Most small and mid-market companies these days have had some type of discussion around the cloud. Many are even using the cloud or are developing their strategy to take advantage of what it has to offer. In the IT consulting strategy sessions we hold with our customers, one of the most popular topics of conversation is how to use the power of the cloud in a safe and secure way.
In almost every case, moving workloads to the cloud means your data will end up in the hands of some third-party company. From our perspective as the ‘virtual CIO’ of our customers, that immediately raises a number of questions:
1. Who is this company?
2. What are their security policies?
3. Who has access to the data?
4. What auditing is provided for us to review how, when, and by whom the data is accessed?
This issue of access control and ownership of data in the cloud was brought to the forefront when Microsoft recently revealed that they had apparently taken it upon themselves to search a user’s Hotmail account (unbeknownst to that user) to aid them in an internal investigation related to software piracy. I was pretty shocked when I read this. What is interesting about it is that when you apply the questions above to Microsoft, you would generally think they’d probably rate pretty high.
Granted, Microsoft states in the article that they are changing their policy. Mind you, they don’t say they won’t do it anymore; they just say they’ll apply some tougher standards before doing it. So if Microsoft is openly stating they feel they have the right to search through your email on their systems without your knowledge, where do you think that leaves your cloud provider? What is their stance? How can you verify that they are doing what they say to protect your data?