Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Businesses Cloud Security IT

Put Your Enterprise Financial Data In the Cloud? Sure, Why Not 91

jfruh writes: For many, the idea of storing sensitive financial and other data in the cloud seems insane, especially considering the regulatory aspects that mandate how that data is protected. But more and more organizations are doing so as cloud providers start presenting offerings that fulfill regulatory needs — and people realize that information is more likely to be accidentally emailed out to the wrong address than hacked.
This discussion has been archived. No new comments can be posted.

Put Your Enterprise Financial Data In the Cloud? Sure, Why Not

Comments Filter:
  • then/than (Score:3, Funny)

    by Anonymous Coward on Friday June 26, 2015 @12:43AM (#49992589)

    Emailed out, and then hacked! It's a one-two punch of bad luck!

    • ... that 99.999% of the humans are idiots

      At first I did not think much of that saying, but, reading TFA, especially the part about "... people realize that information is more likely to be accidentally emailed out to the wrong address then hacked ..." makes me wonder if there is a need for something far worse than the word "idiot"

      • Ediotor?

      • This really is the problem.

        The vast majority of private data leaks were due to HUMAN error... not vulnerability to hacks. That means that even if your site isn't hacked, some bozo working for the company you're supposed to TRUST is intentionally or accidentally giving out the information on your 12-year-old daughter.

        People REALLY need to get it through their heads that the serious flaws aren't in the technology, they're in THE PEOPLE who implement it. A seriously hack-proof database is still going to
      • Where I used to work, there were a few short terms for idiots who ignored or violated security standards: CEO, CFO, Legal, etc. They'd pass all these security measures for protecting data, and then say, "Oh, but not for me."

        One of them had they RSA keyfob security code statically set at "111111" because it was just too hard to type in the digits (or they changed too quickly, I forget which.)

        He got written up in the security exception reports and such, but was high enough to be able to override it.

        At leas

        • At least it wasn't the code to the planetary air shield generator: 12345.

          That's amazing! I've got the same combination on my luggage!

        • by hawguy ( 1600213 )

          Where I used to work, there were a few short terms for idiots who ignored or violated security standards: CEO, CFO, Legal, etc. They'd pass all these security measures for protecting data, and then say, "Oh, but not for me."

          One of them had they RSA keyfob security code statically set at "111111" because it was just too hard to type in the digits (or they changed too quickly, I forget which.)

          He got written up in the security exception reports and such, but was high enough to be able to override it.

          At least it wasn't the code to the planetary air shield generator: 12345.

          How did he get RSA to custom produce a keyfob with static numbers?

  • by Anonymous Coward

    Yeah, what's the point of security when someone can just email stuff?

    Let's just give up.

    • The first rule of security is don't put all your eggs in one basket. Like a cloud with multiple users data segmented but under one layer of sandboxed admin privs. If anyone thinks that is a good idea then just ask the NSA about it though that might still be a bit of a touchy subject for them with Snowden. In reality the only credentials that should have access to all data would be the service a backup runs under and the backup operator should have a healthy loyalty based paycheck. These are some old sch

      • "In reality the only credentials that should have access to all data would be the service a backup runs under and the backup operator should have a healthy loyalty based paycheck."

        Not even that.

        On a properly configured system for sensible enough data, agents you can't impersonate run on the clients and offer the already cyphered data to the central backup manager. The credentials that can backup the data can't restore it and viceversa.

        On top of that, you segregate data/systems into security realms and you

  • No, just no. (Score:5, Insightful)

    by geogob ( 569250 ) on Friday June 26, 2015 @12:50AM (#49992615)

    Nothing goes into "the cloud". I'm slowly getting sick of this cloud hype. In most cases its useless and its only a security risk - a risk no one can really weight as the cloud is often maintained by an external provider.

