I started writing this post after learning about the data breach that
happened to President-Elect Barack Obama. Midway through the post, I decided to
make it a part of the SaaS Risk Reduction Series. This is the fourth post in the series.
Recently, the tech blogosphere was buzzing with news about the data breach
that happened with President-Elect Barack Obama’s Verizon mobile phone account.
This raises important questions about the security of our data in the hands of
third party vendors. As cloud computing evangelists, we need to address this
problem again and again until SaaS users are made aware of the risks involved
and how they can be minimized to take advantage of the power of SaaS.
Well, if you wonder about how this incident is related to SaaS, this post is
just for users like you. All our digital communications, whether telephone,
mobile phone, VoIP, email, web browsing, web search, etc., leave a
trace about our activities on the third party (read vendors) servers. The
actions are recorded for various reasons, with security being the most important
reason. The trail left by the users of digital communications can be exploited
to get information about people and/or their business activities. Remember, even
if you use proxy services, you are leaving a trail with some third party servers
and if you are in doubt, please go and ask the son of the Tennessee State
Legislator who used proxy services to log into Sarah Palin’s account. What
happened to Mr. Obama falls into this category.
If the trail left by the users of digital communications in the log files
sitting on the vendor’s servers can expose information about the user,
irrespective of whether it is due to an overzealous employee or hack attack or
government subpoena, imagine what could happen when we put all our data,
including documents, personal photographs, banking information, etc., into
either a cloud based storage or with a SaaS vendor. Clearly, it is a very
big risk for anyone embracing the idea of cloud computing and SaaS. The threat
is real and if anyone dismisses this as unimportant, the person is either lying
or ignorant about it.
Having said that, I want to point out that this risk is not
unique to cloud computing and SaaS alone. The same threat comes into
existence the moment we let another person get our data in their “hands”,
whether it is an employee sitting at a desk going through paper based filing
cabinets or an employee using a desktop computer or when a desktop connected to
the internet is used to store data or a company storing the data in an in-house
data center. The same kind of threat is present in all of the above mentioned
instances. If anyone thinks that storing the data in our own datacenters is
foolproof, they should call Intel and ask them about their
story.
There will be fear mongers, whose business interests are threatened by Cloud
Computing, and there will be people who have careers loving these businesses.
They will all predict doomsday scenarios when talking about moving the data and
the apps to the cloud. Such fear mongering always happens whenever there is a
technological leap like the current jump to cloud based computing. Ask your
grandpa about what happened when he first started using the telephone in his
business. He might recount the fear mongering that happened around telephony in
those days. Fear mongering is a natural human behavior that happens either due
to complete ignorance or due to vested business interests. Such fear mongering
should not stop anyone from moving to SaaS based applications or cloud based
storage of their data. Any failure to adopt newer technologies will leave a
business in a totally disadvantaged position, especially in today’s fast moving
global recession economy.
Even though I will disagree with the idea of not moving to the clouds because
of the risks mentioned above, I would strongly urge every SaaS user (and the
prospective ones) to do research about the SaaS vendors (especially if they are
startups) before putting data into their cloud. Such checks could include:
- Checking out the company’s background, including finding information about their financial backers
- If it is a startup, checking whether the top management is visible in the tech blogosphere or whether people like Robert Scoble have interviewed them in their videos, etc.
- Checking whether they identify themselves properly in their “About Us” page and make their company postal address and telephone number available to the public, etc.
Once you do the necessary background research about the company, you should
at least ask them some
of these important questions and get a satisfactory answer.
If users take care of all these precautions, they can definitely minimize the
risks associated with moving their data to the clouds. It is foolish not to fly
just because there is always a danger of an airplane accident. It is the same
with SaaS adoption. A SaaS user having their data breached is
less likely than the data breach of Mr. Obama or the data breach that can occur
inside a data center where your company’s servers are hosted or the data breach
that can happen in your bank or the data breach that can happen within the
confines of your company by a rogue employee. It is, definitely, less likely
than any privacy breach that can happen to citizens when the government asks
telecom companies to let them listen in on the citizens’ telephone calls. We should
not be missing out on the upsides due to some risk that is similar to the risks
we face in our everyday life. A successful business will be smart enough
to understand the risks due to various threats and act wisely rather than just succumb to any
fear mongering. A smarter way to do SaaS is by understanding the risks and
minimizing them.
Previous articles in the series:
- SaaS Risk Reduction – Open Format
- SaaS Risk Reduction – Don’t Keep All Eggs in One Basket
- SaaS Risk Reduction Series
Krishnan,
I believe that this incident is being hyped up to be more than it seems? As far as I know, it was about three employees who checked out Mr. Obama’s billing information without due authority or reason?
This sort of thing is not really dependent on whether you are a consumer or provider of SaaS services? Even my dear old Mother is susceptible to this sort of protocol breach and she hasn’t even got a computer.
Every day, post office workers, telecom company technicians, police officers, public servants etc. have the ability and knowledge to pull up some sort of transactional history on me. I think in this day and age it is impossible to prevent this (although it is easier to detect), and if you are a public figure, then you are infinitely more attractive as a target!
Cheers,
Devan
That’s exactly my point too. Such risks are everywhere.