May 17, 2010 By Dan Lohrmann
Try typing "free storage" into a Google search, and you'll get almost 47 million results. Here are a few highlights:
Mozy.com offers: "2GB, Absolutely Free - Not A Trial! Fast, Secure, And Free."
Squidoo.com offers: "Up to 45 GB Free Online Storage Not Trials. No CC req.100% Free."
Over on the sponsored links we see Huddle.net, which offers free document sharing and: "Free 100% Secure, Get Up To 25GB Store and Edit Documents Online."
Why would you want to do this research? Well, I can think of many reasons. For one, your users probably are. Even if the services are not free, the top online storage prices may be so attractive to some customers that they just get their credit cards out - without asking for permission from anyone.
If you are thinking that I am advocating this approach, you should read my recent article on the topic: "Is Cloud Computing More Secure?" There are many, many questions that must be answered prior to using one of these low-cost storage providers in the cloud. Some of those questions include: Who owns the data? Where is my data? Do the laws of that country protect privacy rights? What are the terms and conditions? How can that company use my data? Is the data available 7x24x365? Can I get my data back if they go bankrupt? Can I switch providers easily? Is our data secure? Are you sure? Can I legally enter into this agreement for my government? How do I audit you? Can I see your logs? The list goes on and on.
A recent cloud security survey of U.S. and European IT security professionals conducted by CA and the Ponemon Institute found: "... About half of the respondents don't believe the organization has thoroughly vetted cloud services for security risks prior to deployment. It also showed that 55 percent of respondents are not confident they know all the cloud services in use in their organization today."
There are many recent blogs on this topic, such as this one from Information Week's George Hulme. Commenting on security pros' lack of understanding of which cloud services are in use in their organizations, George says, "Let's hope that the end users are employing some common sense, and not moving corporate financial information, trade secrets, customer data, or health related information to the cloud. Unfortunately, we don't know what data is moving to the cloud because IT departments have no clue how their end users are using cloud services."
So where does that leave us as IT executives in government? We clearly need to perform an "As Is" assessment of current Internet usage (or cloud computing usage) first. This includes an understanding of all Software as a Service (SaaS) activity as well as cloud storage usage and other relevant activity.
In Michigan, one of our first steps was to use our web monitoring capabilities to monitor and block unauthorized cloud connectivity. Yes, we fully embrace the power and opportunities brought by cloud computing. We are running a cloud storage pilot, and we are expanding our cloud storage over the coming year. We will be publishing a new strategic plan that includes many exciting cloud offerings.
However, we don't want unauthorized cloud providers entering and leaving through the back door either. This would be penny-wise but pound-foolish. While these various low-cost options may seem enticing to end users, they provide perhaps even more problems than other undesirable storage options (like putting data on USB flash drives) - if these new relationships are not managed appropriately. Information is vital to the running of every area within government, and we can't lose control of that data inventory.
Let me end on a positive note. Cloud computing will transform government IT Service delivery. Positive changes are already beginning to happen. The opportunities are immense. Many of these companies offer excellent service, and I appreciate what they do. We don't want to appear defensive or dismissive of their value.
Nevertheless, we need to implement cloud services legally, safely and with excellence. Include your clients in this discussion and help them understand what is at stake by getting out their credit card and sending sensitive government data off to a free or low-cost cloud service without following proper procedures. This service will not be "free" or "low cost" if you lose your information or run into other trouble. In fact, it will cost much more.
What are your thoughts on this topic? What is your government doing?
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.