    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Friday June 26, 2015 @01:00AM (#49992657)
      Comment removed based on user account deletion
      • by jbolden ( 176878 )

        Yes. Web is a return to the mainframe paradigm. People are enjoying the upside of this paradigm and while they are experiencing some of the downsides the ratio is such that mainly things are getting better. Once the environment becomes too monolithic and tightly controlled the freedom of "do whatever you want" will have huge advantages and we will see a shift away.

        You already see this to some extent on mobile with Apple's push for performance away from the almost totally web paradigm that was popular pri

    • In most cases its useless and its only a security risk

      And yet here in TFS we not only have a use for it, but also a realisation that there are far bigger security risks than cloud storage of data.

      How many companies have fallen victim to information theft of data stored in enterprise cloud systems? Compare that to how many companies have fallen victim to utter stupidity, lax internal security, poor practices in general etc

      • My driving a car is statistically riskier to my physical safety than flying. But I drive, because I have more control there. Sometimes convenience wins out over security.
        To make my analogy fit better, the two things should be unrelated: Just because I'll happily drive a car doesn't mean I should now climb a ladder when I could use stairs instead.
        • You drive a car because flying everywhere is expensive and not possible in most cases. You can't fly to the grocery store, to work, to school, etc. This isn't a very good argument. A better analogy is that you trust yourself to do car work better than you trust a mechanic. They are the expert and cost more to do the work but you have to read up on how to fix things and spend your time doing the work yourself. The expert costs money, you cost time (which is also money). Now your engine needs fixing. Do you p

        • Your analogy fails and also comes to a very common conclusion. It fails because flying and driving are two very different things that get you very different places. It's not a one or another option. Choice of data storage is.

          The common conclusion actually fits perfectly into what I'm saying: Some people are afraid of flying. They should not be as they are more likely to die on the way to the airport than they are in a plane crash.

          • Okay, revised:
            "My driving a car is statistically riskier to my physical safety than riding a bus. But I drive, because I have more control there. Sometimes convenience wins out over security."

            My second analogy still stands (altered for clarity): "Just because I'll happily engage in one risky behavior doesn't mean I should now climb a ladder when I could use stairs instead."
            • The analogy stands beautifully. You do a risky activity because of the benefit it brings. You don't go cloud just because. You go cloud when there's a benefit to doing so.

              That's been my point all along. You have something which brings a reward and you weigh it against the risk. The OP assumed all risk and no reward which was false and then compared it to another activity without analysing reward.

              So the analogy which would properly fit the OP's proposition is you're driving a car, vs driving a car blindfolde

      • False comparison as moving data to the cloud does not reduce or eliminate the risk you mention. Adding new security risks isn't the brightest thing to do.

        • by jbolden ( 176878 )

          That's not entirely true though it is mostly true. There are cloud systems and MSPs (and cloud migration exports) that will work on top of many IaaS that offer: auditable procedures, security audits, practice improvement.... Obviously you can implement those things without cloud but for many companies the cost of a SOC is undoable but having a SOC through their MSP is doable.

        • False comparison as moving data to the cloud does not reduce or eliminate the risk you mention. Adding new security risks isn't the brightest thing to do.

          I didn't say elimination. Risk management starts with grading the risks. The risk of using a cloud service is very low when compared with the many other data security risks. The benefit of using a cloud service however can be numerous. It's scaled, offsite, provides a place for data redundancy etc.

          If you care about your risk you would focus on the high risk options and not kill low-risk projects. Adding security risks may not be bright, but it may be necessary for the continued operation of a business. e.g.

    • Nothing goes into "the cloud". I'm slowly getting sick of this cloud hype. In most cases its useless and its only a security risk - a risk no one can really weight as the cloud is often maintained by an external provider.

      Perhaps you would like to sign-on for the newest IT trend then, "... in a box". Tired of the cloud? What is it? Where is it? Does it even really exist? You have none of those question with "... in a box". With our premium subscription service, you can even have the best of both worlds, "Cloud ... in a box"! Our certified consultants with over a millenia of combined IT experience will install our Cloud ... in a box in your data center. You can see it, you can touch it, you can bring in your leadership team t

    • by jbolden ( 176878 )

      How is putting data in a high end professionally managed data center running a high end professional managed infrastructure system a security risk over what most companies are doing with their data?

