Enterprise Security Blog

“You agree to waste precious and valuable time searching for new friends and also boring the daylights out of friends you currently have with the most mundane details of your sad, sad life …” 

These are terms of service in a cartoon by Jeff Koterba in the Omaha World-Herald. In the cartoon a disheveled man is shown staring at his laptop’s screen, reading these terms of service and he says to the laptop: “There are still some aspects of Facebook’s terms of service that bother me …”

I shared this chuckle with our friend Warren Axelrod, speaker and writer on security topics. We had just talked about security in the cloud and discussed Facebook’s unilateral change in terms of service which enable Facebook to broadcast personal photos to the world. This is Warren's reply and I passed this sage advice on to my daughters:

Warren:  Saul Hansel discussed this recent Facebook fiasco in his February 23, 2009 New York Times “Bits” blog with the title “Does Cloud Computing Mean More Risks to Privacy”.

Having worked on developing a number of corporate security and privacy policies, I saw that they universally informed employees that they should have “no expectation of privacy” in regard to their e-mail or any other material that they handle through the company’s computers and networks. Perhaps the expectation should be different when you own the computer; you (mostly) control what you put on it. But, you don’t own the cloud and you don’t own the websites of companies such as Facebook.

It always comes back to that controversial but prescient quote by Scott MacNealy, founder of Sun Microsystems, who in 1999 said: “You have zero privacy anyway. Get over it!”  

The reality is that you should have no expectation of privacy when it comes to the Web. Even if you think that you are protected contractually, mistakes are made and, once the information is out there, you can’t put the genie back into the bottle. We’ve heard that Google is looking into technologies for diving deeper into Web databases, databases they currently cannot search. They seem upset that the information that they do search is only a small percentage of what they’d really like to get their hands on. Who knows what nuggets of personal information they’ll be sharing with the world?

The best way to protect data is not to make it available. To the extent that you have control, you need to be constantly considering each item that you might post and you must think about the consequences were the information to be revealed to the world … friends and others.

Some Intellitactics customers are concerned about security in the "cloud". Some are increasing activity in the cloud - others just contemplating the future. Warren Axelrod and I were talking about the Google fiasco and he offers some good advice - as usual.

From the Desk of Warren Axelrod: When the four-hour outage of Gmail and Google Apps was reported in the February 24, 2009 New York Times “Bits” blog, entitled “Four Hours Without Gmail” the author, Saul Hansel, remarked that several hours after the system going down, Google still hadn’t produced an explanation. He noted that, according to a report from the BBC, Google officials were not able to respond to questions because they use Gmail too!

The critical take away from this anecdote is that as we increasingly move to cloud computing, it is becoming even more difficult to nail down the source of a problem and get hold of someone who will take responsibility for fixing it. And as our dependency on “the cloud” grows, as more critical functions depend on “the cloud” the impact becomes even greater.

 Hansel points out that the saving grace of the outage was that there are many alternative forms of communication available, such as social networks, Blackberrys, and so on … although seemingly not to Google officials.

This situation repeated itself in a host of other emergency situations ranging from regional power outages to terrorist attacks. Most customers are thwarted by not being aware of common points of failure. We frequently do not know which networks and facilities are common to a variety of services, consequently we have major problems when a single failure impacts many different services. We might think that by using a collection of telecommunications carriers and Internet Service Providers, we’ll be fine; only to discover, in the event of a failure, that these services are more interconnected than we could have imagined. 

While we obviously want to achieve some level of redundancy in order to increase resiliency, the ability to achieve this level of service is hampered by not realizing the interdependencies of cloud computing. As IT professionals, it’s on us to come up with a long list of potential failures and then test as many scenarios as is economically and operationally feasible.

 It is also important that, when we make any significant addition, deletion or other change in service providers, resources and processes, we examine the resiliency ramifications of the change and account for them accordingly.