Management of trade secrets is fraught with competing interests. There is the tradeoff between security and inconvenience—for example, the annoying wait for a one-time code to complete “two-factor authentication” when you already have your password handy. There is trusting your employees while knowing they might leave to join a competitor. And there is the tension between corporate secrecy and the public interest, such as when the fire department insists on knowing what toxic chemicals are used in your facility.
And now we have the cloud (like “internet,” its ubiquity merits lower case), which offers unparalleled convenience and flexibility to outsource corporate data management to others. But moving IT functions outside the enterprise creates new vulnerabilities for that data, which happens to be the fastest growing and most valuable category of commercial assets. So understanding this environment has to be a high priority for business managers.
The cloud has given us multiple acronyms, like SaaS (software as a service), PaaS (platform as a service), and IaaS (infrastructure as a service). But it’s not as complicated as it sounds. From the customer’s perspective, the cloud is just a bunch of linked servers in some (presumably) secure location that gives you an array of IT resources whenever and wherever you want them. Tech companies like Amazon, Microsoft and Google have built massive clusters of computing power and data storage that can be rented out using their own applications, or as a host for the customer’s software tools. Cloud services are now ubiquitous. If you are using Twitter, Facebook, Office 365 or Box, or just doing a Google search, you are flying in the cloud.
It may come as a surprise to some Millennials that the cloud is not new. It is the result of an evolution of time-shared, networked mainframe computers that began in the late 1950s and 1960s, leading to the development of “virtual machines,” which allow a single physical computer to be carved into several independent ones, each behaving as if it had the hardware to itself. As telecommunications shifted to digital, these bundles of remote hardware became a powerful platform for business to increase efficiency by buying computing resources on an as-needed basis.
In the world of trade secrets, the cloud has wrought fundamental change. Software companies used to worry about their customers reverse engineering their products distributed on CDs. Now they put those applications in the cloud, so the customer only has access to its own data and outputs. And the massive and inexpensive capacity of the cloud has enabled companies to generate a new class of assets, including analytics from “big data.” Finally, the cloud has given industry the option to outsource all or part of the information security management function to full-time specialists.
But sending out your data to be stored and manipulated can be like sending out your shirts to be washed—they can get mixed up with other people’s clothes, and you are counting on the laundry to keep everything separated and organized. Even if you prefer the metaphor of putting your jewels in the hotel’s main safe, you need to realize that they are no longer in your control, and you don’t personally know the fellow who works behind the desk. It is this fundamental set of risks that represents the dark, threatening side of the cloud.
The nature and extent of risks to data security differ according to the type of service that the Cloud Service Provider (CSP) offers, as well as its commitment to overall security. The “public cloud” is like a dormitory or public swimming pool. Your information may be rubbing shoulders with others’, possibly including competitor data stored on the same physical server, so the provider’s techniques for isolating one tenant’s data from another’s will be very important. A “private cloud” is like having everything run on your own servers, but management and location can be outsourced for efficiency.
In between are “hybrid” environments, in which data and applications are distributed among multiple clouds, one or more of which may be public or private, according to needs, risk reduction and cost. There is also the option of a “community cloud” in which multiple organizations with similar interests band together to create a shared private cloud, which can be managed and hosted internally or externally.
All of these models share to some extent the basic prospect of increased efficiency and reliability by not doing everything yourself on your own network of servers. But to the extent you’re not doing it yourself, you’re trusting that others will do it right, and that presents a potentially unknown level of risk to your data assets.
A nominal security advantage of the cloud is that this is the business of the CSPs, and presumably they commit serious resources to hiring the best professionals and installing and maintaining the best security tools. However, as with any other service, there are a lot of options, and unfortunately a lot of variability in quality. According to McAfee, a security firm, only 10% of today’s 25,000 CSPs provide encryption for stored data.
So what should businesses look for in a cloud service?
There is a legal dimension to this question, since being able to uphold your trade secret rights in court requires that you exercise “reasonable efforts” to protect them yourself. Your efforts will be judged in hindsight, and in any event you should view the standard as a minimum, not an aspiration. This means doing the due diligence to find out what sort of risks you may be taking on with a CSP, and working to minimize them.
First, be realistic about the risks to your data. According to the McAfee report, 80% of companies experience third party theft of cloud-stored data each month, with an average rate of 12 incidents per month. Chillingly, the report claims that cloud credentials for 92% of companies are for sale on the “Dark Web.” (Does this make you feel better about the value of two-factor authentication?)
Second, find out what the CSP does about security, and how it aligns with the policies and procedures of your organization. Are they certified under ISO/IEC 27001 (the information security management standard in the ISO 27000 series), and do they commit to maintaining that certification? Look for robust controls in the four primary areas of information security: deterrence, protection, detection and incident response. What features come as part of a package, and what options exist for enhancing them?
Third, learn how the provider actually manages specific security issues. Do they outsource any of their own infrastructure? How do they address insider threats from their own personnel? How do they enforce separation between your data and other customers’? How will they ensure proper deletion of your data when you leave?
Fourth, and speaking of guarantees, what does their contract say about the issues that matter most? Do they acknowledge that your data belongs to you? (About half will fail that test.) Do they accept liability for loss or contamination of your data? Do they guarantee logging and audit trails that will allow you to comply with existing and emerging government standards for data management compliance?
Finally, take a look in the mirror and accept that when you share your data with anyone, security becomes a shared responsibility. Make sure that you have robust software tools to help you monitor your cloud accounts and receive alerts about what is going on. And take the opportunity to review carefully your own internal procedures, especially authentication: who holds cloud credentials, how those credentials are protected, and whether two-factor authentication is actually enforced. Security management in the cloud forms a chain, and you may be its weakest link.