The other day I wrote a post titled "While the fat versus thin debate is no longer relevant in the cloud, ownership of and accessibility to sensitive data is now the key consideration", in which I broached the subject of data security in the cloud, especially as it relates to unwanted government access to confidential information.
The real question is how you operate in a global business community without compromising your own interests, or those of your partners or customers, in a way that avoids a lawsuit such as the current action involving Amex.
The answer, as my 49th Parallel co-host Jim Bouchard would say, is simple, not easy.
With this seeming paradox in mind, and rather than offer my own two cents on the subject (after all, you can read what I have to say anytime), I sought out the opinion of another of Procurement Insights' resident experts on the question of data ownership and access.
Renowned author of books such as Surviving Cyber War and of the highly informative and controversial ThreatChaos.com blog, international security expert Richard Stiennon provided, in his usual succinct fashion, incredible insight into the post referenced above.
Here is what Richard had to say about data ownership and security in the cloud:
Very interesting piece, Jon. I have not been tracking the Amex case. I was familiar with Canadian and European concerns over using data centers in the US, particularly for email archiving. There is a widespread fear that the NSA reads everything, or at least has the power to grab those records. The other way, when data is stored overseas, giving the NSA jurisdiction, I had not seen.
That said . . .
Protecting data is actually quite simple, Jon. ALL data should be encrypted ALL the time in the cloud. View your provider as the enemy. They cannot control their privileged users and they are subject to subpoena or lawful intercept. If encrypted and if the encryption keys are stored off the cloud, you have control over your data and do not have to worry about third-party jurisdictional issues.
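Richard's recommendation in working form, as an added example that is not part of this post or of Richard's writing: the key lives only in a local Client, the CloudStore stand-in (a constructed map, not any provider's API) receives nothing but AES-256-GCM ciphertext, and it goes one step beyond the quote by binding each object's name to its ciphertext so a blob the provider alters or relabels fails to decrypt. The names CloudStore, Client, NewClient, Put and Get are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CloudStore stands in for the provider's storage (a constructed stand-in for
// this example, not a real API). It only ever receives ciphertext.
type CloudStore map[string][]byte

// Client holds the AES-256-GCM key on the customer side, off the cloud.
type Client struct{ aead cipher.AEAD }

// NewClient wraps a 32-byte key loaded from a customer-controlled key store;
// the key never appears in any call that touches the CloudStore.
func NewClient(key []byte) (*Client, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead}, nil
}

// Put encrypts before the data leaves the client. The object name is bound as
// associated data, so a blob moved under another name will not decrypt.
func (c *Client) Put(store CloudStore, name string, plaintext []byte) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	store[name] = c.aead.Seal(nonce, nonce, plaintext, []byte(name)) // nonce||ct||tag
	return nil
}

// Get fetches the blob and decrypts locally. Anything altered on the provider
// side fails GCM authentication and returns an error rather than bad data.
func (c *Client) Get(store CloudStore, name string) ([]byte, error) {
	n := c.aead.NonceSize()
	if blob := store[name]; len(blob) >= n {
		return c.aead.Open(nil, blob[:n], blob[n:], []byte(name))
	}
	return nil, errors.New("object missing or malformed")
}
```

A subpoena served on the provider yields only the contents of CloudStore, which without the customer-held key is unreadable.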
So, what are your thoughts relative to Richard’s recommendations? Do you agree or disagree?
As always, use the comment space in this blog post to throw your hat into the proverbial opinion ring.