      • by plopez ( 54068 )

        "How is putting data in a high end professionally managed data center running a high end professional managed infrastructure system a security risk over what most companies are doing with their data"

        How do you know any of that is true? How many people review the data center they are migrating to? How many people vette the employees in the cloud center? There is no incentive for the vendor to do any of that, it just reduces profitability. And the IT management can just say, "It is a professional Fortune {500

        • by jbolden ( 176878 )

          How do you know any of that is true?

          For a customer you can easily have a tour arranged. You can meet with your account manager regularly. You'll know the people assigned to your account.... Your agent can just tell you since we all go on tours.

          How many people review the data center they are migrating to?

          I'd say most customers go their data center at least once and sometimes more than once during the sales process.

          How many people vette the employees in the cloud center?

          You mean like an HR vetting

          • by geogob ( 569250 )

            How do you know any of that is true?

            For a customer you can easily have a tour arranged. You can meet with your account manager regularly. You'll know the people assigned to your account.... Your agent can just tell you since we all go on tours.

            A tour. Is this middle-school? Sure, a tour is nice and fun... and always gives you a good impression, because that's that tours are for. Lets be honest, no company would allow, let alone offer, tours if it had any risk of leaving a bad impression to potential customer. But if you are touring through a corporate Disney park, that they won't say.

            The only way to verify what the previous poster addresses, is through regular audits covering all facets of production, management, troubleshooting, etc. You need to

            • by jbolden ( 176878 )

              Lets be honest, no company would allow, let alone offer, tours if it had any risk of leaving a bad impression to potential customer.

              It is not so much a bad impression or good impression it is an accurate impression. Obviously they are going to spin things positively. But it is not to their advantage for the customer to not know the upsides and downsides. They don't want to sell services they can't provide. So for example if the data center offers 24/7 smart hands they will present that. If they offe

  • by fahrbot-bot ( 874524 ) on Friday June 26, 2015 @12:52AM (#49992621)

    ... information is more likely to be accidentally emailed out to the wrong address then hacked.

    ... "then" or "than" ? Because they're different.

  • obvious ad (Score:5, Insightful)

    by jarkus4 ( 1627895 ) on Friday June 26, 2015 @01:04AM (#49992681)

    advertisment in pretty clear form.
    "I went to this company conference and they told me they're cool and I have nothing to worry when storing my data on their great services"

  • "Insane" is too sane a word to describe this.
  • Once all the data is in the cloud... the only data breaches will be to the cloud itself. Because it becomes a tasty, tasty target.

    I'm also positive that government regulators couldn't possibly find financial irregularities by grabbing you documents from the cloud service provider, since there's no such thing as contradictory laws which make it impossible to not be in violation of one or the other of them...

    • ... government regulators couldn't possibly find financial irregularities by grabbing you documents from the cloud service provider, ...

      The courts said you have no expectation of privacy one you put your data in the hands of a third party. Great! Let's convince all those "evil corporations" to store all their data in the cloud. Then the government can go after them any time they want. B-b

  • by xxxJonBoyxxx ( 565205 ) on Friday June 26, 2015 @01:22AM (#49992735)

    ...that most "brick and mortar" banks have been outsourcing their "back end" account management (i.e., your money) to "the cloud" for decades? (OK, back in the day, no one called it "the cloud," but it was the same damn concept.)

    What else do you think EDS, FIS, Fiserv, Jack Henry, etc. have been doing all these years?

