Cloud will never be fully secure, get over it

A friend and I were at a cafe over the weekend when he pulled out his mobile phone and showed me the app that served as the cafe's customer loyalty programme and stored value payment system. 

Customers of the cafe chain can create and save a profile of their personalized drinks in the app, which can include various options such as soy milk and less sugar, and flash the customized drinks at the counter staff when they make their order. They can also top up credits in their stored value cards and pay for their orders by flashing the QR codes — stored in the mobile app — at the cashier.

It seemed extremely convenient and personalized to the user's favorite beverage options. And the idea of using the mobile phone and not having to take out any cash to pay for orders was very appealing. But when I was told that customers would have to reload the value of their cards by giving their credit card details to the cafe chain, the first thought that popped up was: "Great, another database filled with customer financial data that hackers can target."

And this is an F&B company, which core business isn't focused on technology or IT security. If tech companies like Apple and Adobe can fall prey to malicious hackers, what more a retail company that spends more time brewing coffee. With beacons and location-based services expected to be deployed more widely across the consumer retail sector, even more non-tech market players are expected to increasingly tap mobile apps and personal user data to provide value-added services similar to those offered by the cafe chain.

Should this take off, think about the volume of personal data that will be stored — and become potential target for cyberattacks — across multiple systems and databases operated by different retailers, and their miscellaneous "IT partners" that may or may not have a keen understanding about enterprise-class security.  

But, if I allowed my security paranoia to stop me from using these retail apps, then I wouldn't be able to enjoy the convenience and value-add such services have to offer. It's the same dilemma I faced years before with e-commerce and online retail. It was only when I accepted it was impossible to have a fully secured online system that I started, quite delightfully, shopping online though to the demise of my wallet. 

I decided instead to focus on risk mitigation. For instance, I make all my online purchases via one credit card so I need only contact one bank to freeze the account and more quickly prevent any potential fraud. I also select the bank that offers the best credit card liability protection involving unauthorized transactions. 

And I think that's the approach we need to take as cloud services become increasingly pervasive. Hackers today continue to outsmart cloud service providers and local jurisdictions involving cloud data, such as those in the U.S., have triggered serious concerns about data sovereignty. However, the lack of security assurance shouldn't stop enterprises and consumers from embracing cloud and mobile services because, unless you cut the internet cord and completely unplug, there can never be guaranteed security. 

Instead, security strategies and best practices should focus on mitigation, so both businesses and consumers know what to do when a security breach occurs. Network defense and protection are important, but a sound risk mitigation strategy will enable enterprises to minimize losses and damage when — not if — a security breach occurs. 

I'll be discussing these issues later this week at a panel discussion for ZDNet, to be held at the Cloud Expo Asia conference and exhibition, where I'll be joined by panelists: 

• Ankur Gupta, IT director of big data at Sears Holdings; 
• Hammam Riza, executive CIO and director of ICT Center for Indonesia's Agency for the Assessment and Application of Technology; and 
• Marcelo Wesseler, senior vice president of e-commerce at Singapore Post.

If you have any questions for the panel, do list them via ZDNet's Talkback platform below or my Twitter account.