There is no absolute data security anywhere: can you accept that?

It is a fact that your data can be accessed by government agencies exercising appropriate authority at any time, whether it is in the cloud or in your basement server room. Are you OK with that?

Last week, in association with the release of Microsoft Office 365, I asked a simple poll question: Is it practical to run your business via online subscription services? After seeing this article from Zack Whittaker over on sister-site ZDNet, "Microsoft Admits Patriot Act Can Access EU-based Cloud Data," I am wondering if I should have asked about data security.

I am not trying to be an alarmist. After all, it is a fact that your data can be accessed by government agencies exercising appropriate authority at any time, whether it is in the cloud or in your basement server room. For cloud users, the difference lies in knowing whether your data has been compromised.

When the FBI shows up at your door, flashes a warrant in your face, and then removes servers (not always the correct ones) from the premises, you will notice. In the cloud, unless your service provider shares the information, you may never know. This gets complicated because the rules about such things can be very different depending on the nation where the data resides and the nation where the service provider resides.

So, I guess the moral to all this back and forth is that your data is not absolutely safe no matter where it is. Not a very comforting thought, is it? Is that just a fact of life that we all have to learn to accept?

About

Mark Kaelin is a CBS Interactive Senior Editor for TechRepublic. He is the host for the Microsoft Windows and Office blog, the Google in the Enterprise blog, the Five Apps blog and the Big Data Analytics blog.

49 comments
dhamilt01

All previous civilizations have collapsed ... due to the evil at the top. When the rich and powerful start getting scared their time is up, they start that downhill slide into anarchy by attacking the people. Today, it's your data they take to find out what kinda threat you pose to them. Tomorrow it will be your front door they'll charge through and you'll never be seen again. Can you spell Fascism boys and girls?

Con_123456

We should use a good encryption method before sending any private data to a public area, like cloud, e-mail or Internet.

vaughanm

My data is backed up on a portable hard drive, along with all my important records. This cannot be accessed because it's not plugged in, so it's safe. Sure, someone can hack into my computer and see what's on it, though I would notice as I watch my data usage, and when there's no reason for data to be flowing and it is, I investigate.

pschulz

This is the only answer. Cloud services are invented and propagated for the sole purpose of creating an utter dependency on the internet. Think of it - if everyone has their company data and operations all on the cloud and now someone disrupts the internet. Such as a hostile nation in a war. The entire nation's operation dies - nothing works, nothing can be done. Does not require weapons. Can be done by viruses. And is being done by viruses right now. You don't believe those unbelievably advanced viruses such as Conficker and the like are really created by some back-house hacker, or even a commercially oriented gang of criminals? It's governments, NSA, CIA, FBI, you name it. Our only defense is - DO NOT USE CLOUD SERVICES. They are not here to help. They are here to lull us into a trap of magnitude. The "safety" is really only a marginal concern. You say it's as easy for the FBI to get your servers as getting it on the cloud. Well, it really isn't, and there is still quite some more work to be done. And crashing an entire nation cannot be done if no-one uses cloud services and no-one depends too much on internet-only operations.

pschulz

Your idea that Europe should be "protected" from the US laws is completely wild. It's already much worse in EU than in the US and has always been. The only difference might be that they don't have as big supercomputers to crack the codes. The US was formed to escape from the tyranny of Europe. That it repeats the tyranny since shortly after its inception is not new either, except to the uninformed public duped by Hollywood movies and the press controlled by the very same people. Just to open your eyes - you probably also believe that Lincoln fought the war against the south states to liberate the slaves, do you? That's as false as anything can ever be. He openly and publicly stated before the war that he does not consider black slaves people of equal rights than white men. The war was dictated by pure financial interests (incidentally just like the current ones in Afghanistan (drugs) and Iraq (oil)). Lincoln spoke about liberating slaves later, when France, England and Russia threatened to enter the war - those Europeans wanted to side with the South to kill the North which represented the free independent America, and Europe wanted its colonies back. So Lincoln announced that his intent would be to free the slaves - and this turned the act of siding with the South into an act of suppressing slaves which was politically unacceptable to those nations. Mere politics, not humanity. While this all sounds like the seemingly unpopular "conspiracy theorists", I invite you to actually trace down who owns the press, in any country of the world. You'll end up with less than a dozen men, on the entire planet.

thegreenwizard1

Actually, if I'm not wrong, this is the only country which provides privacy to the net. But to send your data there... you go first on the NSA watch system. So that's a catch 21. The best is to never put any vital information in digital form. That's why we have memory.

l_fox2

Only thoughts are secret.

