Put Your Enterprise Financial Data In the Cloud? Sure, Why Not
jfruh writes: For many, the idea of storing sensitive financial and other data in the cloud seems insane, especially considering the regulatory aspects that mandate how that data is protected. But more and more organizations are doing so as cloud providers start presenting offerings that fulfill regulatory needs — and people realize that information is more likely to be accidentally emailed out to the wrong address than hacked.
then/than (Score:3, Funny)
Emailed out, and then hacked! It's a one-two punch of bad luck!
There is a saying ... (Score:2)
... that 99.999% of the humans are idiots
At first I did not think much of that saying, but, reading TFA, especially the part about "... people realize that information is more likely to be accidentally emailed out to the wrong address then hacked ..." makes me wonder if there is a need for something far worse than the word "idiot"
Re: (Score:2)
Ediotor?
Re: (Score:2)
The vast majority of private data leaks were due to HUMAN error... not vulnerability to hacks. That means that even if your site isn't hacked, some bozo working for the company you're supposed to TRUST is intentionally or accidentally giving out the information on your 12-year-old daughter.
People REALLY need to get it through their heads that the serious flaws aren't in the technology, they're in THE PEOPLE who implement it. A seriously hack-proof database is still going to
Re: (Score:3)
Where I used to work, there were a few short terms for idiots who ignored or violated security standards: CEO, CFO, Legal, etc. They'd pass all these security measures for protecting data, and then say, "Oh, but not for me."
One of them had their RSA keyfob security code statically set at "111111" because it was just too hard to type in the digits (or they changed too quickly, I forget which.)
He got written up in the security exception reports and such, but was high enough to be able to override it.
At leas
Re: (Score:2)
> At least it wasn't the code to the planetary air shield generator: 12345.
That's amazing! I've got the same combination on my luggage!
Re: (Score:2)
> Where I used to work, there were a few short terms for idiots who ignored or violated security standards: CEO, CFO, Legal, etc. They'd pass all these security measures for protecting data, and then say, "Oh, but not for me."
> One of them had their RSA keyfob security code statically set at "111111" because it was just too hard to type in the digits (or they changed too quickly, I forget which.)
> He got written up in the security exception reports and such, but was high enough to be able to override it.
> At least it wasn't the code to the planetary air shield generator: 12345.
How did he get RSA to custom produce a keyfob with static numbers?
What's the point (Score:1)
Yeah, what's the point of security when someone can just email stuff?
Let's just give up.
Re: (Score:2)
The first rule of security is don't put all your eggs in one basket. Like a cloud with multiple users' data segmented but under one layer of sandboxed admin privs. If anyone thinks that is a good idea then just ask the NSA about it though that might still be a bit of a touchy subject for them with Snowden. In reality the only credentials that should have access to all data would be the service a backup runs under and the backup operator should have a healthy loyalty based paycheck. These are some old sch
Re: (Score:1)
Security through obscurity is not security, fox guarding the henhouse applies as well, these also could be elaborated on by the NSA, and being that they author security policy for the rest of the government explains a lot about the latest breach of security clearance information. This is part of a larger picture though, the problem is lack of government accountability. Corporations are pulling political strings, but the corporations got where they are because they got in good with the mob. I say we elect
Re: (Score:2)
"In reality the only credentials that should have access to all data would be the service a backup runs under and the backup operator should have a healthy loyalty based paycheck."
Not even that.
On a properly configured system for sensible enough data, agents you can't impersonate run on the clients and offer the already cyphered data to the central backup manager. The credentials that can back up the data can't restore it and vice versa.
On top of that, you segregate data/systems into security realms and you
No, just no. (Score:5, Insightful)
Nothing goes into "the cloud". I'm slowly getting sick of this cloud hype. In most cases it's useless and it's only a security risk - a risk no one can really weigh as the cloud is often maintained by an external provider.
Comment removed (Score:5, Informative)
Re: (Score:2)
Yes. Web is a return to the mainframe paradigm. People are enjoying the upside of this paradigm and while they are experiencing some of the downsides the ratio is such that mainly things are getting better. Once the environment becomes too monolithic and tightly controlled the freedom of "do whatever you want" will have huge advantages and we will see a shift away.
You already see this to some extent on mobile with Apple's push for performance away from the almost totally web paradigm that was popular pri
Re: (Score:2)
> In most cases it's useless and it's only a security risk
And yet here in TFS we not only have a use for it, but also a realisation that there are far bigger security risks than cloud storage of data.
How many companies have fallen victim to information theft of data stored in enterprise cloud systems? Compare that to how many companies have fallen victim to utter stupidity, lax internal security, poor practices in general etc
Re: (Score:2)
To make my analogy fit better, the two things should be unrelated: Just because I'll happily drive a car doesn't mean I should now climb a ladder when I could use stairs instead.