    • EDS hasn't done anything for several years...since it hasn't actually existed as a company in awhile. I, however, still have an EDS license plate, and work with many former EDS people at the old SABRE center (now owned by HP). White the "spin-off" of HP Enterprise, we're all assuming it will also not be HP for much longer either...
    • Writing software which was then mostly run in house on data stored in house. Smarter banks had teams that did the installation and maintenance in house as well. In the banks I spent those same decades you mention contracting for, they rented their wire transfer software (which I worked on) and we had complete access to the source code and managed the compilations and never once did the financial data leave bank systems for storage. Even the backup machinery was bank owned. Hell, when it was still being
  • bullshit (Score:5, Insightful)

    by Gravis Zero ( 934156 ) on Friday June 26, 2015 @01:22AM (#49992737)

    Is data in the cloud vulnerable? Well, yes, all data everywhere is theoretically vulnerable and the cloud is no exception.

    "the cloud" has proven time and time again to be not just vulnerable but exceedingly vulnerable to attack. what's worse is that companies are under no obligation to tell you when (not if) they get hacked. worse yet, they aren't held responsible for getting hacked, so all you can do is switch to a new "cloud provider" and pray it doesn't happen again.

    • by Anonymous Coward

      "the cloud" has proven time and time again to be not just vulnerable but exceedingly vulnerable to attack.

      That wouldn't even be my biggest worry with hosting financial data in someone else's computer (let's call it what it is guys). The big worry is the guy who owns the someone else who owns the computer snooping through said computer to find out how company they own that competes with you can outperform you in the market.

      It's not a "what if?", it's guaranteed this will happen. In fact it's guaranteed this is already happening. Only a complete idiot thinks Google (for example) is not using Google docs and gmail

  • I posted on their article itself... "Spreadsheets and email documents are a bigger threat than the cloud" Typical high-level executive thinking. There can only be one reason for anything, only one "real" reason and all else should be ignored. Because there is zero chance that BOTH email and the "cloud" are security issues...

    Just because an accountant is "satisfied" with marketing double speak about the "cloud", that just shows how clueless they are. If they think that offsite, connected storage is
    • "Just because an accountant is "satisfied" with marketing double speak about the "cloud", that just shows how clueless they are."

      Of course, anything new needs to be analyzed and put into perspective, but I really don't understand this rabid hate for cloud services except being afraid of lose job security (OK, "cloud" is marketspeech, then let's call it for its real name: outsourcing).

      Basically 99% of what's needed for our business is already outsourced: from building the place we are working on to most of i

      • After all, data about money can't be more important than money itself and money safeguarding/management has already outsourced to banks since, when? always?

        "Next time there's a server security breach, I'll call my accountants to come fix it right?"

        How's this any different to a physical bank security breach (aka robbery)? Next time the bank your accountants work with is robbed will you call them to fix the mess too?

        You should look into how much people trusted banks with their money before the advent of FDIC. People trust banks with their money because the government is insuring it against theft or loss. No such guarantee comes with Cloud storage.

        • "You should look into how much people trusted banks with their money before the advent of FDIC."

          This *is* a valid point. Just as current bank regulation and standards didn't grow overnight, these kind of somehow novel services will need time to settle. Not a intrinsic problem of the services themselves but of their maturity status. But still you see the vast majority of critics are directed to the services themselves, not their development status.

          You see, one can somehow compare current cloud services' s

        • by jbolden ( 176878 )

          People trust banks with their money because the government is insuring it against theft or loss. No such guarantee comes with Cloud storage.

          Yes they do. There are many auditing agencies that supervise and audit clouds. For example once a cloud provider has agreed to be a data partner they become subject to HIPAA, And there are insurance programs you can buy that include data breach.

    • by jbolden ( 176878 )

      Do you want your info on the same service that Sony uses the next time North Korea decides to mess with them? That's a very real potential issue.

