Let’s start with a simple question – I give you a pound to look after for me. How much would you spend of your own money on protecting that pound?
Less than a pound? A pound? More than a pound?
You have almost certainly gone for the first option. After all if you lose the pound then the most you will be out is one pound so why pay more?
Ok, but what if you are a bank? You expect to be looking after lots of money so you build vaults, employ guards and build processes. All of this costs significant sums of money but there has to be a chance, small though it may be, that at any moment in time you may just be protecting one pound with all this security and investment.
So what about cloud computing? I put a “pound’s” worth of data into the cloud. How much are you going to spend protecting my data?
People sometimes pitch to me that they are like “a bank for data based in the cloud”. And then I ask them what they do to prevent bank robberies…
So your data is in the cloud, and that is nice, it is accessible from anywhere, it is transparently backed up. Everything is wonderful, and then the bank goes out of business. What happens to your data then?
I once had someone telling me about their wonderful cloud based data bank service which lots of people had bought. I asked them what would happen if they went out of business. Oh, they said, no one has ever asked us that question before.
If your organization has a contract for cloud based data storage – back up, live use, whatever – I strongly suggest you find out the answer to that question if you do not already know!
So your data is in the cloud and you have proper governance arrangements in place in case the supplier goes bust. All is fine. Until suddenly someone mentions aggregation.
Aggregation is the principle that the more of something you have then the bigger a target it becomes and the greater the consequences are of loss.
Back to money again, if I put a million pounds in the bank vault then the Willy Sutton principle applies. If I leave my million pounds scattered in piles of one hundred then the risk to me is that I lose at most one hundred pounds, if the vault is raided then I lose all one million.
The same with data, finding data in most organizations is usually a matter of luck. It is hidden in emails, shared folders, private folders, EDRM systems, databases etc. Data loss or theft tends to be of individual documents and any sensible risk management policy segregates data access to minimise the threat of some one person having access to all the pieces.
But now we are putting them all into the cloud, all in one place. Ah, hello Mr Sutton.
Part of the problem is that our security model remains essentially medieval. We build a vault, we put our treasure in the vault, we post guards around it. We need a different model in the cloud age, one where security is embedded into the individual atoms of information.
And atoms of information is a good way of thinking about the potential implications of bringing some of these individually innocuous but collectively explosive nuggets of data. People may recall in the early days of chip and pin some tills would print out the last 4 digits of your debit card number, some would print out the first 4 digits, and some the middle digits. Individually, each piece was of little threat, collectively… Hello empty bank acount!!
You might just want to spend some time going through your last bank statement…