would still be faced by the next insurmountable challenge – first, how do you even find the three to five servers storing your data when there’s thousands of servers? Second, you would have to take your time to retrieve the right disk from each server (keep in mind that an individual server unit holds several hundred disks). Now, I can already hear you say, “We’ll just bribe the IT guy again.” This time it will not be that easy because the logical and physical parts of the data center are completely dislocated, and the administrator of services and virtualized databases does not even know exactly on which drive your data are stored. Plus, he cannot access them without the customer’s knowledge. In this case the security mechanism chain is truly long. In other words, the costs for the attacker are just too steep. Hypothetically, data theft from such data center would add at least one zero to the figure – i.e. making it an even million euros. Are your data really worth that much?
Honestly, if you’re not a pharmacist or own a patent for perpetual motion, storing your data in the global cloud provider’s storage is absolutely safe. Of course, it goes without saying that for Slovenian companies cloud storage is significantly safer than on-site storage.
I would say that security is not the problem here. Trust, however, is.

So, do you trust your provider?  Even if you don't, you can still encrypt your data ... but that’s a topic for some other occasion.