Cloud Data: Secure but not Private

Perhaps in the far future, when data is stored on strands of DNA, something like that may be possible. But currently you have no way of even knowing where your data resides.

For example, at my company any data placed on one of our file servers was protected by shadow copies, an hourly cloud backup, a nightly disk-to-disk backup, and a disk-to-LTO-tape copy that was stored offsite. All email sent or received was archived the moment it hit the server. So even if a user deleted a message the instant it was received, the archived copy would be retained for 7 years. Only someone with access to all the copies could permanently delete any kind of file.

That wouldn’t protect your data from domestic hackers or your government.

But you are right about privacy laws. IMO, the only solution is laws governing how our personal data can be used. Virtually all of it is already known to someone.

1 Like

You both (@OogieM and @ACautionaryTale) have valid points. You’re simply looking at this from two different perspectives IMHO.

Personally, I don’t think the threat model for the average user is one that would prevent them from managing their own data. If you patch/upgrade, use least privilege, and run some type of malware protection it’s been said that you’re protected against more than 85% of the threats out there (see NSA/ASD Goldilocks).

How many times have we seen some company or government leave an old database exposed on the internet for all to see? The responses are usually nothing more than an “oops”. And that’s just the stuff we know about…

This

Every one of my personal identity theft issues was from either a company entrusted with keeping my data safe leaking information through employee error or accidental insecure access that was supposed to be impossible, or was an inside job with a ring of thieves who had been given trusted access and had my unsecured data to work from.

1 Like

Absolutely, and just to be clear, I’m participating here with absolutely no acrimony. One of the things that I love about this forum is that when I get into more protracted discussions, I get all kinds of interesting perspectives back and the discussions help me to solidify my own thoughts :slight_smile:

I think that was more true in the recent past, remains true for a very small number of users, and is becoming less the case daily.

While I won’t point at any individual user and say that they’re not capable of managing the security of their data, when looking at any substantial population the number of users who can and will make the constant effort to secure their data seems to be vanishingly small.

The automation of cataloging, discovery, bridging gaps, and exploitation has really begun to swing the pendulum away from a place where individual users are able to consistently thwart typical adversaries. I don’t foresee this trend reversing anytime soon, but I would love to be wrong about that.

Personal me watching the news sees this frequently (though less so with time). Professional me sees this too, but far less often than problems from individually managed systems. When you factor in data loss along with violation of confidentiality, it’s not even close.

Also, most of the breaches that we hear about in the news are (as you said) the result of misconfiguration (leaving a database exposed) on the part of the user, not the cloud service provider. (Though, cloud provider breaches absolutely do occur; unfortunately I have first hand experience with them.)

I’m not singing the praises of cloud computing here; there have been and continue to be threats associated with the use of such services, but I am pushing back on the notion that it’s wise to dismiss them outright on the basis of security and on the idea that users are generally able to outdo them.

The number of times that I’ve watched someone who “knows what they’re doing” and had “a solid backup plan” lose years worth of effort is disturbingly high. I’ll concede that seeing that a few times may jade my view of user managed security :wink:

This field changes at an incredibly rapid pace: If you’re not constantly reevaluating your assumptions and beliefs then you’re already two steps behind your adversaries.

(For what it’s worth, this topic has been providing me with a lot of material for a conference session on the topic of burnout and depression among information security professionals :slight_smile: )

On that we BOTH can agree.

1 Like

The only company I’ve seen take a novel approach to this is Google. Have you read their white paper on “Autonomic Security”? They address the issue head on and take an SRE based approach at managing security.

To be clear, the breaches I’m talking about aren’t necessarily the fault of the CSPs; a lot of times it’s the companies that we deal with who are using these services who foolishly assume that the cloud is secure by default. For example, most people assume that if you deploy in different zones with one of the major CSPs, your app’s communications are encrypted by default. Nope! You have to turn it on yourself. Oh, and did I mention this is in the cloud approved for Government use?

Some of the stuff I’ve seen is SCARY. As a consumer of cloud services you’re still responsible for securing your data. AWS, for example, is very clear about where their responsibility ends. And to your point, the attacks are now happening at “the speed of cloud”.

Good luck with the talk. Let us know how it goes!

1 Like
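An added example (editor's code, not from any poster in this thread) of the point made above that encryption between your own components is something you have to turn on yourself. It runs a hypothetical one-shot "orders" service, puts an in-process relay between the client and the service to stand in for the network between two zones, and sends a constructed payload twice: once in the clear and once with TLS enabled on both ends. The relay hands back what it saw on the path. The self-signed certificate, the service name and the payload are all assumptions made for the demo; the code is not tied to any particular provider's configuration, only to the general pattern of wrapping the listener and the dialer.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert makes a throwaway certificate for 127.0.0.1 and a pool that trusts it
// (demo only; a real service would use its own PKI or the provider's certificate manager).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// relay plays the network between two zones: it carries one connection to backend and hands
// back every byte the client sent, exactly as a passive observer on that path would see it.
func relay(backend string) (net.Conn, <-chan []byte) {
	client, wire := net.Pipe()
	seen := make(chan []byte, 1)
	go func() {
		s, err := net.Dial("tcp", backend)
		must(err)
		go io.Copy(wire, s)                         // server -> client, forwarded untouched
		buf, _ := io.ReadAll(io.TeeReader(wire, s)) // client -> server, copied as it passes
		s.Close()
		seen <- buf
	}()
	return client, seen
}

// exchange sends secret through the relay to a one-shot "orders" service (hypothetical), in the
// clear or over TLS, and returns the reply plus the client->server bytes the relay observed.
func exchange(useTLS bool, secret string) (string, []byte, error) {
	cert, pool := selfSignedCert()
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	if useTLS { // server side: the only change is wrapping the listener
		ln = tls.NewListener(ln, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	}
	defer ln.Close()
	go func() { // the service answers one request line with "ACK <line>"
		conn, err := ln.Accept()
		must(err)
		defer conn.Close()
		line, _ := bufio.NewReader(conn).ReadString('\n')
		fmt.Fprintf(conn, "ACK %s", line)
	}()
	conn, seen := relay(ln.Addr().String())
	if useTLS { // client side: speak TLS and trust only our own root
		conn = tls.Client(conn, &tls.Config{RootCAs: pool, ServerName: "127.0.0.1"})
	}
	fmt.Fprintf(conn, "%s\n", secret)
	reply, err := bufio.NewReader(conn).ReadString('\n')
	conn.Close() // closing lets the relay finish collecting the client->server stream
	if err != nil {
		return "", nil, err
	}
	return strings.TrimSpace(reply), <-seen, nil
}

func main() {
	for _, useTLS := range []bool{false, true} {
		reply, wire, err := exchange(useTLS, "customer-ssn=123-45-6789") // constructed payload
		must(err)
		fmt.Printf("tls=%-5v reply=%q secret readable on the wire: %v\n", useTLS, reply, strings.Contains(string(wire), "123-45-6789"))
	}
}
```

Both runs get the same `ACK` back, which is exactly why the gap goes unnoticed: the application works identically either way, and only the bytes on the path differ. Note that the client pins a specific root rather than setting `InsecureSkipVerify`; encrypting without verifying the peer only moves the problem from a passive observer to an active one.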

I have now, sadly, cancelled my Workflowy subscription because of this. I posted on their community website in December highlighting that anyone using their services who does not live in the US will be afforded no privacy against the US government. Their response was to not even post my comment but to delete it. This has totally broken my confidence that my data privacy is in good hands.

1 Like

That’s the world we live in. We have no privacy from our government, or any government friendly to ours. I have no doubt that it would take more than an email from a friendly government for the US to give out my data. Or vice versa.

1 Like

Like the US Constitution only protects US citizens and interests, GDPR only protects EU citizens (and UK citizens for the time being, as they might leave GDPR control). It does so worldwide. Companies therefore can be in a GDPR breach for wrongly handling the data of EU citizens, wherever the data resides and irrespective of how it got there (the user consent for moving or storing their data outside the EU does not take away the need for GDPR compliance by the data operator for said data, as it is owned by an EU citizen). I think it will be interesting to see the first legal cases where US law bites GDPR and vice versa, and also how the current EU-US discussions as per @JKoopmans end up to go …

Quote:

"The GDPR does apply outside Europe. The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”"

In reality that’s not possible. Countries cannot enforce laws outside their jurisdiction. Also, the easy way around that is the privacy policy which states you agree to have your data stored on servers outside your jurisdiction, or you cannot use the service.

I think the EU would not shy away from GDPR penalties to non-EU companies or their EU subsidiaries. The whole penalty system is based on global revenues. They have found ways to impose penalties on their EU business interests before (licenses, taxes etc)

Companies maybe, governments, probably not. I think the bottom line for me is that storing info on servers not in your jurisdiction means that privacy is unlikely. I’m checking more and more these days about where services actually store my data. That has become a high priority in my service selection.

1 Like

That I do too! Always choose EU or UK based.

1 Like

For those using Workflowy, I’ve now had a definitive answer that Workflowy have no immediate plans of allowing users to choose where their data is stored, even though they are using AWS. This means unless you are in the US you have no guarantee of privacy from the US government.