Re: (Score:1)
You drive a car because flying everywhere is expensive and not possible in most cases. You can't fly to the grocery store, to work, to school, etc. This isn't a very good argument. A better analogy is that you trust yourself to do car work better than you trust a mechanic. They are the expert and cost more to do the work but you have to read up on how to fix things and spend your time doing the work yourself. The expert costs money, you cost time (which is also money). Now your engine needs fixing. Do you p
Re: (Score:2)
Your analogy fails and also comes to a very common conclusion. It fails because flying and driving are two very different things that get you very different places. It's not a one or another option. Choice of data storage is.
The common conclusion actually fits perfectly into what I'm saying: Some people are afraid of flying. They should not be as they are more likely to die on the way to the airport than they are in a plane crash.
Re: (Score:2)
"My driving a car is statistically riskier to my physical safety than riding a bus. But I drive, because I have more control there. Sometimes convenience wins out over security."
My second analogy still stands (altered for clarity): "Just because I'll happily engage in one risky behavior doesn't mean I should now climb a ladder when I could use stairs instead."
Re: (Score:2)
The analogy stands beautifully. You do a risky activity because of the benefit it brings. You don't go cloud just because. You go cloud when there's a benefit to doing so.
That's been my point all along. You have something which brings a reward and you weigh it against the risk. The OP assumed all risk and no reward which was false and then compared it to another activity without analysing reward.
So the analogy which would properly fit the OP's proposition is you're driving a car, vs driving a car blindfolde
Re: (Score:2)
False comparison as moving data to the cloud does not reduce or eliminate the risk you mention. Adding new security risks isn't the brightest thing to do.
Re: (Score:2)
That's not entirely true though it is mostly true. There are cloud systems and MSPs (and cloud migration experts) that will work on top of many IaaS that offer: auditable procedures, security audits, practice improvement.... Obviously you can implement those things without cloud but for many companies the cost of a SOC is undoable but having a SOC through their MSP is doable.
Re: (Score:2)
> False comparison as moving data to the cloud does not reduce or eliminate the risk you mention. Adding new security risks isn't the brightest thing to do.
I didn't say elimination. Risk management starts with grading the risks. The risk of using a cloud service is very low when compared with the many other data security risks. The benefit of using a cloud service however can be numerous. It's scaled, offsite, provides a place for data redundancy etc.
If you care about your risk you would focus on the high risk options and not kill low-risk projects. Adding security risks may not be bright, but it may be necessary for the continued operation of a business. e.g.
Re: (Score:1)
We must be working at sister companies. Or upper management is "cloud sourcing" 80% of IT (the server part). I have no doubt that they will eventually get rid of company employees for "desktop support" and likely outsource it. Given them, probably to "Geek Squad".
Long ago we had "cloud sourcing". But we called it "remote time sharing". ref: http://www.computerhistory.org/revolution/mainframe-computers/7/181
What is old, is new again.
Re: (Score:2)
> Nothing goes into "the cloud". I'm slowly getting sick of this cloud hype. In most cases it's useless and it's only a security risk - a risk no one can really weigh as the cloud is often maintained by an external provider.
Perhaps you would like to sign-on for the newest IT trend then, "... in a box". Tired of the cloud? What is it? Where is it? Does it even really exist? You have none of those questions with "... in a box". With our premium subscription service, you can even have the best of both worlds, "Cloud ... in a box"! Our certified consultants with over a millennia of combined IT experience will install our Cloud ... in a box in your data center. You can see it, you can touch it, you can bring in your leadership team t
Re: (Score:2)
How is putting data in a high end professionally managed data center running a high end professional managed infrastructure system a security risk over what most companies are doing with their data?
Re: (Score:2)
"How is putting data in a high end professionally managed data center running a high end professional managed infrastructure system a security risk over what most companies are doing with their data"
How do you know any of that is true? How many people review the data center they are migrating to? How many people vet the employees in the cloud center? There is no incentive for the vendor to do any of that, it just reduces profitability. And the IT management can just say, "It is a professional Fortune {500
Re: (Score:2)
For a customer you can easily have a tour arranged. You can meet with your account manager regularly. You'll know the people assigned to your account.... Your agent can just tell you since we all go on tours.
I'd say most customers go to their data center at least once and sometimes more than once during the sales process.
You mean like an HR vetting
Re: (Score:2)
> For a customer you can easily have a tour arranged. You can meet with your account manager regularly. You'll know the people assigned to your account.... Your agent can just tell you since we all go on tours.
A tour. Is this middle-school? Sure, a tour is nice and fun... and always gives you a good impression, because that's what tours are for. Let's be honest, no company would allow, let alone offer, tours if it had any risk of leaving a bad impression to a potential customer. But if you are touring through a corporate Disney park, that they won't say.