HAL 9000

Way too many authorities can access your data with sufficient Paperwork and it's always been that way. All Telephony is intercepted and scanned so all E Mail/Fax and so on is readable. Even Encryption Programs Must have a Backdoor built in so that the various Government Departments can read what is being sent by suspect individuals. Digital Phones could not be rolled out before a way to intercept the voice and Text Communication was available and in place, the same applied to Smart Phones they needed a way to intercept what they were being used for. However the idea of security was never to prevent the Authorities from accessing the Data it was always to prevent the competition from getting access to the Data. After all if a Government Agency takes your Data they are not likely to show or sell it to your competition so it's still relatively safe in their hands or at least a copy of it. Where real security is involved is to prevent others not in Authority from accessing the Data that you have to keep safe. In the country where I live I can think of 3 places that Intercept all Telephony and one of those is owned by a Foreign Government. The problem that I have is the complete waste of resources duplicating the same thing so instead of one of those Monitoring Places doing a specialist job they all do the same thing and do not share information with the other places. I really don't see the point of this article so what am I missing? Col

Spitfire_Sysop

You need mirrors of your data all over the planet for disaster assurance. You need at least one copy in a place that can't be raided by the FBI. It's disturbing to think that you might lose data because someone else in the cloud broke the law. I recommend hosting from international waters.

Michael Kassner

Before any kind of decision can be made. I suggest starting with absolute

santeewelding

I believe there is no alternative but for me to hold my breath until I turn blue and expire. Not until, though, I go back and re-think what "me" means. That, and the meaning of "data" in relation to "persona". Maybe I have been careless. Maybe I have confused data and persona with "me". Could be that "I" am not at risk -- ever. I don't care if you understand what I'm saying, or not. Devil take your data and your hindmost.

robo_dev

As we all know, the only way to make a computer 100% secure is to switch it off. The fear, of course, is when technology moves faster than the security and controls that are needed. Take cloud computing, for example. Here you have issues wrapped up inside of other issues. Your data is 'somewhere out there', and the cloud provider has said 'trust me' so it's all secure, right? On one side of the debate is the fact that the real issue here is outsourcing, and how you validate and manage your service providers. Is an SLA and a SAS-70 enough, or do you need to do a complete due-diligence exercise, which would wipe out the cost savings of doing the project in the first place... The flip side of the coin is when those who I call the 'Evil Google Government Conspiracy' types talk about 'the cloud', they say they would never in a million years ever ever put their data in a cloud, ever. Then I confuse them a bit by pointing out what the 'Google Cloud' is: It's a bunch of servers, in a bunch of data centers, with a bunch of disk drives. Now reach into your wallet:
- your driver's license (with photo and fingerprint) lives on a server, in a data center, on a disk drive.
- that credit card, along with your credit history, every tax return you ever filed... all these exist on servers, in data centers, on disk drives.
Where is this data? No clue. Is it in the cloud? Could be. Are the security controls over this data adequate? 404 on that. Is this data in other countries? No idea at all... And so it goes. There never has been more or less security over your data, you just never thought too much about it.

Mark W. Kaelin

Your data is not absolutely safe no matter where it is. Is that just a fact of life that we all have to learn to accept?

HAL 9000

At the time most people seemed perfectly satisfied to allow things to continue as they always had. Be that the Roman Empire or Germany prior to WWII. Remember that Hitler was Democratically Elected and as he was the will of the People he must have been what they wanted. Same for Amin as well if you want to carry on like that. The truth is that when things are OK for most people they just accept who they are offered and will make a choice on who they feel will do the best for them at that time. The Systems that you are looking at were OK for the majority of the people at the time till they got corrupted and then they fell along with the society that promoted them at the time. At some point in the future it's perfectly possible that Historians will look at what we call Democracy and be providing long dissertations on the evils of it compared to their current system. Till we find a Perfect System we just make do with what we have. ;) Col

Lamini

Yes, you can trust us and all your personal data, business & company proprietary information, your sensitive info, your trade secrets, on all of your hard drives, just skip all the fine print pages and sign here...

pgit

Put your data on DVDs, pack it in a box with cookies wrapped in tin foil and mail it to a host in Iceland. :)

AnsuGisalas

it was designed to perpetrate industrial signals espionage, to "level the playing field" for the corporations of participating nations. The claim was that they were losing market shares to companies relying on corruption. Which may have been the case. So, that's one government agency in the hands of which no secrets were safe.

dogknees

>>Even Encryption Programs Must have a Backdoor built in so that the various Government Departments can

How do they put a backdoor in an encryption program I (or anyone else) write myself? Seems a bit of a stretch to say they can do this in ALL encryption programs. I think the reality is that you can be secure as long as you're prepared to do a little work yourself and not rely on other people's products.

pgit

I would consider having a dummy mirror that has bogus, but similarly structured data, and make it known this is "your data," so that if they seize it they will hit the wrong facility. A tall order for some, but a small business does this regularly, the "two sets of books" phenomenon. But yes, regardless you better have a copy somewhere you can keep to yourselves, if for no other reason so you can continue to operate normally.

