Careful As She Goes, Captain!
Paw Prints: Writings of the maddog
One of the big stories this month has been the attempts of crackers to break into email accounts being held by Google and other companies.
There have been a lot of accusations flying back and forth, with many people commenting on the security of web browsers and whether or not Google should pull out of China or continue to do the censoring required by the Chinese government. I am not going to discuss the political issues on both sides of the situation, I will leave that for other people.
One point that I have not seen discussed is the concept of whether or not the "Cloud" is safe for a person's or company's data given a company could lose or give up its franchise to operate at any time. From the point of view of the "end user", whether or not Google is right or the Chinese government is right, the "end users" data held in Google's systems and the end-user's business plans based on Google's services may be in jeopardy in China.
Now business (nor life) is never guaranteed. In every business and life we take risks, but one of the selling points of Free Software is the control that you might have over mediating those risks and having more control.
I live in an interesting country, the United States of America. The United States produces a lot of software which is used all over the world. U.S. businesses are aware that companies sometimes go bankrupt (we are probably more aware of that lately from recent events), and that companies merge and product lines disappear. We typically do not think about companies deciding that they are going to stop doing business with us because of the policies of our country. Nor do we typically consider what would happen if the country that provided us with the software we use would formulate an embargo against us. Our Admirals, Generals and other military people also trust that the United States companies making software to put in U.S. ships, tanks and planes would try their best to create software that does the job and has no Trojan horses or other spy-ware built in.
If you were an Admiral or General in a country called "Cuba" or "Iran" you might have a different outlook on things. You might want software that you can see the sources for the software, and actually build the software yourself and put it into your own ships, tanks and planes. In fact, if you were really astute, you probably would want the sources not only for the actual software you use, but also for the compilers and total software environment that built the embedded software...just in case.
Now we go back to our Chinese neighbors. Perhaps a Chinese business person, or a Chinese end-user entrusted their data to Google's Cloud. Now, for no real fault of the person who used those services, and for reasons outside of their personal control, their data and services are in jeopardy. This is a wake-up call for anyone who uses "Cloud Computing".
Am I saying not to use "Cloud Computing"? No, since "Cloud Computing" has lots of advantages, and for the most part the risk of data loss is still lower then if you tried to store the data yourself in most cases. But you need to think what would happen if your "Cloud" was disrupted, how you could recover your data and how you would keep your business going. Do you have control?
As an example, I do business with several companies that request I use Google Apps for collaboration. As I set up my Google Apps account, I make sure (with their blessing) that any emails sent to my accounts are forwarded on to a secure server so I can keep a record of that email. Therefore I have a record of every email sent to me (minus various pieces of obvious SPAM) for the past fifteen years. Since I typically copy myself on my emails, I also have a copy of every email I have sent in the past fifteen years.
Google has been active in formulating ways that people can back up critical files, and there are people (and even Google employees) working to make sure that you can extract and recover your data if you ever want to stop using their services. You should become aware of these techniques, and exercise them from time to time.
Of course this does not completely protect you, since people still become used to working with the services and finding replacements might be difficult and time-consuming, two things you should not be doing in a panic mode. You should plan for these contingencies before you need them, and test these contingencies from time to time, just as you would any "disaster recovery" plan.
As in most "disaster recovery" plans, you may not be able to operate at peak efficiency but you would still be able to operate.
Carpe Control.comments powered by Disqus
HP's annual Cyber Risk report offers a bleak look at the state of IT.
But what do the big numbers really mean?
.NET Core execution engine is the basis for cross-platform .NET implementations.
The Xnote trojan hides itself on the target system and will launch a variety of attacks on command.
Spammers go low-volume, and 90% of IE browsers are unpatched.
Adobe scrambles to release patches for vulnerable Flash Player.
Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
New statute would require companies to report break-ins to consumers.
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.