The only way to verify what the previous poster addresses, is through regular audits covering all facets of production, management, troubleshooting, etc. You need to
Re: (Score:2)
It is not so much a bad impression or good impression it is an accurate impression. Obviously they are going to spin things positively. But it is not to their advantage for the customer to not know the upsides and downsides. They don't want to sell services they can't provide. So for example if the data center offers 24/7 smart hands they will present that. If they offe
Um... (Score:3)
... information is more likely to be accidentally emailed out to the wrong address then hacked.
Re: (Score:2)
Antonin is that you?
obvious ad (Score:5, Insightful)
advertisement in pretty clear form.
"I went to this company conference and they told me they're cool and I have nothing to worry when storing my data on their great services"
Re: (Score:2)
They double rot 13 encrypt it just to be safe....
What?!?! (Score:2)
Once all the data is in the cloud... (Score:2)
Once all the data is in the cloud... the only data breaches will be to the cloud itself. Because it becomes a tasty, tasty target.
I'm also positive that government regulators couldn't possibly find financial irregularities by grabbing your documents from the cloud service provider, since there's no such thing as contradictory laws which make it impossible to not be in violation of one or the other of them...
Re: (Score:2)
> ... government regulators couldn't possibly find financial irregularities by grabbing your documents from the cloud service provider, ...
The courts said you have no expectation of privacy once you put your data in the hands of a third party. Great! Let's convince all those "evil corporations" to store all their data in the cloud. Then the government can go after them any time they want. B-b
What if I told you... (Score:4, Interesting)
...that most "brick and mortar" banks have been outsourcing their "back end" account management (i.e., your money) to "the cloud" for decades? (OK, back in the day, no one called it "the cloud," but it was the same damn concept.)
What else do you think EDS, FIS, Fiserv, Jack Henry, etc. have been doing all these years?
bullshit (Score:5, Insightful)
Is data in the cloud vulnerable? Well, yes, all data everywhere is theoretically vulnerable and the cloud is no exception.
"the cloud" has proven time and time again to be not just vulnerable but exceedingly vulnerable to attack. what's worse is that companies are under no obligation to tell you when (not if) they get hacked. worse yet, they aren't held responsible for getting hacked, so all you can do is switch to a new "cloud provider" and pray it doesn't happen again.
Re: (Score:1)
> "the cloud" has proven time and time again to be not just vulnerable but exceedingly vulnerable to attack.
That wouldn't even be my biggest worry with hosting financial data in someone else's computer (let's call it what it is guys). The big worry is the guy who owns the someone else who owns the computer snooping through said computer to find out how a company they own that competes with you can outperform you in the market.
It's not a "what if?", it's guaranteed this will happen. In fact it's guaranteed this is already happening. Only a complete idiot thinks Google (for example) is not using Google docs and gmail
Re: (Score:2)
So... for the first production run, the vendor decrypted the data, then emailed it back to the entire project team to see if it was right. This was names, family members/relationships, addresses and SSNs for about ten thousand people.
One of my clients is a medical practice. They've got an internal, non-cloud practice management database, which is stored on a computer right in the office. They got an upgrade from the provider, as part of their service contract, which had a slightly different database format, which for some reason, the provider hadn't written the program to upgrade by itself; it had to be run through an upgrade process at the provider's location.
So, the provider's tech connects up using GoToMyPC, or something similar, g
instead of just posting here... (Score:2)
Just because an accountant is "satisfied" with marketing double speak about the "cloud", that just shows how clueless they are. If they think that offsite, connected storage is
Re: (Score:2)
"Just because an accountant is "satisfied" with marketing double speak about the "cloud", that just shows how clueless they are."
Of course, anything new needs to be analyzed and put into perspective, but I really don't understand this rabid hate for cloud services except being afraid of losing job security (OK, "cloud" is marketspeech, then let's call it for its real name: outsourcing).
Basically 99% of what's needed for our business is already outsourced: from building the place we are working on to most of i
Re: (Score:2)
After all, data about money can't be more important than money itself and money safeguarding/management has already outsourced to banks since, when? always?
"Next time there's a server security breach, I'll call my accountants to come fix it right?"
How's this any different to a physical bank security breach (aka robbery)? Next time the bank your accountants work with is robbed will you call them to fix the mess too?
You should look into how much people trusted banks with their money before the advent of FDIC. People trust banks with their money because the government is insuring it against theft or loss. No such guarantee comes with Cloud storage.
Re: (Score:2)
"You should look into how much people trusted banks with their money before the advent of FDIC."
This *is* a valid point. Just as current bank regulation and standards didn't grow overnight, these kinds of somehow novel services will need time to settle. Not an intrinsic problem of the services themselves but of their maturity status. But still you see the vast majority of critics are directed to the services themselves, not their development status.