bboyd

They drop in a phone home in your outgoing data. It phones home from each mesh location. The FBI removes the homeland based servers. The State department requests the ones in friendly nations. The CIA uses Chinese proxy servers to smoke the remainder. Or, more simply: The NSA decides you violate some provision of the Patriot act. A judge secretly orders a search warrant. The Phone home program uses the MS backdoor to smoke all the data. (This paranoid delusion brought to you by conspiracy theories Inc.)

pgit

You apparently have thought hard about this. See my post above "we're doomed then." There is a DISTINCT difference between your flesh and blood and the "person" the government deals with you as. The latter has zero "rights," merely privileges. You have to assert your unalienable rights or they run roughshod right over you. You will prevail if you assert those rights correctly. The way they have the system rigged, the way to do that is to assert nothing, actually. You ask one question that they cannot answer without proving they are moving in fraud. I worked with a fellow who used to get himself into court as often as possible, for the sheer sport of aggravating a bunch of self serving criminals acting like they have authority. You call them "the justice system." The guy was a hoot and a real treasure, bless his soul. He passed away in Russia, after the "authorities" finally resorted to using their one true "authority" against him: raw violence. They could never beat him in their own so-called courts. He was one of a half dozen people I studied all this with, for well over a decade. I personally put in over 10,000 hours reading cases, laws and regulations, congressional records, writings of the founders and a lot of ancillary stuff like the histories of religion and society as a whole, including governments. If the American people knew 1/10 of what I have seen there would be a revolution tomorrow morning and the entirety of DC would be fenced in and turned into a prison. Believe me, they are not your government down there. Absolutely not.

Spitfire_Sysop

That was the first post of yours that I actually did understand! Very existential. I think the Buddha would agree with you but he doesn't believe in the devil. I concur.

Jean-Pierre-

You said: "As we all know, the only way to make a computer 100% secure is to switch it off." You forgot one thing: the bad guys could still physically access your computer.

Spitfire_Sysop

Make new laws. There are things we can do as a people to fight back. Until we are truly safe and free we will have to get creative.

pschulz

happened next? I know of a guy who did it, he had no clue of "standard" encryption algorithm so he invented his own, quite clever one, and used it in some file transfer program between offices in his company. You won't believe it - a few weeks later the office was raided and they took that computer away. They didn't take anything else. Never happened to him before, and there was no data of any value in there. This was France, by the way, not the US. And it didn't happen in 2011. There was no Patriot Act yet. So nothing you write about here is new. Remember your history - Europe has a longstanding tradition and experience of suppressing its populations any way they can. Your idea that Europe should be "protected" from the US laws is completely preposterous. It's already much worse in EU than in the US and has always been. The only difference might be that they don't have as big supercomputers to crack the codes. And believe me, there is no code which cannot be broken. It does not matter if there is a back door or not. A text of 100 characters does NOT have an infinity of encoding or encryption possibilities. Try them all with a Teraflop supercomputer and you get the data. The backdoors are for mere convenience. Just look at the computer viruses around - the famous Conficker virus used an encryption algorithm a week after it had been completed in research by some university. Who is really behind this game? You can guess for yourself.

HAL 9000

How many Crays or similar do you have at your Disposal? Ever heard of M$ Coffee or any of the other Utilities made available to the Law Enforcement & Government Authorities? Why were Digital Phones not made available to the General Public till after the Government Agencies had the means to listen in? Probably more importantly what makes you think reasonably that you could write an Encryption Program not based on existing Technology that has been cracked by these people? Or Just how is it that a Guy I brought into the Agency knows exactly where I am whenever I use another's computer without accessing my Personal Accounts for anything? Why is he constantly telling me that I have a position whenever I want to return and he tracks me? Col :^0

HAL 9000

I mentioned above I have a different perspective. :D Col

pgit

I used to teach a computer science class, I would get some point across then show the students how it could be used for nefarious ends. This always really nailed the underlying concept, better than giving them the "actual use" scenario. Then after they saw it, I would add "and you can bet that if a shmoo like me can fathom this, then somebody out there is damn sure already doing it!" So if it is at all technically possible, guess what...

Spitfire_Sysop

They only wish they were that good. Thanks for the delusion of the day. Let us all hope it does not come to that.

robo_dev

would cause deafness to blind man...or something like that.

jsaubert

... the only way to make a computer 100% secure is to unplug it and then melt it down.

old graham

Ha! So can the good guys! At least the guys holding the warrant.

