Wednesday, April 25, 2012

Senior Manager vs Information Security Fun#3 - on cloud services


1 year ago, in an ABC company not too far away....

Senior Manager mate: <*talking to the Board members*> I'm pleased to announce that we managed to save 100K by outsourcing our storage place to cloud service provider JKL... with this, we also reduce our IT spending as we don't need as many IT support personnel for our IT system as before. Another advantage is that, now we can access our data anywhere and anytime.... blah..blah...

6 months ago, in that very same ABC company.....

Senior Manager mate: <*talking to the Board members*> I'm pleased to announce that we managed to save another 50K by moving to another cloud service provider FGH.... blah.. blah..

3 days ago, still at that ABC company....

Information Security lad: Senior Manager sir, have you read the headlines today? It says "DEF company found ABC company data on JKL's cloud storage assigned to them"......




Senior Manager mate: What? That's not possible! We deleted all our data before we moved to FGH. I personally pressed that shift-DELETE button.

Information Security lad: I'm sure you did that, sir.. I called up that JKL dude this morning and now I think I understand what happened. Basically, when a customer leaves, the storage space is assigned to another customer. JKL is not obliged to ensure all the data is wiped before they assign the storage. I checked, and it's indeed stated in their terms and conditions.

Senior Manager mate: But I shift-DELETEd that.. all data shouldn't be there anymore!

Information Security lad: Not really, sir. Let me explain a bit.. this will get a bit technical.... when we shift-DELETE the files, we are basically just telling the Operating System that the spaces that were occupied by those files are now available for other use, but the actual data still resides on the filesystem layer as long as those spaces have not been overwritten by any new files. Hence, there are ways to recover those deleted files, even with some free tools.....

Senior Manager mate: I feel betrayed by this cloud service provider....

Information Security lad: ...... <* serves you right.. had you involved us in the beginning, you wouldn't have had this issue... we would have advised you accordingly... *>
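The lad's explanation of why a delete leaves data behind, as an added example that is not part of the original post: a toy block volume where a plain delete only drops the index entry, compared with overwriting the blocks first. `ToyVolume`, its methods and the sample file are hypothetical and model no real provider's storage.

```python
# Added illustration: a toy in-memory block device, not any real provider's storage.
BLOCK = 16

class ToyVolume:
    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK)] * nblocks   # raw storage, initially zeroed
        self.table = {}                          # file name -> list of block indexes
        self.free = list(range(nblocks))         # blocks available for allocation

    def write(self, name, data):
        idxs = []
        for off in range(0, len(data), BLOCK):
            i = self.free.pop(0)
            self.blocks[i] = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            idxs.append(i)
        self.table[name] = idxs

    def delete(self, name):
        # What shift-DELETE amounts to: drop the index entry, release the blocks.
        self.free = sorted(self.free + self.table.pop(name))

    def wipe_and_delete(self, name):
        # Overwrite every block the file occupied before releasing it.
        for i in self.table[name]:
            self.blocks[i] = bytes(BLOCK)
        self.delete(name)

    def raw_scan(self):
        # What the next tenant (or a recovery tool) can read from free blocks.
        return b"".join(self.blocks[i] for i in self.free).replace(b"\0", b"")


def residue_after(delete_method):
    vol = ToyVolume(8)
    vol.write("payroll.csv", b"alice,4200;bob,3900")   # constructed sample data
    getattr(vol, delete_method)("payroll.csv")
    assert "payroll.csv" not in vol.table              # the file is "gone" either way
    return vol.raw_scan()


if __name__ == "__main__":
    print("plain delete leaves:    ", residue_after("delete"))
    print("wipe then delete leaves:", residue_after("wipe_and_delete"))
```

On provider-managed storage the customer cannot be sure an overwrite reaches the same physical blocks, so what the provider commits to wiping on reassignment still has to be checked in the contract.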


Moral of the story?

1. Data security is still the main concern in cloud services. Based on a recent assessment, many cloud providers have weak data security measures in place. Hence, make sure that you assess and understand how your data is going to be stored by them before you sign up for it.
2. Involve those security guys at as early a stage as possible. Yes, most of the time, you'll feel annoyed by the questions or comments raised by them. But, at the end of the day, what they are doing is protecting the company's data, and indirectly also covering your ass....

 Ain't security fun? ;) 

 Acknowledgement: Photo taken from http://www.flickr.com/photos/comedynose/7048321621/sizes/m/in/photostream/