      Sony was hacked because they were utterly incompetent and didn't believe they would ever be subject to a APT type attack. financials, pharmaceuticals, social networks... have no doubts they will be subject to APT type attacks. So were Sony on a cloud Sony likely isn't successfully hit at all. Nothing happens other than the ineffective attacks the internet infr

      • I did a bit of research on it, the "SpiritWORLD" media system was written by (from what I can tell) five Indian contractors. It's some SAP / Oracle media DB app and it was part of the initial breach in Brazil that they ignored. Well, they didn't totally ignore it...part of their IT noticed something, they told someone else, and then whomever the escalated it to ignored it. I'd guess someone managed to get some video on it that called out to a pre-infected codec, probably by spoofing an email address and s
  • When I read this title: ENTERPRISE in cloud stood out. What happens when it rains? Clouds are notorious for dropping stuff on us helpless mortals.

  • by Anonymous Coward

    "Cloud" has morphed into a buzz word that providers want you to believe means "all your IT problems and costs replaced by a simple monthly fee", but in reality it's a private company that will lease you access to their private equipment which you can access through the Internet. Ignoring the same issues that exist with cloud or on-premises servers (administration, software updates etc) the issue is how how you can trust the cloud providers staff. If you haven't encrypted you cloud data it's physically acces

  • If company A gets sued by some one planning to use the discovery process as a fishing expedition, A will fight it very hard, demand to see the court orders and will do everything possible to comply with the letter of the court order while defying it in spirit. No one thinks A will just let the discovery process go unimpeded. A will do anything short of being convicted (not merely accused) of obstruction of justice. And it would cost money and it would take considerable risk.

    If company B has a cloud provide

    • by jbolden ( 176878 )

      This is somewhat true. Let's narrow a bit. First we are talking civil discovery only and then that's just an argument against IaaS vs. Colo though. Obviously for a criminal case where the government is seriously pissed i.e. the government issues a warrant and ceases the servers they will get the data in either case. Also don't kid yourself once they take the servers your IT staff can be terrified by "obstruction" type charges and will help them get data.

      OK so with that off the table. If you intend to

  • by Anonymous Coward

    For goodness sakes, we've JUST HAD a massive hack of a Government resource of personal information, and this article is trying to convince us that the probability of a hack occurring and causing grief is not really within the realms of possibility.

    Keep in mind that the Government works for itself, is not profit driven and has a vested interest in security (if only because breaches look bad in the public eye). Private organizations only have eyes for the $ and will cut corners if they think they can get away

    • Why do you think the government is that strict about security? The people making the decisions usually aren't held responsible. Government agencies have often been listed as having terrible security by the GAO.

  • Wot me worry? Let me rewrite OP:

    > For many, the idea of storing nude photos and other data in the cloud seems insane, especially considering the regulatory aspects that mandate how that data is protected. But more and more organizations are doing so as cloud providers start presenting offerings that fulfill regulatory needs — and people realize that nude photos is more likely to be accidentally emailed out to the wrong address then hacked.

    And OP was stupid before I changed it to nude photos eg
  • by jon3k ( 691256 )
    It's scary how much more faith most of you put in some random IT department than the engineers at cloud providers. For everyone hacked provider using the cloud are 10 that had their own internal systems hacked.

    Have you ever met anyone who worked in corporate IT? As someone who works in corporate IT let me tell you, 99% of them are idiots. And that's being polite. Your data isn't any safer in their hands than Google's.
  • Title: "Put Your Enterprise Financial Data In my Butt? Sure, Why Not"

    The tag-line to the dullest porn *ever*.

  • a hosting platform for your company's secret patent and financial data, you store it on my servers, i sell it off to your competitors, the company is closed and i go retire... since it's a american corporation i won't be held liable for my subterfuge, worse case i blame it on "hackers".

  • I'm working at a government agency as a contractor. Not only do they want to outsource the servers, e-mail, v-mail, they even want to outsource the desktop. No, really. When we login, we're actually firing up a win license for our desktop to run the local vdi stuff to get to the real desktop (somehow we're saving licenses, though we aren't). You can't do anything with the local box other than run the vdi client. That desktop - another license or so actually runs our stuff. This is for an agency of more than

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...