Lazarus439

You can't be both. The same freedom you want to enjoy allows the miscreant to rob your house, steal your car or assault or kill you. Laws are meaningful only to those who choose to obey them. I am far less worried about the big, bad government seeing my stuff than I am about a criminal getting to that same data and stealing my identity.

mikev9359

This is a great ideology, but the true, simple fact is that you cannot be truly safe AND free. Also, if you are TRULY free, you will never be safe. THAT is a FACT!!!!

s046007

Okay, this is not IT related but is security related to this article: why not get out and vote next time elections are held? You don't need to reply but just ask yourself if you voted during the most recent election in your area, and if you didn't, don't justify or make the excuse to yourself that "I didn't vote because nobody's worth it or it doesn't matter anyway it's all a sham." Voting for elected officials is our only recourse. That or start your own grassroots campaign to make some changes. All I am saying is put your money where your mouth is.

dogknees

There are several good encryption algorithms in the public domain. Implementing them is no different from implementing any other algorithm. Use big enough keys and it will be secure.

HAL 9000

But it gets more than a bit disconcerting when it happens all of the time. :D The poor sod still thinks I did him a favour and helped him no end so I suppose he feels obligated to return the favour. :^0 Col

HAL 9000

Wasn't the net though but at the end of the month the Phone would drop out on a very regular basis. Several times a day and it got to the stage that I would pick it up just to check that I had a dial tone every time I walked past. 4 call outs didn't result in any solution and again next month the same guy would come out and say nothing wrong this time either. The last time he came out the phone was out so he looked a bit deeper. Rebooted the Modem and walked away. 5 minutes later it was off again so he pulled the cover off the Box on the Street and half a gallon of water flowed out. Apparently those things aren't meant to be Water Cooled. :^0 What I found interesting was just how many of the electronic components fell off the circuit board and the thing still worked. ;) Col :D

TD88888

I had the same problem. Took 6 months to convince Comcast. No problems since. The internet connection is very sensitive, so you might not notice a problem with your TV.

pgit

I don't care who's doing what to my internet connection, but dang it can ya make it seamless? I get booted off the net every 4 minutes now that I got the cable-phone modem, it's pissing me off... ;)

AnsuGisalas

I can clap with one hand (either), and the sound is - sadly - rather mundane.

ben

If by "the cloud" we mean internet-based computing, then remember the internet knows few jurisdictional boundaries. While it'll be great fun for legal minds to debate domestically the expectation of privacy, there are many other government and private agencies not bound by US law who will not really care what our courts decide. Definitely figure that into the risk analysis.

pgit

Dood, if voting changed anything, it would be illegal. No, we need an "American spring," but a successful one, not the sham globalist puppet swap going on in the middle east. News flash: government doesn't work for you or a mythical "the People," it is its own carnivore. And a tip to Mark: they almost never have any true "authority." Government cannot be the author of its own authority. That is the very definition of "authoritarian." The so-called "courts" are a sham. Ask them to show you where they derive their "authority," how they were created and from what part of any constitution they arise. You'll see some very interesting things happen in a hurry if you do. Nowhere in the constitutions or in any "law" does it say the government may initiate a lawsuit against any flesh and blood man or woman. So they don't, they wave a wand and you become a "person," a fiction. They go after that, and you believe it's all A-OK. It ain't. Wonder how they "elevated" corporations to "person" status recently with the supreme "court" cases saying they can give as much money to a political candidate as they want because it's "free speech?" Guess what, they didn't. They merely clarified that YOU, being a person, is no better than a corporation, which is equally a "person" in the eyes of the "law." It really is that simple. It won't stop goons at the door with guns, but depending on what capacity you are acting in, you can get them to drop any issue that would impact your life, liberty or property in their courts. Just food for thought on this Independence day, not to be conflated with "government day." http://batr.org/reactionary/070311.html For instance, when was the last time you were allowed to calculate a "profit loss statement" and deduct expenses etc, in figuring out your "taxable income?" If a corporation is a "person" with free speech rights and all, and YOU are a "person" on equal footing... why can't you deduct the light bill, phone and internet, upkeep including food, your travel expenses etc, just like your brother and sister corporations do? If a corporation gets caught KNOWINGLY dumping billions of gallons of mercury laced dioxins into the Niagara River, they can shutter the doors and go bye-bye, and nobody can touch any of the human beings responsible for the damage, regardless of how bad it is. It's just "oopsie!" and the bad guys walk under a shield of "limited liability." But you get caught dumping one load of used motor oil on your own property and watch what happens. There has been jail time for this. So when are we gonna reassert our independence here, People? Anyone with me? EDIT: I have corresponded with this fellow, we disagree on a couple things, but this video is DEAD ON: http://www.youtube.com/watch?v=BFNdUeCAZa0&feature=player_embedded

Spitfire_Sysop

I did vote last time around and I have since I was 18. I didn't see anywhere on my ballot anything about the patriot act. There was not a measure to restore my freedoms. I have written my local congressmen and senators and found that they support a lot of the same things I do but they are the minority. We need to raise national awareness. One way of doing that is through legal action. Another way is public opinion like this forum or other media outlets.