You see, one can somehow compare current cloud services' s
Re: (Score:2)
Yes they do. There are many auditing agencies that supervise and audit clouds. For example once a cloud provider has agreed to be a data partner they become subject to HIPAA. And there are insurance programs you can buy that include data breach.
Re: (Score:2)
Sony was hacked because they were utterly incompetent and didn't believe they would ever be subject to an APT type attack. Financials, pharmaceuticals, social networks... have no doubts they will be subject to APT type attacks. So were Sony on a cloud Sony likely isn't successfully hit at all. Nothing happens other than the ineffective attacks the internet infr
Re: (Score:2)
GOP in the above is whom? I'm assuming you don't mean Republicans.
Captain! She can't take no more! (Score:1)
When I read this title: ENTERPRISE in cloud stood out. What happens when it rains? Clouds are notorious for dropping stuff on us helpless mortals.
It's a matter of trust (Score:1)
"Cloud" has morphed into a buzz word that providers want you to believe means "all your IT problems and costs replaced by a simple monthly fee", but in reality it's a private company that will lease you access to their private equipment which you can access through the Internet. Ignoring the same issues that exist with cloud or on-premises servers (administration, software updates etc) the issue is how you can trust the cloud provider's staff. If you haven't encrypted your cloud data it's physically acces
Great for lawsuits and discovery. (Score:2)
If company B has a cloud provide
Re: (Score:2)
This is somewhat true. Let's narrow a bit. First we are talking civil discovery only and then that's just an argument against IaaS vs. Colo though. Obviously for a criminal case where the government is seriously pissed i.e. the government issues a warrant and seizes the servers they will get the data in either case. Also don't kid yourself once they take the servers your IT staff can be terrified by "obstruction" type charges and will help them get data.
OK so with that off the table. If you intend to
Oh FFS (Score:1)
For goodness sakes, we've JUST HAD a massive hack of a Government resource of personal information, and this article is trying to convince us that the probability of a hack occurring and causing grief is not really within the realms of possibility.
Keep in mind that the Government works for itself, is not profit driven and has a vested interest in security (if only because breaches look bad in the public eye). Private organizations only have eyes for the $ and will cut corners if they think they can get away
Re: (Score:2)
Why do you think the government is that strict about security? The people making the decisions usually aren't held responsible. Government agencies have often been listed as having terrible security by the GAO.
Re: (Score:2)
You shouldn't trust the cloud providers. Even if the CSP and its employees are trustworthy, if they get a court order or double-secret-probation security letter, they have to turn the data over.
Whether that matters or not depends on what you are doing with the cloud though. If you are using cloud storage as a "big scalable drive in the sky", then you just need to encrypt the data on-premise where YOU control the encryption keys. Server(cloud)-side encryption helps with hackers, but not against three letter
Re: (Score:3)
*You shouldn't trust the cloud providers. Even if the CSP and its employees are trustworthy, if they get a court order or double-secret-probation security letter, they have to turn the data over.*
You *shouldn't* trust banks. Even if the bank and its employees are trustworthy, if they get a court order, they have to lock your accounts and/or hand your money to the government.
Re: (Score:2)
If the NSA, FBI, CIA ask for a copy of your data your IT staff will give it to them. Don't kid yourself. Your IT staff is not going to jail for their "at will" employer.
There are plenty of cloud providers with very rigorous controls and audit reports. That is readily available. Not
Nude photos (Score:1)
> For many, the idea of storing nude photos and other data in the cloud seems insane, especially considering the regulatory aspects that mandate how that data is protected. But more and more organizations are doing so as cloud providers start presenting offerings that fulfill regulatory needs — and people realize that nude photos is more likely to be accidentally emailed out to the wrong address then hacked.
And OP was stupid before I changed it to nude photos eg
Scary (Score:2)
Have you ever met anyone who worked in corporate IT? As someone who works in corporate IT let me tell you, 99% of them are idiots. And that's being polite. Your data isn't any safer in their hands than Google's.
I love Cloud to Butt (Score:2)
Title: "Put Your Enterprise Financial Data In my Butt? Sure, Why Not"
The tag-line to the dullest porn *ever*.
my cloud idea (Score:1)
a hosting platform for your company's secret patent and financial data, you store it on my servers, i sell it off to your competitors, the company is closed and i go retire... since it's an american corporation i won't be held liable for my subterfuge, worst case i blame it on "hackers".
But don't answer yet! (Score:1)
I'm working at a government agency as a contractor. Not only do they want to outsource the servers, e-mail, v-mail, they even want to outsource the desktop. No, really. When we login, we're actually firing up a win license for our desktop to run the local vdi stuff to get to the real desktop (somehow we're saving licenses, though we aren't). You can't do anything with the local box other than run the vdi client. That desktop - another license or so actually runs our stuff. This is for an agency of more than