The Patchwork Cloud - "Breaking laws you didn't know applied"

GigaOM is running a summary wrap-up of their Structure 2012 conference and it raises some interesting questions, and should raise your eyebrows a bit.  It would seem as though through the seemingly religious quibbling about how the cloud should be built and run there runs a recurring theme - legal implications of hyper-scale cloud computing.

 

Note: I just want to make it clear that I'm neither an attorney, nor am I offering you legal advice, but this topic simply begs analysis and conversation.

 

On the off chance you're running your business "in the cloud" you're probably starting to think about what my colleague Christian Verstraete calls "computing without borders".  When all the servers you were using were physical and you could, on command, go and point to them - life was relatively easy compared to where we're going next.  From tthe article, here were a couple of speakers at Structure that mentioned "software defined data centers" (which is a new concept to me, admittedly) and the types of capabilities that super-agile companies are looking for such as completely deconstructing the physical server as we know it today.  Are we on the precipice of seeing an extinction of the physical server?  Only time will tell ... but there are more than just the physical vs.. software implications here.

 

In particular, what caught my attention is a piece at the end about how any organization using DropBox is probably breaking the law.  First reaction ... what?!

 

 After I thought about it for a while it makes perfect sense.  Dropbox allows you to store data in any way you please, and you can store medical information off a computer in Canada, which means it's stored in "the cloud", and you can log in from the US, or anywhere else in the world and download the data in the same format... data without borders.

 

I can only imagine how many organizations have Dropbox, or Box, or SpiderOak, or some other data synchronization service and are storing patient, secret, or proprietary data in the cloud while breaking corporate policy as well as national data laws.  This makes this type of cloud service both extremely beneficial, and dangerous at the same time.  While you can't always account for your employees' actions you as an organization will still be held liable for them.  The explosion of computing operations without physical boundaries and physical systems is bringing this entirely new level of change and confusion.

 

The typical security-minded reaction of "simply don't allow it" is invalid, I'll just say that straight off.  I can tell you that if you disallow cloud-based file synchronization services as a whole, on company assets people will find a way to be productive in spite of your policy lock-down, and will still get creative and accomplish the same thing.  The challenges of dealing with a completely connected, ubiquitously computable world are that data can be moved, stored, and used anywhere and that the infrastructure that moves that data around is less and less under your control.  That's an interesting thing for information security professionals...

 

I see one solution, and one solution only to this problem.  Organizations must learn to protect data itself, not the systems or pathways on which it travels.  We've failed with DRM (Digital Rights Management) which is cumbersome, breakable, and largely ineffective - so what's the actual answer?  I'm not sure ... but it will be an evolutionary step forward in the way we as technologists see data.  This is a challenging time, and we need evolutionary thinking, not the same old draconian policies to keep our data and information safe.

Comments
Michael Fornal(anon) | ‎06-25-2012 11:25 AM

Raf,

 You bring up a very interesting topic. Cloud storage is a hard one and i think its going to be a new fight for security professionals much like BYOD has been for the last few years. In my current place sites like Dropbox etc. are blocked because they aren't HIPAA compliant but I'm sure someone has probably found a work around. I agree with you in that simply blocking them is not the answer. I'd be interested in knowning what other companies are doing with this issue. i know some allow it but have put restrictions on what can be uploaded to them and others have created an extranet type enviroment so files can be uploaded and at least monitored.

 

Thanks,

@fornalm

Matt Joyce | ‎06-27-2012 04:16 PM

When we were first deploying OpenStack at NASA under Nebula, we had some very interesting issues as a result of FISMA and local compliancy concerns. 

 

Private cloud is more or less a necessity for anyone doing financial services, healthcare or government.  And there's nothing wrong with that.  Most of the providers in that area should be hosting their own data.  That's just being responsible.

 

At the end of the day how you architect a cloud comes down to risk assessment and logistics.  Nothing else.   I'd love to drop some dox on how we've architected some very flexible openstack deploys in restrictive environments.  Submitted a talk for the cloudopen event... but no joy on that.  =/

 

Maybe I'll just blog it.

Julia Mak(anon) | ‎06-28-2012 01:31 PM

I do agree that using existing consumer cloud services like Dropbox, Box are often breaking corporate policy and security requirements. The root of the problem is that existing service ask their users to upload content into the public cloud in order or provide mobile access. If the demand is about access, then IT can actually leverage Oxygen Cloud to provide mobile/cloud access to data while still keeping all corporate data on-premise within their own storage and maintain control over policies and infrastructure. 

 

As a disclosure I do work for Oxygen - a lot of our customers come to us to solve their "Dropbox" problem. BYOD isn't going away and users expect to be able to work mobile the way that they are accustomed to using their own phones and tablets. Our approach it to enable cloud access to private storage, so IT won't have to lose control or violate security and compliance policies. 

 

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
About the Author


Follow Us
Community Announcements
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation