Information Security – Clouding the Issue

0
4371

Ever since the National Security Agency (NSA) revealed that they had secured access to private information from IT and communications giants, the public has been understandably jittery about the safety of information in the cloud. It didn’t help when Edward Snowden revealed some of the more disturbing details of what goes on within that organization and others that spy on the nation’s friends as well as adversaries. Even when everything is done legally, the laws protecting privacy are not completely reassuring.

Although companies like Google are hard at work defending their right to collect data of consumers and protect it from the government, the feds have the upper hand. In the name of national security, your information can be accessed by federal agencies with the full cooperation of international bodies like the EU.

What can you do to make sure your proprietary information is as secure as it needs to be? First, you need to know a little more about how the cloud works and how industry giants interface with it. For example, Microsoft Azure is a suite of integrated cloud services which include capability for analysis, maintaining databases and computing, interface with mobile devices, as well as network and web activity. If you’re already somewhat computer savvy, you might consider enrolling in an online Microsoft Azure certification course.

Such a course will help you get familiar with cloud computing functions such as virtual machines, web apps, SQL databases and how they integrate within the system. You don’t need to be a web developer or database administrator to take such a course, but that’s the level of knowledge you should begin with. Understanding how cloud apps are made and implemented is central to keeping your information secure.

Can you unintentionally run afoul of the authorities in trying to make your data inaccessible to anyone but you? To answer this, you should first understand that the industry itself is working hard to limit government access. Google is now one of the major Washington lobbies, in the same class class with defense contractors like Raytheon and Lockheed. Google maintains over 55,000 square feet of office space for its lobbyists – floor space that rivals the White House – and employs over a hundred professionals. They divide their money and attention equally between the two major parties.

In addition, Google contributes liberally to universities and think tanks from the libertarian Cato Institute to the conservative Heritage Action for America and the Federalist Society. They invest in advocacy groups and are busy creating pro-business coalitions clothed as projects that serve the public interest. The number of think tanks, trade groups and non-profit advocacy organizations that receive Google’s donations more than doubled in the four years following the NSA disclosure. Indeed, Google sells cloud storage and services to government agencies including the intelligence community and Department of Defense.

Focusing on the current conservative administration makes sense, despite Google’s roots in liberal Silicon Valley and conspicuous employment of highly educated immigrants. Google has brought conservative players to Mountain View for tours of its campus and hosted free training workshops to educate government officials on the use of Google services that can help them more effectively reach voters.

With the loss of trust in US-based servers, many people are looking to access cloud-based services from organizations based outside the US. Three years ago, Amazon revealed its plan to open new data centers in Germany, which would assure its customers of protection of EU and German privacy laws. If you lean toward paranoia, you might consider dealing with a server based in another country.

You should of course not neglect the basic data protection practices by protecting your information at the file and application level through encryption. Other strategies may include dynamic data masking and tokenization.

A very effective way to block access to sensitive data is by setting up a key management model. It allows for access control by limiting possession of encrypted data to only those with a need to have it. There are two models: 1) you own and handle the key or, 2) you delegate key management. You should consider the amount of risk you are willing to undertake, but for maximum security, you should manage your own keys.