Why You Should Be Wary of the "Cloud"

Author: Al Harlow

Posted: 10/29/2009 6:28:41 PM

Category: Security

Tags: cloud, security, servers, API, XML


We all hear about social security numbers and identities being stolen all the time. Well, here's one you probably didn't hear about. Only those on the "inside" know. It drives home the point that whoever you entrust your data to is critical to the security of that data.

Recently, iNamics was hired by a company to write a bit of code to communicate between servers, so that the transfer of data between several systems happens automatically, in what is known as an API (application programming interface) using XML. This is common practice today, where servers at different locations and under independent management can communicate and share information as authorized.

iNamics doesn't typically accept work where another business provides the server hosting, but in this case we believed it was going to be a way for us to earn the trust of a new, long-term customer, who found us through a procurement site monitored heavily by overseas developers.

In this experience, I have come to understand better why the Internet is such a dangerous place, and again am reminded that we all must be wary and extremely careful about whom we put our trust in when storing our customer, client, medical, personal or whatever private information in the "cloud".

As we got into the project, it turned out that the data being transferred over the Internet, from one server to another, contained some very sensitive information. Now naturally, over https, the data being transferred is encrypted, so no concerns there. And before I go any further, I myself must say that I don't claim to be an Internet security expert, but as a business, iNamics is, and I like to think it's our middle name. We employ the best Internet security experts money can buy, I believe; so when our Systems Administrator found out that the client's hosted server storing this information was storing it unencrypted, he about flipped out.

I know our customer is very professional, sincere and knowledgeable, after numerous conversations with him. However, after we expressed our concern that anyone who broke into that server, whether an untrustworthy or disgruntled employee or a hacker, could steal that personal information since it's unencrypted, he told me something which came as a surprise: "Everyone does it." He checked with five of his sources of this sensitive information, AND EVERY ONE OF THEM STORES THIS INFORMATION UNENCRYPTED!

This to us here at iNamics is a massive security vulnerability and should be stopped as a practice.

This is a stark reminder to beware, and know who you are providing your personal information to. Just because the server you're filling in your personal information on is secure (indicated by the "s" in "https"), doesn't mean that your information won't be stored insecurely somewhere in the Cloud.

We hope that one day soon there are standards followed rigorously regarding how servers store sensitive information, such as social security numbers, where personal information such as this can't just be plucked off by someone unscrupulously tapped into IP. Heaven knows there are plenty of them trying and many have succeeded, so why are they taking the chance?

 


The author of this post, Al Harlow, is President and CEO of iNamics Corporation. To learn more about this subject matter, go to www.WordPress.com.