Amazon has announced its new storage service Zocalo aimed right at the enterprise market. This is notable because Amazon has served as the backbone of the file storage industry for the last five years. Simple APIs coupled with massive storage capabilities and extremely competitive pricing resulted in Amazon becoming a central pillar in the design of many cloud-based and hybrid storage systems. This is a subject close to my heart because I’ve spent significant amounts of time mucking around in their ecosystem and have my own storage product built on top of it called SenderDefender. When I first saw the article, the first thought I had was, “great, more competition,” but in reality what we have is more of the same.
Companies that leverage systems like Dropbox, Box, or now Zocalo are making a mistake. They are ceding complete control of their data to a third party, and in exchange for inexpensive and accessible storage are opening themselves up to a host of insider threats. A few months ago I gave a talk on insider threats in a military setting, and there is a common misconception that the term only applies to the employees within an organization. The reality is that it applies to the employees within every organization that you interface with. When you leverage services like Amazon’s Zocalo offering you are dramatically increasing the attack surface of your company.
The attack surface is a nebulous security phrase, but it boils down to the idea that the more systems, components, and people who have access to your internal data, the less secure you ultimately are. Now, in addition to worrying about the disgruntled former employee, you need to worry about Amazon’s disgruntled employees, and Dropbox’s, etc. There is an amplification effect at play that results in a greater chance for corporate espionage and data theft. These are very real issues that target American corporations and individuals in the form of identity theft and fraud every single day. People are all too willing to exchange security for convenience and cost. The weakest link is always the person with the most access, and the most to gain from a security breach.
Now, as a small business owner or individual, you may think this doesn’t apply to you, that you aren’t a target, that nobody is interested. The reality is quite different. Your data is commingled with that of thousands of other companies on shared servers. Someone could be targeting SSNs or credit card numbers; maybe they are just grabbing all Word documents, or files that include actionable intelligence. They can do mass collection and sweeping where your data is just collateral damage. Numerous companies have already been compromised because of the lax data security policies of most cloud service providers. I haven’t even started talking about Google Drive and Microsoft OneDrive, both of which have similarly atrocious security policies. They have a vested interest in being able to read your data; the advertising business model depends on it.
The thing is, there is a real solution to this problem. Cryptography. Strong, user-controlled cryptography that denies third-party organizations any access to the underlying data. SenderDefender is built on those principles: that nothing short of mathematical security can keep people out of your private data. As we consolidate onto cloud services, this is becoming increasingly important. Why would you trust Amazon or Dropbox or Google with your private legal documents, personal information, medical history? Yet people do, every single day, because they have masterfully blurred the lines. There is a perception that your data is private, when in fact it is completely open, accessible, searchable, and indexed. We need to support next-generation services that provide convenience and ease of use, while also taking a real stance on these issues.
I’ve said it before, but it’s time for a corporate version of Megaupload: a completely opaque, well-integrated, and seamless encryption experience for everyday users that keeps their data away from the prying eyes of government, malicious hackers, and profiteers. We are tantalizingly close to being able to realize that experience, but consumers need to be educated about the risks involved when they use online storage services, and the potential monetary benefits of keeping full control of their information.